MITRE ATT&CK® Malware

S0038: Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

Domain: Enterprise | ID: S0038 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: High

Duqu matters because ATT&CK describes it as a Windows malware platform built to extend its capabilities after deployment. That modularity changes the defensive question from “can we find one binary?” to “can we see post-compromise behavior as functionality is added?” The linked ATT&CK relationships show behaviors across discovery, persistence, credential collection, lateral movement, command-and-control concealment, local data staging, and collection of operational or repository data, including ICS-context information. For leaders, the practical risk is loss of visibility during a long-running intrusion where sensitive operational knowledge may be gathered before obvious disruption occurs.

Executive priority

Prioritize Duqu as a validation case for resilience against modular, stealthy intrusions on Windows environments and for environments where corporate systems may contain operational, engineering, or ICS-relevant information. Executives should ask whether SOC, identity, endpoint, network, and incident response teams can correlate suspicious Windows persistence, account abuse, SMB movement, process injection, encrypted or tunneled C2, and staged data collection into a single investigation. This is also useful for audit and compliance evidence: it tests whether controls protect sensitive repositories and operational information, not just whether malware signatures exist.

Technical view

ATT&CK provides no official detection text for Duqu, so defenders should build coverage from the related techniques. Validate telemetry and analytics for Windows scheduled tasks and services, msiexec abuse, DLL injection and process hollowing, access token manipulation, local account and process discovery, application window discovery, network configuration and connection discovery, SMB admin share use, valid account activity, keylogging indicators where available, local data staging, custom archiving, application-layer C2, internal proxying, protocol tunneling, symmetric encryption, and steganography-like file or traffic patterns. Because related ICS techniques include Data from Information Repositories, Data from Local System, and Theft of Operational Information, IR playbooks should include checks for access to engineering documents, diagrams, configuration files, local databases, and other operational artifacts when those assets exist in the environment.

Likely telemetry

  • Windows endpoint process creation, parent-child process lineage, command-line, module load, and memory/injection-related events
  • Windows service creation/modification and scheduled task registration/execution events
  • Authentication, logon, token/use context, local account enumeration, and valid account activity logs
  • SMB/admin share access, file share activity, and lateral movement evidence
  • Network connection metadata, application-layer protocol logs, proxy/firewall/DNS telemetry, and indications of tunneling or encrypted C2 patterns

Detection direction

  • Correlate behaviors instead of relying on a single malware indicator, because the official description emphasizes a modular platform and no official ATT&CK detection guidance is supplied.
  • Tune Windows persistence detections for scheduled tasks and service changes against known administrative baselines to reduce false positives.
  • Review msiexec execution for unusual local or network-sourced packages or DLL execution patterns, while accounting for legitimate software installation activity.
  • Hunt for process injection and process hollowing signals where endpoint telemetry supports memory or module-level visibility; note that many environments have blind spots here.
  • Correlate valid account use, SMB/admin share access, and discovery commands with unusual source hosts, times, or account roles.
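As an added example (not part of this page or of the ATT&CK entry), the correlation the last bullet calls for, run over a few constructed Windows Security events: a network logon (4624, logon type 3), admin-share access (5140) from the same source address, and a scheduled task registration (4698) by the same account on the same host inside a short window. That is the chain the T1078 / T1021.002 / T1053.005 relationship text describes. The event field names and the sample events are assumptions made for this example, and `baseline_admins` is a hypothetical allow-list standing in for the administrative baseline the bullets mention.

```python
"""Correlate Windows Security events into a lateral-movement chain.

Assumed event schema (constructed for this example, not a real log format):
each event is a dict with 'ts' (ISO 8601), 'event_id', 'host' (the computer
that logged it), 'user', and, where relevant, 'logon_type' (4624),
'src_ip' (4624 and 5140), 'share' (5140) or 'task' (4698).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Administrative shares whose remote use is worth correlating (T1021.002).
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def _in_window(ts: str, start: datetime, end: datetime) -> bool:
    return start <= datetime.fromisoformat(ts) <= end


def find_lateral_movement_chains(events, window_seconds=600, baseline_admins=frozenset()):
    """Return one alert per (host, account, source IP) where a network logon
    (4624, logon type 3) is followed within window_seconds on the same host by
    admin-share access (5140) from the same source IP and a scheduled task
    registration (4698) by the same account. Accounts in baseline_admins are a
    hypothetical allow-list of known remote administrators and are skipped."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_host[ev["host"]].append(ev)

    alerts, seen = [], set()
    for host, evs in by_host.items():
        for logon in evs:
            if logon["event_id"] != 4624 or logon.get("logon_type") != 3:
                continue
            if logon["user"] in baseline_admins:
                continue
            key = (host, logon["user"], logon["src_ip"])
            if key in seen:
                continue
            start = datetime.fromisoformat(logon["ts"])
            end = start + timedelta(seconds=window_seconds)
            shares = [e for e in evs
                      if e["event_id"] == 5140
                      and e.get("src_ip") == logon["src_ip"]
                      and e.get("share", "").upper() in ADMIN_SHARES
                      and _in_window(e["ts"], start, end)]
            tasks = [e for e in evs
                     if e["event_id"] == 4698
                     and e["user"] == logon["user"]
                     and _in_window(e["ts"], start, end)]
            if shares and tasks:
                seen.add(key)
                alerts.append({
                    "host": host,
                    "user": logon["user"],
                    "src_ip": logon["src_ip"],
                    "shares": sorted({e["share"] for e in shares}),
                    "tasks": sorted({e["task"] for e in tasks}),
                    "first_seen": logon["ts"],
                    "last_seen": max(e["ts"] for e in shares + tasks),
                })
    return alerts


# Constructed sample events: one suspicious chain on WS-07 plus benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-03-02T02:14:05", "event_id": 4624, "host": "WS-07",
     "user": "CORP\\jdoe", "logon_type": 3, "src_ip": "10.0.5.23"},
    {"ts": "2024-03-02T02:14:09", "event_id": 5140, "host": "WS-07",
     "user": "CORP\\jdoe", "src_ip": "10.0.5.23", "share": "ADMIN$"},
    {"ts": "2024-03-02T02:14:20", "event_id": 4698, "host": "WS-07",
     "user": "CORP\\jdoe", "task": "\\Updater"},
    # Backup account reading an ordinary file share: no task, no alert.
    {"ts": "2024-03-02T02:30:00", "event_id": 4624, "host": "FS-01",
     "user": "CORP\\svc_backup", "logon_type": 3, "src_ip": "10.0.9.4"},
    {"ts": "2024-03-02T02:30:02", "event_id": 5140, "host": "FS-01",
     "user": "CORP\\svc_backup", "src_ip": "10.0.9.4", "share": "Projects"},
    # Known patch-management admin doing the same chain: suppressed by the baseline.
    {"ts": "2024-03-02T03:00:00", "event_id": 4624, "host": "WS-12",
     "user": "CORP\\patchadmin", "logon_type": 3, "src_ip": "10.0.1.10"},
    {"ts": "2024-03-02T03:00:03", "event_id": 5140, "host": "WS-12",
     "user": "CORP\\patchadmin", "src_ip": "10.0.1.10", "share": "C$"},
    {"ts": "2024-03-02T03:00:10", "event_id": 4698, "host": "WS-12",
     "user": "CORP\\patchadmin", "task": "\\PatchRun"},
]

BASELINE_ADMINS = frozenset({"CORP\\patchadmin"})

if __name__ == "__main__":
    for alert in find_lateral_movement_chains(SAMPLE_EVENTS, baseline_admins=BASELINE_ADMINS):
        print(alert)
```

The allow-list is what keeps the second, legitimate chain on WS-12 quiet; without it the same logic fires twice, which is the false-positive trade-off the "tune against known administrative baselines" bullet refers to. In a real deployment the window, share list and baseline would come from the environment's own inventory rather than constants.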

Mitigation priorities

  • Start with asset and data mapping: identify Windows systems and repositories that hold sensitive operational, engineering, configuration, or ICS-relevant information.
  • Harden identity controls around accounts that can access file shares, admin shares, repositories, and operational data; review least privilege and monitoring for valid account abuse.
  • Restrict and monitor administrative mechanisms commonly abused for persistence or lateral movement, including Windows services, scheduled tasks, SMB/admin shares, and msiexec usage.
  • Ensure endpoint controls and logging can observe process lineage, service/task changes, suspicious module loading, and injection-like behavior where feasible.
  • Segment and monitor access paths between corporate Windows systems and repositories containing operational or ICS-related information.

Analyst notes and limits

This take is based on the supplied ATT&CK software object S0038 and its listed relationships. The object itself has Windows as its platform and describes Duqu as a modular malware platform. The relationship context expands the defensive scope into enterprise and ICS techniques, including collection of operational information, but ATT&CK tactics are not specified on the Duqu object itself.

MITRE supplied no official detection text, no aliases, and no tactics for the malware object in the provided fields. The related technique descriptions are generic ATT&CK technique context, not proof that every behavior will appear in every Duqu incident. Local baselines, asset inventory, repository locations, and available telemetry are required to determine actual exposure and detection coverage.

Official MITRE ATT&CK definition

Duqu

Duqu is a malware platform that uses a modular approach to extend functionality after deployment within a target network. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

21 rows

Domain | ID | Name | Relationship / procedure
Enterprise | T1056.001 | Keylogging (sub-technique) | Duqu can track key presses with a keylogger module. [Symantec W32.Duqu]
Enterprise | T1560.003 | Archive via Custom Method (sub-technique) | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it. [Symantec W32.Duqu]
Enterprise | T1090.001 | Internal Proxy (sub-technique) | Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access. [Symantec W32.Duqu]
Enterprise | T1218.007 | Msiexec (sub-technique) | Duqu has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages. [Kaspersky Duqu 2.0]
Enterprise | T1087.001 | Local Account (sub-technique) | The discovery modules used with Duqu can collect information on accounts and permissions. [Symantec W32.Duqu]
Enterprise | T1057 | Process Discovery | The discovery modules used with Duqu can collect information on process details. [Symantec W32.Duqu]
Enterprise | T1078 | Valid Accounts | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. [Symantec W32.Duqu]
Enterprise | T1543.003 | Windows Service (sub-technique) | Duqu creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key. [Symantec W32.Duqu]
Enterprise | T1572 | Protocol Tunneling | Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. [Symantec W32.Duqu]
Enterprise | T1074.001 | Local Data Staging (sub-technique) | Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it. [Symantec W32.Duqu]
Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host). [Symantec W32.Duqu]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | The Duqu command and control protocol's data stream can be encrypted with AES-CBC. [Symantec W32.Duqu]
Enterprise | T1071 | Application Layer Protocol | Duqu uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols. [Symantec W32.Duqu]
Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. [Symantec W32.Duqu]
Enterprise | T1049 | System Network Connections Discovery | The discovery modules used with Duqu can collect information on network connections. [Symantec W32.Duqu]
Enterprise | T1134 | Access Token Manipulation | Duqu examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges. [Kaspersky Duqu 2.0]
Enterprise | T1010 | Application Window Discovery | The discovery modules used with Duqu can collect information on open windows. [Symantec W32.Duqu]
Enterprise | T1053.005 | Scheduled Task (sub-technique) | Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware. [Symantec W32.Duqu]
Enterprise | T1001.002 | Steganography (sub-technique) | When the Duqu command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file. [Symantec W32.Duqu]
Enterprise | T1016 | System Network Configuration Discovery | The reconnaissance modules used with Duqu can collect information on network configuration. [Symantec W32.Duqu]
Enterprise | T1055.012 | Process Hollowing (sub-technique) | Duqu is capable of loading executable code via process hollowing. [Symantec W32.Duqu]
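The T1001.002 row above describes uploads in which data is appended to a blank JPG. As an added example, not from this page or from MITRE, here is the check a web proxy or DLP hook could run on an uploaded image body: walk the JPEG marker structure to the EOI marker and report any bytes that follow it, which is exactly where such appended data sits. The `make_blank_jpeg` helper constructs a minimal, structurally valid JPEG for the test; it is not a real Duqu artifact, and the function names are this example's own.

```python
"""Detect data appended after the end of a JPEG image (the T1001.002 pattern)."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def jpeg_end_offset(data: bytes) -> int:
    """Walk the JPEG marker structure and return the offset just past the EOI
    marker (FF D9), or -1 if data is not a parseable JPEG container. After a
    SOS segment the entropy-coded bytes are skipped, treating FF 00 as byte
    stuffing and FF D0..D7 as restart markers rather than segment boundaries."""
    if len(data) < 4 or data[0] != 0xFF or data[1] != SOI:
        return -1
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return -1
        marker = data[pos + 1]
        if marker == 0xFF:                              # fill byte before a marker
            pos += 1
            continue
        if marker == EOI:
            return pos + 2
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:    # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            return -1
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                              # marker + length-prefixed payload
        if marker == SOS:
            # Skip entropy-coded bytes until the next real marker.
            while pos + 1 < len(data):
                if data[pos] == 0xFF:
                    nxt = data[pos + 1]
                    if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                        break
                pos += 1
    return -1


def trailing_payload(data: bytes) -> bytes:
    """Bytes that follow the image's EOI marker; empty for a clean JPEG."""
    end = jpeg_end_offset(data)
    if end < 0:
        raise ValueError("not a parseable JPEG")
    return data[end:]


def inspect_upload(body: bytes) -> dict:
    """Summary a proxy or DLP hook could log for an uploaded image body."""
    end = jpeg_end_offset(body)
    if end < 0:
        return {"jpeg": False, "trailing_bytes": 0, "suspicious": False}
    trailing = len(body) - end
    return {"jpeg": True, "trailing_bytes": trailing, "suspicious": trailing > 0}


def make_blank_jpeg() -> bytes:
    """Constructed minimal JPEG for this example: SOI, an APP0/JFIF segment, a
    one-component SOS header, a few entropy bytes including a stuffed FF 00,
    then EOI. Structurally valid for marker parsing; not meant to render."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos_payload = b"\x01\x01\x00\x00\x3f\x00"
    sos = b"\xff\xda" + struct.pack(">H", 2 + len(sos_payload)) + sos_payload
    entropy = b"\x12\x34\xff\x00\x56"
    return b"\xff\xd8" + app0 + sos + entropy + b"\xff\xd9"


if __name__ == "__main__":
    clean = make_blank_jpeg()
    print(inspect_upload(clean))
    print(inspect_upload(clean + b"constructed-staged-data"))
```

A small amount of trailing data is not proof of anything on its own (some camera and editing software leaves bytes after EOI), so the useful signal is the combination the table describes: repeated image uploads from a host, to the same destination, each carrying a non-empty trailer, alongside the C2 and staging behaviours listed in the other rows.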


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.

ATT&CK release: 19.1
Object version: 1.2
Created:
Modified:
Raw hash: c92e08328985a184...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.2 | | Current bundle | c92e08328985…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Symantec W32.Duqu. Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015.
  2. [2] mitre-attack S0038.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.