S0170: Helminth
Analyst context for executives and security teams
Helminth matters because ATT&CK describes it as a Windows backdoor with both macro-delivered VBScript/PowerShell and standalone executable variants. For leaders, the practical issue is not just one malware family: it represents a pattern where office-document execution, Windows scripting, persistence, credential collection, local discovery, data staging, and web/DNS command-and-control can combine into a longer-running intrusion.
Executive priority
Prioritize Helminth as a coverage validation use case for Windows endpoint resilience, macro/script governance, persistence monitoring, and egress visibility. ATT&CK also links Helminth to OilRig, a group described as targeting sectors including financial, government, energy, chemical, and telecommunications and using trust relationships in supply chain attacks; this should drive questions about third-party access, incident response readiness, and whether audit evidence proves monitoring across endpoint, identity, and network layers.
Technical view
SOC and IR teams should validate detections around the supplied Windows behaviors: Excel macro execution leading to VBScript or PowerShell, command shell activity, scheduled tasks, Run key/startup folder persistence, shortcut modification, process and group discovery, keylogging/clipboard collection indicators, local data staging, tool transfer, and encoded/encrypted web or DNS command-and-control. No official ATT&CK detection text is provided for Helminth, so coverage should be built from the related techniques rather than malware-name matching alone.
Likely telemetry
- Windows process creation telemetry, including parent-child relationships from Excel to script interpreters, PowerShell, cmd, or executables
- PowerShell script block, module, and command-line logging where enabled
- Windows scheduled task creation/modification events
- Registry Run key and startup folder change events
- Shortcut file creation or modification in startup locations
Detection direction
- Do not rely only on Helminth signatures; validate behavior-based detections mapped to the ATT&CK relationships.
- Tune for Office-to-script execution chains, especially Excel spawning VBScript, PowerShell, cmd, or unknown executables, while accounting for legitimate administrative macros.
- Correlate persistence changes with nearby script execution, new binaries, command shell activity, or outbound network connections.
- Review web and DNS egress detections for encoded, encrypted, or unusual beacon-like traffic, recognizing that web/DNS protocols are common and can generate false positives without endpoint context.
- Correlate collection behaviors such as keylogging, clipboard access, automated collection, and local staging with subsequent transfer or exfiltration-size-limit patterns.
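The telemetry and detection direction above can be turned into a small correlation rule: flag Excel (or another Office application) spawning a script interpreter or shell, then raise severity when a Run key, startup-folder shortcut, or scheduled task appears on the same host within a short window. The following Python is an added example, not code from the page, from MITRE, or from the cited reports; the log lines are constructed Sysmon-style records, the field names (parent, image, key, path, name) are a simplified assumption rather than any vendor schema, and the ten-minute window is a tuning choice.

```python
"""Correlate Office-to-script execution chains with nearby persistence changes.

The log lines below are constructed, Sysmon-style records (not real telemetry),
and the field names are a simplified assumption rather than any vendor schema.
Format per line: ISO-timestamp|host|kind|key=value;key=value...
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List

OFFICE_PARENTS = {"excel.exe", "winword.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
# Persistence locations named on the page: Run keys, startup-folder shortcuts, scheduled tasks.
RUN_KEY_MARKERS = ("\\currentversion\\run", "\\currentversion\\runonce")
STARTUP_FOLDER_MARKER = "\\start menu\\programs\\startup\\"
WINDOW = timedelta(minutes=10)   # what counts as a "nearby" persistence change; tune per environment


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str               # process | registry | file | task
    detail: Dict[str, str]


def parse_events(lines: List[str]) -> List[Event]:
    """Parse the constructed pipe-delimited format into Event objects."""
    events = []
    for line in lines:
        ts, host, kind, rest = line.split("|", 3)
        detail = dict(kv.split("=", 1) for kv in rest.split(";") if kv)
        events.append(Event(datetime.fromisoformat(ts), host, kind, detail))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_office_script_chain(ev: Event) -> bool:
    """Excel (or another Office app) directly spawning a script interpreter or shell."""
    return (ev.kind == "process"
            and basename(ev.detail.get("parent", "")) in OFFICE_PARENTS
            and basename(ev.detail.get("image", "")) in SCRIPT_HOSTS)


def is_persistence_change(ev: Event) -> bool:
    """Scheduled task creation, Run/RunOnce key write, or .lnk dropped in a Startup folder."""
    if ev.kind == "task":
        return True
    if ev.kind == "registry":
        key = ev.detail.get("key", "").lower()
        return any(marker in key for marker in RUN_KEY_MARKERS)
    if ev.kind == "file":
        path = ev.detail.get("path", "").lower()
        return STARTUP_FOLDER_MARKER in path and path.endswith(".lnk")
    return False


def correlate(events: List[Event]) -> List[dict]:
    """One alert per Office->script chain; severity rises when persistence changes land nearby on the same host."""
    persistence = [e for e in events if is_persistence_change(e)]
    alerts = []
    for chain in filter(is_office_script_chain, events):
        nearby = [p for p in persistence
                  if p.host == chain.host and abs(p.ts - chain.ts) <= WINDOW]
        alerts.append({
            "host": chain.host,
            "severity": "high" if nearby else "medium",
            "chain": f"{basename(chain.detail['parent'])} -> {basename(chain.detail['image'])}",
            "persistence": [
                f"{p.kind}:{p.detail.get('key') or p.detail.get('path') or p.detail.get('name')}"
                for p in nearby
            ],
        })
    return alerts


# Constructed sample log: WS01 shows the full chain plus two persistence changes,
# WS02 shows the chain alone, WS03 shows administrator activity with no Office parent.
SAMPLE_LOG = [
    "2016-05-10T09:00:00|WS01|process|parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE;image=C:\\Windows\\System32\\wscript.exe;cmdline=wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.vbs",
    "2016-05-10T09:02:30|WS01|registry|key=HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run;value=update;data=wscript.exe C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.vbs",
    "2016-05-10T09:03:10|WS01|file|path=C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "2016-05-10T10:15:00|WS02|process|parent=C:\\Program Files\\Microsoft Office\\EXCEL.EXE;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell.exe -File C:\\Users\\asmith\\AppData\\Local\\Temp\\report.ps1",
    "2016-05-10T11:00:00|WS03|task|name=\\Backup\\Nightly;action=C:\\Tools\\backup.exe",
    "2016-05-10T11:05:00|WS03|process|parent=C:\\Windows\\explorer.exe;image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe;cmdline=powershell.exe Get-Process",
]

if __name__ == "__main__":
    for alert in correlate(parse_events(SAMPLE_LOG)):
        print(alert)
```

The chain alone (WS02) is kept at medium severity because legitimate administrative macros do launch PowerShell; the scheduled task on WS03 produces nothing on its own, since persistence without an Office-to-script parent is routine administration. In production the same logic would run over EDR or Sysmon events rather than the constructed lines, and the interpreter and Office lists would be extended to match the environment.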
Mitigation priorities
- Reduce macro and script execution risk on Windows endpoints, especially for Excel-delivered content.
- Harden and monitor PowerShell, Windows Command Shell, VBScript, scheduled tasks, Run keys, startup folders, and shortcut-based startup locations.
- Apply least privilege and review local/domain group exposure so discovery of privileged groups is less useful to an intruder.
- Strengthen egress controls and monitoring for HTTP/S and DNS command-and-control, including encoded or encrypted traffic where feasible.
- Ensure endpoint controls collect enough process, registry, file, script, and network context to support incident response reconstruction.
Analyst notes and limits
The object’s own ATT&CK tactics are not specified, but many technique relationships are supplied and provide practical detection and mitigation direction. The official description supports Windows, Excel macro delivery, VBScript, PowerShell, and standalone executable variants. The OilRig relationship provides context for prioritization, but local evidence is required before making attribution or exposure claims.
Official Helminth detection guidance is not provided in the supplied ATT&CK fields. The supplied source is a 2016 Palo Alto Networks reference plus ATT&CK relationships; this take does not assert current exploitation, prevalence, customer exposure, or guaranteed detection. Environment-specific logging, control configuration, and business process context are required to determine real coverage.
Helminth
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Helminth has used a scheduled task for persistence. (Citation: ClearSky OilRig Jan 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared. (Citation: ClearSky OilRig Jan 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | The Helminth config file is encrypted with RC4. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Helminth establishes persistence by creating a shortcut in the Start Menu folder. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Helminth encrypts data sent to its C2 server over HTTP with RC4. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | Helminth establishes persistence by creating a shortcut. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1071.004 | DNS Sub-technique | Helminth can use DNS for C2. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Helminth can use HTTP for C2. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1059.001 | PowerShell Sub-technique | One version of Helminth uses a PowerShell script. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | One version of Helminth consists of VBScript scripts. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1056.001 | Keylogging Sub-technique | The executable version of Helminth has a module to log keystrokes. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1105 | Ingress Tool Transfer | Helminth can download additional files. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1115 | Clipboard Data | The executable version of Helminth has a module to log clipboard contents. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1069.001 | Local Groups Sub-technique | Helminth has checked the local administrators group. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands |
| Enterprise | T1119 | Automated Collection | A Helminth VBScript receives a batch script to execute a set of commands in a command prompt. (Citation: Palo Alto OilRig May 2016) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1030 | Data Transfer Size Limits | Helminth splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server. (Citation: Palo Alto OilRig May 2016) |
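The T1030 and T1071.004 rows, together with the egress-review item under Detection direction, describe the pattern a DNS log reviewer is looking for: many unique subdomain labels under one registrable domain, each label long and drawn from an encoding alphabet, because a 23-byte chunk has to be carried inside one query name. The Python below is an added example and not code from the page, from MITRE, or from the cited reports. The query log is constructed, the domain is an obvious placeholder, and the hex encoding used to build the sample is an assumption for illustration (the page states only that chunks are sent in DNS queries, with T1132.001 listed without detail).

```python
"""Heuristic review of DNS query logs for chunked, encoded subdomain traffic.

Constructed query log (client IP, queried name); no real domains or telemetry.
The hex encoding used to build the sample is an assumption for illustration;
the page only states that data is split into chunks of up to 23 bytes per query.
"""
import math
import re
from collections import defaultdict

# Hex or base32-style labels; weak on its own, so it is combined with count and length below.
ENCODED_ALPHABET = re.compile(r"^(?:[0-9a-f]+|[a-z2-7]+=*)$")
CHUNK_BYTES = 23      # per-query payload size stated on the page
MAX_LABEL = 63        # RFC 1035 label length limit; 23 bytes hex-encoded is 46 characters


def chunk_to_labels(data: bytes, chunk: int = CHUNK_BYTES):
    """Split bytes into fixed-size chunks and hex-encode each; used only to build the sample."""
    labels = [data[i:i + chunk].hex() for i in range(0, len(data), chunk)]
    # 2 * 23 = 46 <= 63, so every label fits in a single DNS label.
    return [label for label in labels if len(label) <= MAX_LABEL]


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(qname: str) -> str:
    """Naive two-label suffix; a real deployment would consult the Public Suffix List."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def analyze_queries(queries, min_unique=20, min_label_len=20, min_alphabet_fraction=0.9):
    """Group leftmost labels per (client, domain) and flag groups that look like chunked payloads."""
    groups = defaultdict(list)
    for client, qname in queries:
        parts = qname.rstrip(".").split(".")
        if len(parts) <= 2:
            continue                      # apex query, no subdomain to carry a payload
        groups[(client, registrable_domain(qname))].append(parts[0].lower())

    findings = []
    for (client, domain), labels in groups.items():
        uniq = set(labels)
        if len(uniq) < min_unique:
            continue                      # ordinary hostnames repeat; chunked data does not
        avg_len = sum(map(len, uniq)) / len(uniq)
        enc_fraction = sum(1 for l in uniq if ENCODED_ALPHABET.match(l)) / len(uniq)
        if avg_len >= min_label_len and enc_fraction >= min_alphabet_fraction:
            findings.append({
                "client": client,
                "domain": domain,
                "queries": len(labels),
                "unique_labels": len(uniq),
                "avg_label_len": round(avg_len, 1),
                "avg_entropy": round(sum(shannon_entropy(l) for l in uniq) / len(uniq), 2),
            })
    return findings


def build_sample_log():
    """Constructed log: routine lookups from one client, chunked hex labels from another."""
    legit = [("10.0.0.7", name) for name in
             ["www.example.com", "mail.example.com", "cdn.example.com"] * 5]
    staged = b"".join(f"constructed line {i:03d} of staged output\n".encode() for i in range(30))
    exfil = [("10.0.0.5", f"{label}.c2-placeholder.example")
             for label in chunk_to_labels(staged)]
    return legit + exfil


if __name__ == "__main__":
    for finding in analyze_queries(build_sample_log()):
        print(finding)
```

The thresholds are deliberately conservative: twenty unique labels of twenty or more characters, almost all from an encoding alphabet, is rare for ordinary hostnames but routine for chunked payloads. Content delivery networks and some security products also generate long, encoded-looking labels, which is why the page pairs DNS review with endpoint context rather than treating it as a stand-alone verdict.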
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a128767e59c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto OilRig May 2016: Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- [2] Helminth (Citation: Palo Alto OilRig May 2016)
- [3] mitre-attack S0170
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.