S1123: PITSTOP
PITSTOP is a backdoor that was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to enable command execution and file read/write.[1]
Analyst context for executives and security teams
PITSTOP matters because it represents backdoor capability on a VPN appliance, not a normal endpoint. In the supplied ATT&CK context, it was deployed on compromised Ivanti Connect Secure VPNs during Cutting Edge to support command execution and file read/write. For leaders, the key issue is whether externally exposed network devices have enough logging, integrity monitoring, and recovery planning to prove they are clean after compromise.
Executive priority
Treat this as a network-edge resilience and incident-readiness concern. VPN appliances often sit in the identity and remote-access path, so compromise can affect business continuity, access assurance, and audit evidence. Executives should ask whether Ivanti Connect Secure exposure is inventoried, whether appliance compromise can be investigated without endpoint EDR, and whether recovery plans cover rebuild, credential review, and validation of persistence removal.
Technical view
ATT&CK lists PITSTOP for Network Devices and relates it to Unix Shell, Deobfuscate/Decode Files or Information, Socket Filters, Inter-Process Communication, and Asymmetric Cryptography. SOC and IR teams should validate visibility for shell execution, appliance file changes, command-and-control network metadata, socket/filter behavior where available, and local process or IPC activity. MITRE provides no official detection text for PITSTOP, so local baselining and vendor/appliance telemetry become decisive.
Likely telemetry
- Ivanti Connect Secure VPN system, admin, authentication, and audit logs
- Network-device file integrity or configuration-change evidence
- Shell or command execution telemetry from the appliance, where available
- Network flow, packet capture, or firewall/proxy metadata for VPN appliance traffic
- Evidence of unusual socket/filter behavior or packet-triggered backdoor activity, if collectable
Detection direction
- Do not assume endpoint-style EDR coverage exists on the VPN appliance; confirm what the device can actually log and export.
- Baseline expected VPN appliance processes, files, outbound connections, and administrative activity, then investigate deviations.
- Prioritize evidence of unexpected Unix shell execution, unexplained file read/write activity, decoding/deobfuscation behavior, and unusual IPC relationships.
- Because related behavior includes socket filters and asymmetric cryptography, expect payload inspection to be limited; rely on metadata, timing, source/destination patterns, and device integrity evidence.
- Correlate PITSTOP-related investigation with the Cutting Edge campaign relationship and Ivanti Connect Secure compromise context, while avoiding attribution conclusions without local evidence.
Mitigation priorities
- Maintain authoritative inventory of externally exposed VPN appliances and their software state.
- Apply relevant vendor guidance and updates for Ivanti Connect Secure appliances, and validate exposure reduction for management interfaces.
- Increase logging export and retention from VPN appliances before an incident occurs.
- Use configuration and file integrity validation to support post-compromise confidence.
- Prepare IR playbooks for network-device compromise, including forensic collection, recovery or rebuild decisions, and credential/session review.
Analyst notes and limits
The supplied object is a malware entry with no official ATT&CK detection guidance and no object-level tactics. The most useful defensive context comes from the official description, the Network Devices platform, the Cutting Edge campaign relationship, and related techniques covering shell execution, decoding, socket filters, IPC, and asymmetric command-and-control.
This take is limited to the supplied ATT&CK fields, references, and relationships. It does not assert current exploitation, customer exposure, confirmed attribution in any local environment, or guaranteed detection. Local appliance configuration, logging depth, patch status, and forensic evidence are required to determine risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique of T1573) | PITSTOP has the ability to communicate over TLS.[1] |
| Enterprise | T1559 | Inter-Process Communication | PITSTOP can listen over the Unix domain socket located at `/data/runtime/cockpit/wd.fd`.[1] |
| Enterprise | T1059.004 | Unix Shell (sub-technique of T1059) | PITSTOP has the ability to receive shell commands over a Unix domain socket.[1] |
| Enterprise | T1205.002 | Socket Filters (sub-technique of T1205) | PITSTOP can listen and evaluate incoming commands on the domain socket, created by PITHOOK malware, located at `/data/runtime/cockpit/wd.fd` for a predefined magic byte sequence. PITSTOP can then duplicate the socket for further communication over TLS.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | PITSTOP can deobfuscate base64 encoded and AES encrypted commands.[1] |
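The detection direction above comes down to baselining: the page gives one concrete artifact, a Unix domain socket at `/data/runtime/cockpit/wd.fd` on which PITSTOP listens, so the practical check on an appliance export is to compare the bound Unix sockets against an allowlist and a watchlist. The script below is an added example, not code from MITRE, Mandiant, or the Glexia mirror: it parses the `/proc/net/unix` text format (columns `Num RefCount Protocol Flags Type St Inode Path`, listening sockets carrying the `__SO_ACCEPTCON` flag bit `0x10000`), flags listeners that are not in a local baseline, and separately flags any socket bound at a watched path. The baseline set, the watch set, and the `/proc/net/unix` sample are all constructed for the example; whether `wd.fd` is ever legitimately present on a clean appliance is something only a locally collected baseline can answer, which is why the two lists are kept apart.

```python
"""Flag unexpected Unix domain socket listeners from a /proc/net/unix export.

Added example (not from the ATT&CK page or the Mandiant report). The socket
path is taken from the ATT&CK relationship text; the baseline, watchlist and
sample /proc/net/unix content below are constructed for illustration.
"""
import re
from dataclasses import dataclass

# Kernel flag bit set on sockets that have called listen(2).
SO_ACCEPTCON = 0x10000

# Num RefCount Protocol Flags Type St Inode [Path]; all but Inode are hex.
_LINE_RE = re.compile(
    r"^[0-9a-fA-F]+:\s+[0-9a-fA-F]+\s+[0-9a-fA-F]+\s+([0-9a-fA-F]+)"
    r"\s+([0-9a-fA-F]+)\s+([0-9a-fA-F]+)\s+(\d+)(?:\s+(\S+))?$"
)


@dataclass(frozen=True)
class UnixSocket:
    inode: int
    sock_type: int      # 0x0001 = SOCK_STREAM, 0x0002 = SOCK_DGRAM
    state: int          # 0x01 = unconnected/bound, 0x03 = connected
    listening: bool     # __SO_ACCEPTCON set in Flags
    path: str           # "" for unnamed sockets, "@..." for abstract ones


def parse_proc_net_unix(text: str) -> list[UnixSocket]:
    """Parse /proc/net/unix text; the header and malformed lines are skipped."""
    sockets = []
    for raw in text.splitlines():
        m = _LINE_RE.match(raw.strip())
        if not m:
            continue
        flags, sock_type, state, inode, path = m.groups()
        sockets.append(UnixSocket(
            inode=int(inode),
            sock_type=int(sock_type, 16),
            state=int(state, 16),
            listening=bool(int(flags, 16) & SO_ACCEPTCON),
            path=path or "",
        ))
    return sockets


def listening_paths(sockets: list[UnixSocket]) -> list[str]:
    """Sorted, de-duplicated paths of named listening sockets (the baseline view)."""
    return sorted({s.path for s in sockets if s.listening and s.path})


def evaluate(sockets: list[UnixSocket], baseline: set[str],
             watch: set[str]) -> list[tuple[str, str, int]]:
    """Return (finding, path, inode) tuples.

    watch_path_present : any socket bound at a watched path, listening or not
    unexpected_listener: a named listener absent from the local baseline
    """
    findings = []
    for s in sockets:
        if s.path and s.path in watch:
            findings.append(("watch_path_present", s.path, s.inode))
        if s.listening and s.path and s.path not in baseline:
            findings.append(("unexpected_listener", s.path, s.inode))
    return findings


# Constructed sample: two expected listeners, one accepted connection, the
# socket path named on the page, an unnamed datagram socket, and an abstract
# socket that a baseline review would have to classify.
SAMPLE_PROC_NET_UNIX = """\
Num       RefCount Protocol Flags    Type St Inode Path
0000000000000001: 00000002 00000000 00010000 0001 01 18231 /run/systemd/journal/stdout
0000000000000002: 00000002 00000000 00010000 0001 01 20114 /var/run/dbus/system_bus_socket
0000000000000003: 00000003 00000000 00000000 0001 03 20901 /var/run/dbus/system_bus_socket
0000000000000004: 00000002 00000000 00010000 0001 01 44120 /data/runtime/cockpit/wd.fd
0000000000000005: 00000002 00000000 00000000 0002 01 44133
0000000000000006: 00000002 00000000 00010000 0001 01 45001 @/tmp/.X11-unix/X0
"""

# Assumed local baseline and watchlist; replace with values collected from a
# known-good appliance of the same version.
BASELINE_LISTENERS = {"/run/systemd/journal/stdout", "/var/run/dbus/system_bus_socket"}
WATCH_PATHS = {"/data/runtime/cockpit/wd.fd"}

if __name__ == "__main__":
    socks = parse_proc_net_unix(SAMPLE_PROC_NET_UNIX)
    for finding in evaluate(socks, BASELINE_LISTENERS, WATCH_PATHS):
        print(*finding)
```

Run it against a file copied off the appliance (`cat /proc/net/unix` over the management shell, or whatever the vendor's support-collection exports) rather than live, so the evidence is preserved. Two findings come back for the `wd.fd` inode (watched path and unexpected listener) and one for the abstract X11 socket; the latter is the kind of deviation the baseline step is meant to settle before an incident, not during one.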
Groups, software, and campaigns
C0029: Cutting Edge
Cutting Edge was a campaign conducted by suspected China-nexus espionage actors, variously identified as UNC5221/UTA0178 and UNC5325, that began as early as December 2023 with the exploitation of zero-day vulnerabilities in Ivanti Connect Secure (previously Pulse Secure) VPN appliances. Cutting Edge targeted the U.S. defense industrial base and multiple sectors globally including telecommunications, financial, aerospace, and technology. Cutting Edge featured the use of defense evasion and living-off-the-land (LoTL) techniques along with the deployment of web shells and other custom malware.[1][2][3][4][5]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 0b25f63e421b… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Lin, M. et al. (2024, February 27). Cutting Edge, Part 3: Investigating Ivanti Connect Secure VPN Exploitation and Persistence Attempts. Mandiant. Retrieved March 1, 2024.
[2] MITRE ATT&CK. S1123: PITSTOP. Mirrored source object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.