C0032: C0032
C0032 was an extended campaign suspected to involve the Triton adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the Triton Safety Instrumented System Attack.[1]
Analyst context for executives and security teams
C0032 matters because ATT&CK describes it as a 2019 extended campaign focused on gaining a foothold in IT environments and suspected to involve TRITON-related adversaries. For leaders, the key issue is not a single malware signature; it is whether remote access, credential theft, persistence, and command-and-control behaviors would be visible before an IT intrusion could create operational or critical-infrastructure risk.
Executive priority
Prioritize validation of identity security, external remote access governance, Windows credential protection, and SOC visibility for lateral movement. Because the related group context includes critical infrastructure targeting and TRITON safety-system capability, executives should ask whether IT compromise scenarios are included in operational resilience, incident response, and cyber-physical risk planning. Treat this as a readiness benchmark, not evidence of current exposure or active exploitation.
Technical view
ATT&CK provides no campaign-specific detection text, so defenders should map coverage to the related techniques: Mimikatz and LSASS memory access for credential theft; valid account use; RDP and SSH lateral movement; external remote services; scheduled tasks, IFEO injection, and web shells for persistence; PowerShell execution; file deletion, timestomping, and legitimate-looking resource names for stealth; local data staging; and non-standard ports or protocol tunneling for command and control. Validate Windows coverage first, since most of the related techniques and the observed tooling (Mimikatz, PsExec, PLINK, RDP, scheduled tasks, IFEO) apply there, then check Linux, macOS, ESXi, network device, container, IaaS, and identity-provider visibility where those techniques are relevant to the environment.
Likely telemetry
- Authentication logs for VPN, external remote services, identity providers, RDP, SSH, and privileged accounts
- Windows security, Sysmon or equivalent endpoint telemetry for LSASS access, process creation, PowerShell, scheduled tasks, IFEO registry changes, and file timestamp anomalies
- Web server logs and file integrity telemetry for possible web shell persistence
- Network flow, proxy, DNS, and firewall logs for non-standard port usage and protocol tunneling indicators
- File system and endpoint telemetry for local data staging, file deletion, renamed resources, and suspicious tool placement
Detection direction
- Start with identity-led correlation: successful remote logons, unusual source locations, new administrative sessions, and lateral movement using valid accounts.
- Tune detections for credential access around LSASS memory access and known credential-dumping tool behavior, while accounting for authorized security testing and administrative tooling.
- Correlate persistence signals such as scheduled task creation, IFEO debugger changes, and web-accessible scripts with preceding remote access or credential events.
- Look for stealth patterns: file deletion after tool execution, timestamp inconsistencies, and files placed or named to resemble legitimate resources.
- Review network analytics for protocol and port mismatches or tunneled traffic, but tune carefully because administrative tools and business applications may also use non-standard ports.
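The correlation logic above, as an added example that is not code from MITRE, FireEye or the mirrored page. It runs three of the technique checks (LSASS read access, an IFEO Debugger value, a port-protocol mismatch) over constructed Sysmon-style events and raises severity when the signal follows a remote logon on the same host. Field names follow Sysmon ProcessAccess, RegistryEvent and NetworkConnect events and Windows 4624 logon types; the events, the LSASS allowlist and the expected-protocol table are constructed placeholders, and the renamed tool path is invented for illustration.

```python
"""Added detection sketch for the C0032 behaviours (not MITRE or FireEye code).

Field names follow Sysmon EID 10/13/3 and Windows Security 4624 conventions.
All events, allowlists and the port baseline below are constructed samples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

IFEO_PATH = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EXPECTED_PROTO = {443: "tls", 22: "ssh", 3389: "rdp"}  # assumed site baseline, not a standard
LSASS_ALLOWLIST = {r"c:\program files\windows defender\msmpeng.exe"}  # assumed EDR/AV reader
PROCESS_VM_READ = 0x0010            # access right credential dumpers need on lsass.exe
CORRELATION_WINDOW = timedelta(hours=1)


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str                      # logon | proc_access | registry | netconn
    data: dict = field(default_factory=dict)


def is_remote_logon(ev):
    # 4624 LogonType 10 = RemoteInteractive (RDP); VPN logons modelled as Source="vpn"
    return ev.kind == "logon" and (
        ev.data.get("LogonType") == 10 or ev.data.get("Source") == "vpn")


def is_lsass_read(ev):
    # Sysmon EID 10: a non-allowlisted process opened lsass.exe with VM_READ
    if ev.kind != "proc_access":
        return False
    if not ev.data.get("TargetImage", "").lower().endswith("\\lsass.exe"):
        return False
    granted = int(ev.data.get("GrantedAccess", "0x0"), 16)
    src = ev.data.get("SourceImage", "").lower()
    return bool(granted & PROCESS_VM_READ) and src not in LSASS_ALLOWLIST


def is_ifeo_debugger(ev):
    # Sysmon EID 13: a Debugger value written under an IFEO subkey (T1546.012)
    key = ev.data.get("TargetObject", "")
    return (ev.kind == "registry" and key.startswith(IFEO_PATH)
            and key.lower().endswith("\\debugger"))


def is_port_mismatch(ev):
    # Observed protocol differs from what the baseline expects on that port (T1571)
    if ev.kind != "netconn":
        return False
    expected = EXPECTED_PROTO.get(ev.data.get("DestinationPort"))
    return expected is not None and ev.data.get("Protocol") != expected


def detect(events):
    """Return (technique, host, severity, ts); severity is 'high' when the hit
    follows a remote logon on the same host within CORRELATION_WINDOW."""
    last_remote = {}               # host -> timestamp of most recent remote logon
    alerts = []
    for ev in sorted(events, key=lambda e: e.ts):
        if is_remote_logon(ev):
            last_remote[ev.host] = ev.ts
            continue
        hit = ("T1003.001" if is_lsass_read(ev) else
               "T1546.012" if is_ifeo_debugger(ev) else
               "T1571" if is_port_mismatch(ev) else None)
        if hit is None:
            continue
        recent = last_remote.get(ev.host)
        correlated = recent is not None and ev.ts - recent <= CORRELATION_WINDOW
        alerts.append((hit, ev.host, "high" if correlated else "medium", ev.ts))
    return alerts


# Constructed sample timeline: RDP logon, then LSASS read and IFEO write on the
# same host; an unrelated SSH-over-443 connection; an allowlisted AV reading LSASS.
T0 = datetime(2019, 4, 10, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "ws01", "logon", {"LogonType": 10, "TargetUserName": "svc_backup"}),
    Event(T0 + timedelta(minutes=12), "ws01", "proc_access",
          {"SourceImage": r"C:\Windows\Temp\wupdate.exe",            # invented name
           "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
    Event(T0 + timedelta(minutes=20), "ws01", "registry",
          {"TargetObject": IFEO_PATH + r"\sethc.exe\Debugger"}),
    Event(T0 + timedelta(hours=3), "srv02", "netconn",
          {"DestinationPort": 443, "Protocol": "ssh"}),
    Event(T0 + timedelta(hours=4), "srv02", "proc_access",
          {"SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
           "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The allowlist is what keeps the last sample event silent; in practice it must be populated from observed EDR, backup and monitoring agents on each host class, and the port baseline tuned per segment, or both checks will drown in authorized tooling.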
Mitigation priorities
- Reduce exposure of external remote services and require strong authentication, access review, and monitoring for remote access paths.
- Harden privileged identity practices, including limiting administrative logons, protecting credentials, and reviewing valid account use across remote services.
- Restrict and monitor administrative execution mechanisms such as PowerShell, scheduled tasks, and remote management channels according to business need.
- Apply persistence-focused controls on web servers and Windows hosts, including change monitoring for web content, scheduled tasks, and IFEO-related registry paths.
- Ensure network segmentation and monitoring between IT environments and sensitive operational environments where cyber-physical risk is relevant.
Analyst notes and limits
This take is based on ATT&CK campaign C0032, its cited FireEye reference, and supplied ATT&CK relationships. The campaign is related to TEMP.Veles and to techniques spanning credential access, lateral movement, persistence, stealth, collection, command and control, and resource development. The object says the campaign was distinct from the Triton Safety Instrumented System Attack, so it should be framed as IT foothold readiness with potential critical-infrastructure relevance, not as a confirmed safety-system compromise.
Platforms and tactics are not specified on the campaign object itself, and official detection guidance is not provided. Platform references come from related software and technique objects only. Local asset inventory, identity architecture, remote access design, and available telemetry are required to determine actual organizational exposure or detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1588.002 | Tool | During the C0032 campaign, TEMP.Veles obtained and used tools such as Mimikatz and PsExec.[1] |
| Enterprise | T1572 | Protocol Tunneling | During the C0032 campaign, TEMP.Veles used encrypted SSH-based PLINK tunnels to transfer tools and enable RDP connections throughout the environment.[1] |
| Enterprise | T1078 | Valid Accounts | During the C0032 campaign, TEMP.Veles used compromised VPN accounts.[1] |
| Enterprise | T1074.001 | Local Data Staging | During the C0032 campaign, TEMP.Veles used staging folders that are infrequently used by legitimate users or processes to store data for exfiltration and tool deployment.[1] |
| Enterprise | T1583.003 | Virtual Private Server | During the C0032 campaign, TEMP.Veles used Virtual Private Server (VPS) infrastructure.[1] |
| Enterprise | T1021.004 | SSH | During the C0032 campaign, TEMP.Veles relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | During the C0032 campaign, TEMP.Veles renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.[1] |
| Enterprise | T1505.003 | Web Shell | During the C0032 campaign, TEMP.Veles planted Web shells on Outlook Exchange servers.[1] |
| Enterprise | T1021.001 | Remote Desktop Protocol | During the C0032 campaign, TEMP.Veles utilized RDP throughout an operation.[1] |
| Enterprise | T1571 | Non-Standard Port | During the C0032 campaign, TEMP.Veles used port-protocol mismatches on ports such as 443, 4444, 8531, and 50501 during C2.[1] |
| Enterprise | T1070.004 | File Deletion | During the C0032 campaign, TEMP.Veles routinely deleted tools, logs, and other files after they were finished with them.[1] |
| Enterprise | T1059.001 | PowerShell | During the C0032 campaign, TEMP.Veles used PowerShell to perform timestomping.[1] |
| Enterprise | T1133 | External Remote Services | During the C0032 campaign, TEMP.Veles used VPN access to persist in the victim environment.[1] |
| Enterprise | T1053.005 | Scheduled Task | During the C0032 campaign, TEMP.Veles used scheduled task XML triggers.[1] |
| Enterprise | T1070.006 | Timestomp | During the C0032 campaign, TEMP.Veles used timestomping to modify the |
| Enterprise | T1546.012 | Image File Execution Options Injection | During the C0032 campaign, TEMP.Veles modified and added entries within |
| Enterprise | T1003.001 | LSASS Memory | During the C0032 campaign, TEMP.Veles used Mimikatz and a custom tool, SecHack, to harvest credentials.[1] |
Groups, software, and campaigns
G0088: TEMP.Veles
TEMP.Veles is a Russia-based threat group that has targeted critical infrastructure. The group has been observed utilizing TRITON, a malware framework designed to manipulate industrial safety systems.[1][2][3]
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. For MITRE's own release notes and roadmap, see the ATT&CK resources updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Object version | Status | Raw hash |
|---|---|---|---|
| 19.1 | 1.0 | Current bundle | fb56acd6c032… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Miller, S., et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. FireEye. Retrieved April 16, 2019.
[2] MITRE ATT&CK. Campaign C0032.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.