S0129: AutoIt backdoor
AutoIt backdoor is malware that has been used by the actors responsible for the MONSOON campaign. The actors frequently used it in weaponized .pps files exploiting CVE-2014-6352. [1] This malware makes use of the legitimate scripting language for Windows GUI automation with the same name.
Analyst context for executives and security teams
AutoIt backdoor matters because it blends malicious backdoor behavior with a legitimate Windows automation scripting language. The ATT&CK record ties it to weaponized PowerPoint slideshow files exploiting CVE-2014-6352 and to use by multiple named groups, so leaders should treat it as a Windows endpoint, Office-document exposure, and scripting-control problem rather than only a malware-signature problem.
Executive priority
Prioritize validation of Windows endpoint visibility, legacy Office vulnerability exposure, and controls over script interpreters and PowerShell. For risk owners, the key decision is whether the organization can prove it would see suspicious document execution, follow-on PowerShell use, file discovery, UAC bypass attempts, and encoded command-and-control activity. This is also useful audit evidence for vulnerability management, endpoint monitoring, least privilege, and incident response readiness.
Technical view
ATT&CK lists the malware platform as Windows and relates it to PowerShell execution, file and directory discovery, standard encoding for command and control, and UAC bypass. SOC and IR teams should validate detection around the infection chain described in the source: weaponized .pps files associated with CVE-2014-6352, AutoIt-based execution, child-process activity from Office, PowerShell invocation, filesystem enumeration, privilege elevation behavior, and outbound traffic that may use standard encodings. MITRE does not provide a detection section for this object, so coverage must be built from the related techniques and local telemetry.
Likely telemetry
- Windows endpoint process creation with command line and parent/child process relationships
- Office/PowerPoint file execution events, especially .pps handling and child processes
- PowerShell operational logs, script block/module logging where enabled, and command-line telemetry
- File system access or enumeration events from endpoint detection tooling
- Windows privilege elevation, integrity level, and UAC-related events
Detection direction
- Validate whether Office-spawned scripting, AutoIt execution, and PowerShell activity are visible and correlated at the endpoint.
- Tune detections around suspicious parent-child chains, such as Office documents launching interpreters or command shells, while accounting for legitimate automation use.
- Use the related techniques to build behavioral coverage: PowerShell execution, file/directory discovery, encoded C2 traffic, and UAC bypass indicators.
- Review false positives from administrative scripts and automation tools; the presence of AutoIt alone is not necessarily malicious because AutoIt is legitimate software.
- Confirm network detections do not rely only on cleartext payload matching, because the related technique includes standard encoding of C2 content.
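The correlation described in the two lists above, as an added example (not code from the ATT&CK record, from Forcepoint, or from Glexia): a small routine over process-creation events that flags Office applications spawning interpreters, decodes PowerShell `-EncodedCommand` arguments before inspecting them, and looks in the decoded text for enumeration of the document extensions named in the T1083 procedure. Field names are assumptions modelled on Sysmon Event ID 1 style process telemetry, and every sample event is constructed. Note that AutoIt3.exe launched from Explorer produces no finding on its own, matching the false-positive caveat above.

```python
"""
Added illustration: behavioural triage of process-creation events.
Event shape (host, parent_image, image, command_line) is an assumption;
the sample events below are constructed, not real telemetry.
"""
import base64
import re
from dataclasses import dataclass
from typing import List, Optional

# Office hosts whose document-driven child processes deserve scrutiny (assumed list).
OFFICE_PARENTS = {"powerpnt.exe", "winword.exe", "excel.exe", "outlook.exe"}
# Interpreters and shells that a document viewer rarely needs to launch (assumed list).
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "autoit3.exe"}
# Extensions the ATT&CK T1083 procedure says the backdoor looks for.
DOC_EXTENSIONS = (".doc", ".pdf", ".csv", ".ppt", ".docx", ".pst",
                  ".xls", ".xlsx", ".pptx", ".jpeg")
# PowerShell's -EncodedCommand switch and its usual abbreviations.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)[-/](?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(command_line: str) -> Optional[str]:
    """Return the plaintext of a -EncodedCommand argument (base64 of UTF-16LE), else None."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def evaluate(event: ProcessEvent) -> List[str]:
    """Return the behavioural findings for one event; an empty list means nothing suspicious."""
    findings = []
    parent, child = _basename(event.parent_image), _basename(event.image)
    # Rule 1: an Office application launching an interpreter or shell.
    if parent in OFFICE_PARENTS and child in INTERPRETERS:
        findings.append(f"office_spawns_interpreter:{parent}->{child}")
    # Rule 2: encoded PowerShell, inspected after decoding rather than matched on the raw string.
    decoded = decode_encoded_command(event.command_line)
    if decoded is not None and child in ("powershell.exe", "pwsh.exe"):
        findings.append("powershell_encoded_command")
        if any(ext in decoded.lower() for ext in DOC_EXTENSIONS):
            findings.append("document_discovery_in_encoded_command")
    # Deliberately no rule on AutoIt3.exe by itself: the interpreter is legitimate software.
    return findings


def _encode_for_sample(script: str) -> str:
    # Constructed test data only: the base64(UTF-16LE) form PowerShell expects.
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


OFFICE = r"C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE"
SAMPLE_EVENTS = [
    # Benign: a user runs an AutoIt maintenance script from Explorer (constructed).
    ProcessEvent("ws01", r"C:\Windows\explorer.exe", r"C:\Program Files\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Scripts\backup.au3'),
    # Suspicious: PowerPoint spawns encoded PowerShell that enumerates document types (constructed).
    ProcessEvent("ws02", OFFICE, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -NoP -W Hidden -enc " + _encode_for_sample(
                     "Get-ChildItem -Path $env:USERPROFILE -Recurse -Include *.doc,*.pdf,*.xlsx")),
    # Suspicious: PowerPoint spawns the AutoIt interpreter directly (constructed).
    ProcessEvent("ws03", OFFICE, r"C:\Program Files\AutoIt3\AutoIt3.exe",
                 r'"C:\Program Files\AutoIt3\AutoIt3.exe" C:\Users\Public\tmp\a.au3'),
]


def triage(events: List[ProcessEvent]):
    """Return only the events that produced findings, keyed by host."""
    return {e.host: f for e in events if (f := evaluate(e))}


if __name__ == "__main__":
    for host, findings in triage(SAMPLE_EVENTS).items():
        print(host, findings)
```

The rules are intentionally narrow: the parent/child pairing carries the weight, and the decoded command line is only used to add context, so an administrator's signed AutoIt script launched from Explorer or a scheduled task never trips the logic.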
Mitigation priorities
- Inventory and remediate systems exposed to the CVE-2014-6352-related Office attack path described by ATT&CK’s source material.
- Harden Office document handling and restrict risky document-originated child processes where operationally feasible.
- Apply least privilege and monitor local administrator usage; do not depend on UAC prompts alone as a security boundary.
- Control and monitor scripting environments, including PowerShell and AutoIt, using approved-use policies and endpoint enforcement appropriate to the business.
- Ensure IR playbooks include containment and scoping steps for Windows scripting malware, suspicious Office launch chains, and possible encoded outbound communications.
Analyst notes and limits
The object is associated in ATT&CK relationships with Patchwork and APT33, and the description references actors responsible for the MONSOON campaign. Use those relationships for threat intelligence context, not as proof of current targeting or attribution in any local incident. The most defensible detection approach is behavior-based and relationship-driven because the object itself has no official MITRE detection text.
Official ATT&CK detection guidance is not provided for S0129. The supplied object does not define specific commands, indicators, persistence mechanisms, or active exploitation status. Local conclusions require endpoint, network, vulnerability, and incident evidence from the environment.
AutoIt backdoor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | AutoIt backdoor is capable of identifying documents on the victim with the following extensions: .doc, .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg. [1] |
| Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | AutoIt backdoor attempts to escalate privileges by bypassing User Account Control. [1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | AutoIt backdoor has sent a C2 response that was base64-encoded. [1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader. [1] |
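The T1132.001 row and the earlier note that network detections should not rely only on cleartext matching both point at the same defensive step: normalize a response body through any standard-encoding layers before running indicator matching. The following is an added example (not code from the ATT&CK record, from Forcepoint, or from Glexia) that peels base64 layers, including line-wrapped and unpadded forms, and runs the same patterns over every recovered view. The indicator patterns and sample bodies are constructed for illustration.

```python
"""
Added illustration: layered base64 normalization for C2 response inspection.
The sample bodies and indicator patterns are constructed, not observed traffic.
"""
import base64
import binascii
import re
from typing import List, Optional, Tuple

B64_ALPHABET = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def _try_base64(text: str) -> Optional[bytes]:
    """Decode text as base64 if it plausibly is; tolerate line wrapping and missing padding."""
    compact = re.sub(r"\s+", "", text)
    if len(compact) < 16 or not B64_ALPHABET.match(compact):
        return None
    padded = compact + "=" * (-len(compact) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except binascii.Error:
        return None


def _as_text(raw: bytes) -> Optional[str]:
    """Return raw bytes as printable text (UTF-8, then UTF-16LE), or None if neither fits."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = raw.decode(enc)
        except UnicodeDecodeError:
            continue
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
            return text
    return None


def candidate_views(body: bytes, max_depth: int = 3) -> List[Tuple[str, str]]:
    """Return (label, text) for the raw body and each base64 layer that decodes to text."""
    views = []
    text = _as_text(body)
    depth, label = 0, "raw"
    while text is not None and depth <= max_depth:
        views.append((label, text))
        raw = _try_base64(text)
        if raw is None:
            break
        depth += 1
        label = f"base64x{depth}"
        text = _as_text(raw)
    return views


def match_indicators(body: bytes, patterns: List[str]) -> List[Tuple[str, str]]:
    """Run every regex over every recovered view; report which layer matched."""
    hits = []
    for label, text in candidate_views(body):
        for pat in patterns:
            if re.search(pat, text, re.IGNORECASE):
                hits.append((label, pat))
    return hits


# Constructed samples: a tasking string, base64-encoded and wrapped at 20 columns,
# and the same body encoded a second time.
_PLAIN = b"task=list;ext=.docx,.pdf,.xlsx"
_B64 = base64.b64encode(_PLAIN).decode("ascii")
SAMPLE_BODY = "\r\n".join(_B64[i:i + 20] for i in range(0, len(_B64), 20)).encode("ascii")
DOUBLE_ENCODED_BODY = base64.b64encode(SAMPLE_BODY)
SAMPLE_PATTERNS = [r"\.docx", r"ext="]

if __name__ == "__main__":
    print(match_indicators(SAMPLE_BODY, SAMPLE_PATTERNS))
    print([label for label, _ in candidate_views(DOUBLE_ENCODED_BODY)])
```

The layer label in each hit tells the analyst how deeply the content was wrapped, which is itself a useful triage signal: a plain HTTP response that only matches after two base64 layers is worth a closer look than one matching in the raw view.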
Groups, software, and campaigns
G0064: APT33
G0040: Patchwork
Patchwork is a cyber espionage group that was first observed in December 2015. While the group has not been definitively attributed, circumstantial evidence suggests the group may be a pro-Indian or Indian entity. Patchwork has been seen targeting industries related to diplomatic and government agencies. Much of the code used by this group was copied and pasted from online forums. Patchwork was also seen operating spearphishing campaigns targeting U.S. think tank groups in March and April of 2018.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 3e31ec287c96… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Forcepoint Monsoon: Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016.
[2] mitre-attack S0129
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.