S0272: NDiskMonitor
NDiskMonitor is a custom backdoor written in .NET that appears to be unique to Patchwork. [1]
Analyst context for executives and security teams
NDiskMonitor matters because ATT&CK describes it as a custom .NET backdoor for Windows, linked through ATT&CK relationships to Patchwork and to discovery and command-and-control behaviors. For leaders, the key issue is not the malware name itself, but whether the organization can recognize a compromised Windows host being profiled, having its files enumerated, receiving additional tools, and communicating over encrypted channels.
Executive priority
Treat this as a readiness check for targeted-intrusion response rather than a generic malware signature exercise. Security leaders should ask whether Windows endpoint visibility, egress monitoring, and incident response procedures can prove what user, system, file, and tool-transfer activity occurred after a suspected backdoor infection. This supports business continuity decisions, audit evidence, and prioritization of controls around endpoint monitoring, network egress governance, and investigation of suspicious discovery activity.
Technical view
ATT&CK provides no official detection text for NDiskMonitor, so SOC and IR teams should validate coverage through the related behaviors: System Owner/User Discovery (T1033), System Information Discovery (T1082), File and Directory Discovery (T1083), Ingress Tool Transfer (T1105), and Symmetric Cryptography (T1573.001). On Windows systems, focus on unexpected .NET executables running from nonstandard paths, processes querying user or host details, broad file, directory, and logical-drive enumeration, creation or download of additional executables followed by their execution, and outbound command-and-control traffic that appears encrypted at the application layer. Note that a .NET backdoor can read the username and computer name through in-process APIs without spawning whoami.exe or hostname.exe, so detections that depend only on child-process creation will miss that discovery; file enumeration, drop-and-execute sequences, and opaque egress are the more reliable correlation points. Relationship context links this malware to Patchwork, but local detection should be behavior-led because ATT&CK does not provide aliases, labels, or a detection procedure for this object.
Likely telemetry
- Windows endpoint process execution and parent-child process context
- Command-line and script execution records where available
- Windows file creation, modification, and directory enumeration evidence
- User/account discovery and host/system information query activity
- Endpoint security or EDR alerts involving .NET executables or suspicious backdoor behavior
Detection direction
- Validate behavior-based detections for user discovery, system information discovery, and file/directory enumeration on Windows endpoints rather than relying on the malware name alone.
- Tune detections to separate legitimate administration and inventory activity from unusual discovery performed by unexpected processes, uncommon users, or nonstandard execution paths.
- Review egress monitoring for encrypted or opaque outbound sessions from endpoints that have also shown discovery or tool-transfer behavior.
- Correlate suspected ingress tool transfer with new file creation, process launch, and subsequent network activity.
- Use the Patchwork relationship as threat-intelligence context, not as proof of attribution in an incident without local evidence.
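The correlation the points above describe can be exercised on sample telemetry. The block below is an added example, not code from MITRE ATT&CK, Patchwork, or this page: it scores each process on a host against the five related techniques (T1033, T1082, T1083, T1105, T1573.001), suppresses an allowlisted inventory agent, and reports a process only when several behaviors coincide. The event schema (simplified Sysmon/EDR-like dicts), the thresholds, the allowlist path, the image paths, and the sample events are all constructed assumptions; the entropy check is a heuristic for "opaque" outbound data, not proof of AES.

```python
"""Correlate Windows endpoint events into NDiskMonitor-style behaviour findings.

Added example, not code from MITRE ATT&CK, Patchwork or this page. The event
schema (Sysmon/EDR-like dicts), thresholds, allowlist and sample data are
assumptions for illustration only.
"""
import math
from collections import defaultdict

# Tuning knobs (assumed values; adjust to local baselines).
DIR_ENUM_THRESHOLD = 5        # distinct directories walked by one process -> T1083
TOOL_EXEC_WINDOW = 300        # seconds between writing an executable and running it -> T1105
OPAQUE_ENTROPY_BITS = 7.0     # payload entropy (bits/byte) treated as encrypted/opaque -> T1573.001
MIN_TECHNIQUES = 2            # report a process only when behaviours correlate
# Assumed legitimate inventory agent that also profiles hosts and walks directories.
ALLOWED_INVENTORY_IMAGES = {r"c:\program files\inventory\agent.exe"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 8.0 for uniformly distributed bytes, roughly 4-5 for plaintext protocols."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_host_events(events):
    """Return {host: {image: [technique IDs]}} for processes whose behaviours correlate."""
    by_proc = defaultdict(list)      # (host, image) -> events attributed to that image
    starts = defaultdict(list)       # (host, image) -> process start times
    for ev in sorted(events, key=lambda e: e["t"]):
        key = (ev["host"], ev["image"].lower())
        by_proc[key].append(ev)
        if ev["type"] == "process":
            starts[key].append(ev["t"])

    findings = {}
    for (host, image), evs in by_proc.items():
        if image in ALLOWED_INVENTORY_IMAGES:
            continue  # tuned out as legitimate administration/inventory activity
        hits = set()
        # T1033 / T1082: a .NET backdoor can read user and host names via in-process
        # APIs without spawning whoami.exe, so this assumes the EDR records the
        # API-level discovery ("discovery" events), not just child processes.
        kinds = {e["kind"] for e in evs if e["type"] == "discovery"}
        if "user" in kinds:
            hits.add("T1033")
        if "host" in kinds:
            hits.add("T1082")
        # T1083: broad enumeration of directories and logical drives by one process.
        dirs = {e["path"].lower() for e in evs if e["type"] == "dir_enum"}
        if len(dirs) >= DIR_ENUM_THRESHOLD:
            hits.add("T1083")
        # T1105: this process wrote an executable and a process with that path
        # started on the same host within the window.
        for e in evs:
            if e["type"] == "file_create" and e["path"].lower().endswith((".exe", ".dll")):
                if any(e["t"] <= t <= e["t"] + TOOL_EXEC_WINDOW
                       for t in starts[(host, e["path"].lower())]):
                    hits.add("T1105")
        # T1573.001 candidate: outbound payload that looks encrypted/opaque.
        if any(e["type"] == "network" and shannon_entropy(e["payload"]) >= OPAQUE_ENTROPY_BITS
               for e in evs):
            hits.add("T1573.001")
        if len(hits) >= MIN_TECHNIQUES:
            findings.setdefault(host, {})[image] = sorted(hits)
    return findings


def _ev(host, t, type_, image, **fields):
    return {"host": host, "t": t, "type": type_, "image": image, **fields}


# Assumed image paths for the sample data (hypothetical, not indicators).
UPD = r"C:\Users\alice\AppData\Roaming\upd.exe"       # unexpected binary from a user-writable path
TOOL = r"C:\Users\alice\AppData\Local\Temp\tool.exe"  # dropped second-stage tool
AGENT = r"C:\Program Files\Inventory\agent.exe"       # allowlisted inventory agent
BROWSER = r"C:\Program Files\Browser\browser.exe"     # benign plaintext HTTP client

# Constructed sample telemetry (not real logs). 203.0.113.10 is a documentation address.
SAMPLE_EVENTS = [
    _ev("WS01", 100, "process", UPD, parent=r"C:\Windows\explorer.exe", user="CORP\\alice"),
    _ev("WS01", 101, "discovery", UPD, kind="user"),
    _ev("WS01", 102, "discovery", UPD, kind="host"),
    *[_ev("WS01", 110 + i, "dir_enum", UPD, path=p) for i, p in
      enumerate(["C:\\", r"C:\Users", r"C:\Users\alice", r"C:\Users\alice\Documents", "D:\\"])],
    _ev("WS01", 120, "file_create", UPD, path=TOOL),
    _ev("WS01", 121, "process", TOOL, parent=UPD, user="CORP\\alice"),
    _ev("WS01", 130, "network", UPD, dst="203.0.113.10:443", payload=bytes(range(256))),
    # WS02: inventory agent profiling the host (allowlisted) and a browser's plaintext request.
    _ev("WS02", 200, "discovery", AGENT, kind="user"),
    _ev("WS02", 201, "discovery", AGENT, kind="host"),
    *[_ev("WS02", 210 + i, "dir_enum", AGENT, path=p) for i, p in
      enumerate(["C:\\", r"C:\Program Files", r"C:\Users", r"C:\Windows", "D:\\"])],
    _ev("WS02", 220, "discovery", BROWSER, kind="host"),
    _ev("WS02", 221, "network", BROWSER, dst="10.0.0.5:80",
        payload=b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
]

if __name__ == "__main__":
    for host, procs in score_host_events(SAMPLE_EVENTS).items():
        for image, techniques in procs.items():
            print(f"{host}: {image} -> {', '.join(techniques)}")
```

On the constructed data only the WS01 process from the user-writable path is reported, with all five techniques; the inventory agent is suppressed by the allowlist and the browser's single host-discovery event stays below the correlation threshold. The entropy threshold and the two-technique minimum are the tuning points to revisit against local baselines.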
Mitigation priorities
- Prioritize Windows endpoint visibility and retention sufficient to reconstruct discovery, file activity, process execution, and network connections.
- Restrict and monitor unauthorized tool transfer through egress controls, proxy policy, and controlled download paths.
- Apply least-privilege and application-control practices to reduce the ability of an unexpected backdoor process to execute and stage additional tooling.
- Maintain incident response playbooks for suspected backdoor activity, including host isolation, evidence preservation, malware collection, and scope analysis.
- Use threat-informed validation exercises mapped to the related ATT&CK techniques to confirm practical SOC coverage.
Analyst notes and limits
The supplied ATT&CK object identifies NDiskMonitor as a custom .NET backdoor appearing unique to Patchwork, with Windows as the listed platform. The most useful defensive context comes from the relationships to discovery and command-and-control techniques. This analysis therefore emphasizes validation of observable behaviors rather than malware-family-specific signatures.
ATT&CK provides no official detection guidance, no tactics on the malware object itself, no aliases, and limited descriptive detail. The related technique descriptions are general ATT&CK technique context, not NDiskMonitor-specific procedures. Any conclusion about compromise, attribution, or detection coverage requires local telemetry and incident evidence.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1033 | System Owner/User Discovery | NDiskMonitor obtains the victim username and encrypts the information to send over its C2 channel. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique of T1573 Encrypted Channel) | NDiskMonitor uses AES to encrypt certain information sent over its C2 channel. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | NDiskMonitor can download and execute a file from a given URL. [1] |
| Enterprise | T1082 | System Information Discovery | NDiskMonitor obtains the victim computer name and encrypts the information to send over its C2 channel. [1] |
| Enterprise | T1083 | File and Directory Discovery | NDiskMonitor can obtain a list of all files and directories as well as logical drives. [1] |
Groups, software, and campaigns
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | de72d266214f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] TrendMicro Patchwork Dec 2017. Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018.
- [2] NDiskMonitor (Citation: TrendMicro Patchwork Dec 2017)
- [3] mitre-attack S0272
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.