Register to stream ATT&CKcon 2.0 October 29-30


WIRTE is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.[1]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information WIRTE has decoded a base64 encoded document which was embedded in a VBS script. [1]
Enterprise T1086 PowerShell WIRTE has used PowerShell for script execution. [1]
Enterprise T1117 Regsvr32 WIRTE has used Regsvr32.exe to trigger the execution of a malicious script. [1]
Enterprise T1105 Remote File Copy WIRTE has downloaded PowerShell code from the C2 server to be executed. [1]
Enterprise T1064 Scripting WIRTE has used VBS and PowerShell scripts throughout its operation. [1]
Enterprise T1071 Standard Application Layer Protocol WIRTE has used HTTP for network communication. [1]


ID Name References Techniques
S0363 Empire [1] Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Credentials in Files, Data Compressed, Distributed Component Object Model, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation