MITRE ATT&CK® Malware

S0159: SNUGRIDE

SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. [1]

Domain: Enterprise | ID: S0159 | Type: Malware | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence High

SNUGRIDE matters because ATT&CK identifies it as a Windows backdoor used as first-stage malware by menuPass. For leaders, the decision value is not the malware name itself, but whether the organization can quickly prove visibility into the behaviors ATT&CK links to it: Windows command execution, persistence through Run keys or Startup folders, web-protocol command-and-control, and encrypted C2 content.

Executive priority

Treat SNUGRIDE as a validation case for Windows endpoint readiness and SOC evidence quality. Executives should ask whether teams can reconstruct a first-stage backdoor event from endpoint, registry, process, and network telemetry; whether persistence changes are monitored well enough for audit and incident response; and whether encrypted or web-like outbound traffic is reviewed using metadata and destination context rather than content inspection alone.

Technical view

ATT&CK provides no dedicated detection text for SNUGRIDE, so defenders should validate coverage through the related behaviors: T1059.003 Windows Command Shell, T1547.001 Registry Run Keys / Startup Folder, T1071.001 Web Protocols, and T1573.001 Symmetric Cryptography. SOC and IR teams should confirm they can correlate suspicious cmd.exe execution, new or modified Run key/startup persistence, and outbound web-protocol sessions that may carry encrypted command-and-control traffic. Because this is described as first-stage malware, triage should prioritize early execution, persistence establishment, and initial C2 evidence on Windows hosts.

Likely telemetry

  • Windows process creation events, especially command shell execution and parent-child process context
  • Windows Registry monitoring for Run key creation or modification
  • Startup folder file creation or modification events
  • Endpoint file, service, and user logon context around persistence execution
  • Network connection metadata for outbound HTTP/S or other web-protocol traffic

Detection direction

  • Do not rely on a SNUGRIDE-specific signature alone; validate behavioral detections mapped to the related ATT&CK techniques.
  • Tune Windows command shell analytics for suspicious parent processes, unusual execution context, and command execution near persistence changes.
  • Monitor Run keys and Startup folders for newly added or modified entries, with allowlisting for known administrative and software-update activity.
  • Review outbound web-protocol traffic using metadata, destination reputation, session patterns, and endpoint process correlation, since symmetric encryption may limit payload visibility.
  • Use the menuPass relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
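
The correlation the two lists above describe, as an added example that is not part of the original page and not MITRE, FireEye or Glexia tooling. It anchors on cmd.exe launched from an unexpected parent (T1059.003), then looks forward a short window on the same host for a Run key or Startup folder write (T1547.001) and an outbound web-port connection (T1071.001), and only raises an alert when the chain has more than one stage. The event records are constructed in a Sysmon-like shape (event IDs 1, 3, 11 and 13); the field names, the allowlisted installers and the list of suspicious parent processes are assumptions to replace with a local baseline.

```python
"""Correlate Windows endpoint telemetry into a first-stage-backdoor alert.

Added example for this page; not SNUGRIDE code and not Glexia/MITRE tooling.
Records are constructed in a Sysmon-like shape (1 process create, 3 network
connect, 11 file create, 13 registry value set). Field names, the allowlist and
the suspicious-parent list are assumptions; feed real SIEM exports into
correlate() and tune the constants to your environment.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable

# Autorun locations to watch (T1547.001); compared case-insensitively.
RUN_KEY_MARKERS = (
    "\\software\\microsoft\\windows\\currentversion\\run\\",
    "\\software\\microsoft\\windows\\currentversion\\runonce\\",
)
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
# Assumed baseline: processes allowed to write autorun entries without an alert.
ALLOWED_AUTORUN_WRITERS = ("msiexec.exe", "setup.exe")
# Assumed baseline: parents that should not launch cmd.exe on a workstation.
SUSPICIOUS_CMD_PARENTS = ("winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe")
WEB_PORTS = {80, 443, 8080, 8443}
WINDOW = timedelta(minutes=10)


@dataclass
class Event:
    ts: datetime
    host: str
    event_id: int            # 1 process create, 3 network, 11 file create, 13 registry set
    image: str = ""          # process that performed the action
    parent_image: str = ""   # event_id 1 only
    target_object: str = ""  # registry value path (13) or file path (11)
    dest_ip: str = ""
    dest_port: int = 0


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_shell(ev: Event) -> bool:
    """cmd.exe spawned by a parent that should not be spawning shells (T1059.003 signal)."""
    return (ev.event_id == 1 and basename(ev.image) == "cmd.exe"
            and basename(ev.parent_image) in SUSPICIOUS_CMD_PARENTS)


def autorun_persistence(ev: Event) -> bool:
    """Run key value or Startup folder file written by a non-allowlisted process."""
    if basename(ev.image) in ALLOWED_AUTORUN_WRITERS:
        return False
    target = ev.target_object.lower()
    if ev.event_id == 13:
        return any(marker in target for marker in RUN_KEY_MARKERS)
    if ev.event_id == 11:
        return STARTUP_FOLDER_MARKER in target
    return False


def web_egress(ev: Event) -> bool:
    """Outbound connection on a web port (T1071.001); payload content is not inspected."""
    return ev.event_id == 3 and ev.dest_port in WEB_PORTS


def correlate(events: Iterable[Event]) -> list[dict]:
    """Anchor on a suspicious shell, then look forward WINDOW for persistence and egress."""
    by_host: dict[str, list[Event]] = {}
    for ev in events:
        by_host.setdefault(ev.host, []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        for anchor in filter(suspicious_shell, evs):
            later = [e for e in evs if anchor.ts <= e.ts <= anchor.ts + WINDOW]
            stages, evidence = ["shell"], [anchor]
            persist = [e for e in later if autorun_persistence(e)]
            egress = [e for e in later if web_egress(e)]
            if persist:
                stages.append("persistence")
                evidence += persist
            if egress:
                stages.append("egress")
                evidence += egress
            if len(stages) > 1:  # a lone odd shell is triage noise; a chain is an alert
                alerts.append({"host": host, "anchor": anchor.ts, "stages": stages,
                               "evidence": evidence, "score": len(stages)})
    return alerts


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed telemetry, not a real capture
    Event(T0, "WS01", 1, image=r"C:\Windows\System32\cmd.exe",
          parent_image=r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"),
    Event(T0 + timedelta(seconds=40), "WS01", 13, image=r"C:\Users\alice\AppData\Roaming\svchost.exe",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    Event(T0 + timedelta(minutes=2), "WS01", 3, image=r"C:\Users\alice\AppData\Roaming\svchost.exe",
          dest_ip="203.0.113.10", dest_port=80),
    # WS02: an admin shell from Explorer and an installer writing a Run key; neither should alert.
    Event(T0, "WS02", 1, image=r"C:\Windows\System32\cmd.exe", parent_image=r"C:\Windows\explorer.exe"),
    Event(T0 + timedelta(seconds=30), "WS02", 13, image=r"C:\Windows\System32\msiexec.exe",
          target_object=r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent"),
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["host"], alert["anchor"].isoformat(), "->", " > ".join(alert["stages"]),
              "score", alert["score"], "events", len(alert["evidence"]))
```

The anchor-then-look-forward shape matches the "first-stage" framing: the shell is the earliest durable signal, and the persistence write and the egress are what turn it from a ticket into an incident. Keep the allowlist narrow and review it; an allowlisted installer name is exactly what a loader would borrow.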

Mitigation priorities

  • Prioritize reliable endpoint logging and retention for Windows process, registry, startup-folder, and network-connection activity.
  • Harden and monitor autorun locations such as Registry Run keys and Startup folders, limiting unnecessary user write paths where operationally feasible.
  • Apply least privilege so persistence created in a user context has reduced operational reach.
  • Control and monitor outbound web access through proxy, DNS, firewall, and TLS metadata policies appropriate to the environment.
  • Prepare IR playbooks that collect persistence artifacts, command execution history, and network indicators from suspected Windows hosts.
Analyst notes and limits

The supplied ATT&CK object describes SNUGRIDE as a Windows backdoor and first-stage malware used by menuPass, with relationships to command shell execution, web-protocol C2, Registry Run key/Startup folder persistence, and symmetric cryptography. This take therefore focuses on defensive validation around those behaviors rather than malware-specific internals.

ATT&CK provides no official detection guidance, no aliases, and no object-level tactics for SNUGRIDE in the supplied fields. The relationship data supports behavioral coverage planning, but local telemetry, baselines, and incident evidence are required before making claims about compromise, attribution, or detection coverage.

Official MITRE ATT&CK definition

SNUGRIDE

SNUGRIDE is a backdoor that has been used by menuPass as first stage malware. [1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1071.001 | Web Protocols (sub-technique) | SNUGRIDE communicates with its C2 server over HTTP. [1]
Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique) | SNUGRIDE establishes persistence through a Registry Run key. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SNUGRIDE is capable of executing commands and spawning a reverse shell. [1]
Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SNUGRIDE encrypts C2 traffic using AES with a static key. [1]
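
The T1071.001 and T1573.001 rows say the C2 runs over HTTP and is AES-encrypted under a static key. Encryption hides the command content, but not the properties the Detection direction list points at: a ciphertext body looks like uniformly random bytes, a beacon tends to check in on a fixed schedule, and the destination is visible in proxy or sensor metadata. The following added example (not code from the page, FireEye, MITRE or Glexia) scores constructed HTTP POST records on body entropy and timing regularity and flags a periodic, high-entropy session over plain HTTP. The record shape, the thresholds and the traffic are assumptions; the "ciphertext" is seeded pseudo-random bytes standing in for AES output.

```python
"""Score HTTP POST sessions for encrypted-beacon behaviour without reading plaintext.

Added example for this page; not SNUGRIDE code and not Glexia/MITRE tooling.
Request records are constructed; the field names and thresholds are assumptions.
Encrypted bodies are simulated with a seeded PRNG (uniform bytes, as AES output
would look on the wire); no real key or sample is involved.
"""
from __future__ import annotations

import math
import random
import statistics
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

ENTROPY_THRESHOLD = 7.0   # bits per byte; compressed or encrypted data sits near 8
JITTER_THRESHOLD = 0.2    # coefficient of variation of inter-request gaps
MIN_REQUESTS = 4          # fewer requests give no usable timing signal


@dataclass
class PostRequest:
    ts: datetime
    host: str
    dest: str      # destination host:port as recorded by the proxy or sensor
    body: bytes


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 0.0 for a single repeated value, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def interval_jitter(times: list[datetime]) -> float:
    """Coefficient of variation of gaps between consecutive requests (0 = perfectly periodic)."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 2 or statistics.mean(gaps) == 0:
        return float("inf")
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def score_sessions(requests: list[PostRequest]) -> dict[tuple[str, str], dict]:
    """Group by (host, dest); report entropy, timing regularity and a verdict per session."""
    sessions: dict[tuple[str, str], list[PostRequest]] = {}
    for req in requests:
        sessions.setdefault((req.host, req.dest), []).append(req)
    report = {}
    for key, reqs in sessions.items():
        reqs.sort(key=lambda r: r.ts)
        mean_entropy = statistics.mean(shannon_entropy(r.body) for r in reqs)
        jitter = interval_jitter([r.ts for r in reqs])
        reasons = []
        # Plain HTTP should carry readable bodies; near-8-bit entropy on port 80 is the oddity.
        if mean_entropy >= ENTROPY_THRESHOLD and key[1].endswith(":80"):
            reasons.append("high-entropy body over plain HTTP")
        if len(reqs) >= MIN_REQUESTS and jitter <= JITTER_THRESHOLD:
            reasons.append("periodic POSTs")
        verdict = {0: "ok", 1: "review", 2: "alert"}[len(reasons)]
        report[key] = {"requests": len(reqs),
                       "mean_entropy": round(mean_entropy, 2),
                       "jitter": round(jitter, 3) if math.isfinite(jitter) else None,
                       "reasons": reasons, "verdict": verdict}
    return report


_rng = random.Random(1337)  # deterministic stand-in for ciphertext bytes
T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_REQUESTS = [  # constructed traffic, not a capture of real malware
    # WS01: six POSTs about 60 s apart with 1 KiB of uniform bytes each, to port 80.
    PostRequest(T0 + timedelta(seconds=60 * i + (i % 2)), "WS01", "203.0.113.10:80",
                bytes(_rng.getrandbits(8) for _ in range(1024)))
    for i in range(6)
] + [
    # WS02: an intranet web app with form-encoded bodies at irregular times.
    PostRequest(T0 + timedelta(seconds=s), "WS02", "intranet.example:80", body)
    for s, body in ((5, b"user=bob&action=view&page=1"),
                    (17, b"user=bob&action=edit&doc=42&title=Q1+report"),
                    (140, b"user=bob&action=save&doc=42"),
                    (600, b"user=bob&action=logout"))
]

if __name__ == "__main__":
    for (host, dest), row in score_sessions(SAMPLE_REQUESTS).items():
        print(f"{host} -> {dest}: {row['verdict']:6} entropy={row['mean_entropy']} "
              f"jitter={row['jitter']} reasons={row['reasons']}")
```

Two caveats a practitioner would add. Compressed uploads also score near 8 bits per byte, so the entropy reason is a prompt to check destination reputation and the originating process, not a verdict on its own; and a static key cuts both ways: once the key and cipher mode are recovered from a sample, retained captures of the flagged sessions can be decrypted offline, which is a reason to keep full packet data for sessions that reach "alert".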

Associated objects

Groups, software, and campaigns

Group Enterprise

G0045: menuPass

menuPass is a threat group that has been active since at least 2006. Individual members of menuPass are known to have acted in association with the Chinese Ministry of State Security's (MSS) Tianjin State Security Bureau and worked for the Huaying Haitai Science and Technology Development Company.[1][2]

menuPass has targeted healthcare, defense, aerospace, finance, maritime, biotechnology, energy, and government sectors globally, with an emphasis on Japanese organizations. In 2016 and 2017, the group is known to have targeted managed IT service providers (MSPs), manufacturing and mining companies, and a university.[3][4][5][6][7][1][2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created: (empty in the mirrored snapshot)
Modified: (empty in the mirrored snapshot)
Raw hash: dba3e74c1797a55a...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (empty) | 1.1 | (empty) | Current bundle | dba3e74c1797…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] FireEye APT10 April 2017: FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017.
  2. [2] SNUGRIDE (object description; cites FireEye APT10 April 2017).
  3. [3] mitre-attack S0159 (ATT&CK external reference for this object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.