JUST RELEASED: ATT&CK for Industrial Control Systems


WIRTE is a threat group that has been active since at least August 2018. The group focuses on targeting Middle East defense and diplomats.[1]

ID: G0090
Contributors: Lab52 by S2 Grupo
Version: 1.0
Created: 24 May 2019
Last Modified: 20 June 2019

Techniques Used

Domain ID Name Use
Enterprise T1140 Deobfuscate/Decode Files or Information

WIRTE has decoded a base64 encoded document which was embedded in a VBS script.[1]

Enterprise T1086 PowerShell

WIRTE has used PowerShell for script execution.[1]

Enterprise T1117 Regsvr32

WIRTE has used Regsvr32.exe to trigger the execution of a malicious script.[1]

Enterprise T1105 Remote File Copy

WIRTE has downloaded PowerShell code from the C2 server to be executed.[1]

Enterprise T1064 Scripting

WIRTE has used VBS and PowerShell scripts throughout its operation. [1]

Enterprise T1071 Standard Application Layer Protocol

WIRTE has used HTTP for network communication. [1]


ID Name References Techniques
S0363 Empire [1] Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Component Object Model and Distributed COM, Create Account, Credential Dumping, Credentials from Web Browsers, Credentials in Files, Data Compressed, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation