MITRE ATT&CK® Malware

S0088: Kasidet

Kasidet is a backdoor that has been dropped by using malicious VBA macros. [1]

Domain: Enterprise | ID: S0088 | Type: Malware | Object version: 1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Kasidet matters because ATT&CK describes it as a Windows backdoor dropped through malicious VBA macros, with related behaviors that include credential collection through keylogging, screen capture, host discovery, command shell execution, tool transfer, persistence through Run keys/startup folders, security software discovery, and firewall modification. For leaders, this is less about one malware name and more about validating whether the organization can see and contain a macro-delivered backdoor that may collect sensitive data, learn the environment, persist, and weaken defenses.

Executive priority

Prioritize Kasidet as a test case for endpoint visibility, Office macro risk management, credential exposure response, and Windows persistence monitoring. The key business questions are: can the SOC prove it collects the evidence needed to investigate macro-delivered malware; can incident responders quickly identify captured credentials or exposed user activity; and can control owners show audit-ready evidence that startup persistence, command shell abuse, firewall changes, and security tool discovery are monitored or restricted where appropriate?

Technical view

ATT&CK provides no official detection text for Kasidet, so defenders should build validation around the supplied Windows platform and the related techniques: T1056.001 Keylogging, T1057 Process Discovery, T1059.003 Windows Command Shell, T1082 System Information Discovery, T1083 File and Directory Discovery, T1105 Ingress Tool Transfer, T1113 Screen Capture, T1518.001 Security Software Discovery, T1547.001 Registry Run Keys / Startup Folder, and T1686 Disable or Modify System Firewall. SOC and IR teams should confirm they can correlate suspicious Office/VBA-originated execution with child process activity, discovery commands, downloaded files, registry or startup-folder persistence, screen or keyboard collection indicators, security product enumeration, and firewall policy changes on Windows endpoints.

Likely telemetry

  • Endpoint process creation and parent-child process relationships, especially Office applications spawning command shells or other utilities
  • Windows command-line arguments and script or shell execution records
  • Office document and VBA macro execution events where available
  • Registry modification events for Run keys and other startup persistence locations
  • Startup folder file creation or modification events

Detection direction

  • Because ATT&CK lists no official Kasidet detection, validate behavior-based detections rather than relying on malware-name matching.
  • Correlate macro-enabled Office activity with child process execution, especially Windows Command Shell use and subsequent discovery or file-transfer behavior.
  • Tune discovery detections to reduce noise from administrators and management tools by using parent process, user context, endpoint role, command sequence, and timing.
  • Monitor Run key and startup-folder changes with attention to unusual file paths, recently created binaries, and user-context persistence.
  • Review firewall modification alerts for unauthorized rule changes or disabling behavior, especially when preceded by discovery, tool transfer, or command shell activity.
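As an added example (not code from the page, MITRE, or Glexia), the correlation described in the bullets above run over constructed Windows telemetry: an Office parent spawning a shell opens a chain, and later same-host discovery commands, Run-key persistence, or netsh firewall changes inside a time window are attached to it, while the same Run-key write on a host with no Office-to-shell trigger is left alone. The process-name sets, the ten-minute window and the sample events are assumptions.

```python
from datetime import datetime, timedelta
# Assumed defaults, not values from the page; tune them from your own baseline of admin activity.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
DISCOVERY_TOOLS = {"tasklist.exe", "systeminfo.exe", "whoami.exe", "hostname.exe"}
RUN_KEY_MARKER = "\\currentversion\\run"  # matches both Run and RunOnce keys
FIREWALL_MARKERS = ("advfirewall", "firewall set", "firewall add")

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")

def _stage(ev):
    # Map a follow-on event to an ATT&CK-aligned stage; None if it is not of interest
    if ev["kind"] == "registry" and RUN_KEY_MARKER in ev["target"].lower():
        return "persistence_run_key"  # T1547.001
    if ev["kind"] == "process":
        image, cmd = ev["image"].lower(), ev.get("cmdline", "").lower()
        if image in DISCOVERY_TOOLS:
            return "discovery"  # T1057 / T1082 / T1518.001
        if image == "netsh.exe" and any(m in cmd for m in FIREWALL_MARKERS):
            return "firewall_change"  # Disable or Modify System Firewall
    return None

def correlate(events, window=timedelta(minutes=10)):
    # Open a chain when an Office app spawns a shell, then attach later same-host stages inside the window
    chains = []
    for ev in sorted(events, key=lambda e: _ts(e["ts"])):
        if (ev["kind"] == "process" and ev["parent"].lower() in OFFICE_PARENTS
                and ev["image"].lower() in SHELLS):
            chains.append({"host": ev["host"], "start": ev["ts"], "stages": set()})
            continue
        for ch in chains:
            if ch["host"] == ev["host"] and _ts(ev["ts"]) - _ts(ch["start"]) <= window:
                if stage := _stage(ev):
                    ch["stages"].add(stage)
    return [ch for ch in chains if ch["stages"]]  # only chains that progressed past Office -> shell

# Constructed sample telemetry, not real logs: WS01 carries the full chain, WS02 only benign admin noise
SAMPLE_EVENTS = [
    {"ts": "2024-05-01 10:00:00", "host": "WS01", "kind": "process", "parent": "WINWORD.EXE",
     "image": "cmd.exe", "cmdline": "cmd.exe /c %TEMP%\\upd.exe"},
    {"ts": "2024-05-01 10:00:05", "host": "WS01", "kind": "process", "parent": "cmd.exe",
     "image": "tasklist.exe", "cmdline": "tasklist"},
    {"ts": "2024-05-01 10:00:20", "host": "WS01", "kind": "registry",
     "target": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"},
    {"ts": "2024-05-01 10:00:40", "host": "WS01", "kind": "process", "parent": "upd.exe",
     "image": "netsh.exe", "cmdline": "netsh advfirewall firewall add rule name=Updater dir=in action=allow"},
    {"ts": "2024-05-01 10:31:00", "host": "WS02", "kind": "registry",
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Agent"},
]
```

Calling `correlate(SAMPLE_EVENTS)` returns one finding for WS01 with the discovery, persistence and firewall stages; the WS02 Run-key write produces nothing because no Office-to-shell trigger preceded it.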

Mitigation priorities

  • Reduce macro-delivered malware risk through controlled handling of Office macros, user awareness, and attachment/document execution governance appropriate to business needs.
  • Harden Windows endpoints to restrict unnecessary command shell abuse and unauthorized script or process execution.
  • Limit user privileges so persistence, firewall modification, and security tool tampering require stronger authorization boundaries.
  • Protect and monitor Registry Run keys and startup folders as high-priority persistence locations.
  • Ensure endpoint protection, logging, and firewall policies are centrally managed and generate evidence when modified.

Analyst notes and limits

The strongest decision value comes from the relationships rather than the malware description alone. Kasidet is officially described only as a backdoor dropped using malicious VBA macros, but the ATT&CK relationships provide practical validation points across collection, credential access, discovery, execution, command and control, persistence, privilege escalation, and defense impairment. Treat this as a coverage-assessment object for Windows endpoint and Office macro telemetry, not as evidence of current activity in any specific environment.

The supplied ATT&CK object has no official detection guidance, no aliases, no tactics listed on the malware object itself, and only one non-MITRE external reference. Several related technique descriptions are truncated in the supplied data, and local environment baselines are required to distinguish malicious discovery, command shell use, downloads, and firewall changes from legitimate administration. This take does not assert active exploitation, attribution, impact, or guaranteed detection coverage.

Official MITRE ATT&CK definition

Kasidet

Kasidet is a backdoor that has been dropped by using malicious VBA macros. [1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); the in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Kasidet can execute commands using cmd.exe. [Zscaler Kasidet] |
| Enterprise | T1082 | System Information Discovery | Kasidet has the ability to obtain a victim's system name and operating system version. [Zscaler Kasidet] |
| Enterprise | T1057 | Process Discovery | Kasidet has the ability to search for a given process name in processes currently running on the system. [Zscaler Kasidet] |
| Enterprise | T1686 | Disable or Modify System Firewall | Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded. [Zscaler Kasidet] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | Kasidet creates a Registry Run key to establish persistence. [Zscaler Kasidet] [Microsoft Kasidet] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Kasidet has the ability to identify any anti-virus installed on the infected system. [Zscaler Kasidet] |
| Enterprise | T1113 | Screen Capture | Kasidet has the ability to initiate keylogging and screen captures. [Zscaler Kasidet] |
| Enterprise | T1105 | Ingress Tool Transfer | Kasidet has the ability to download and execute additional files. [Zscaler Kasidet] |
| Enterprise | T1083 | File and Directory Discovery | Kasidet has the ability to search for a given filename on a victim. [Zscaler Kasidet] |
| Enterprise | T1056.001 | Keylogging (sub-technique) | Kasidet has the ability to initiate keylogging. [Zscaler Kasidet] |

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 5d91c22a407c2f13...

Imported snapshots across ATT&CK releases (1)

| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 5d91c22a407c… |

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Zscaler Kasidet: Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016.
  2. [2] mitre-attack S0088

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.