S0185: SEASHARPEE
SEASHARPEE is a Web shell that has been used by OilRig. [1]
Analyst context for executives and security teams
SEASHARPEE matters because it represents web-shell-based access on Windows web infrastructure: a small server-side foothold can become a durable gateway for command execution, file transfer, and follow-on activity that complicates response. The ATT&CK record is sparse, but the relationships show that defenders should treat this as a web server persistence and post-compromise validation problem, not just a malware-name matching exercise.
Executive priority
Prioritize confirming whether internet-facing or business-critical Windows web servers have sufficient logging, file integrity visibility, and incident response playbooks for web shell scenarios. This behavior can affect operational resilience because compromised web servers may provide persistent access and a path for additional tooling. For audit and risk owners, the key question is whether the organization can produce evidence of web server change monitoring, command execution review, and investigation readiness for suspicious web-accessible scripts.
Technical view
ATT&CK identifies SEASHARPEE as a Windows web shell used by OilRig and relates it to Web Shell persistence, Windows Command Shell execution, Ingress Tool Transfer, and Timestomp. SOC and IR teams should validate visibility across web server content changes, web request logs, process creation from web service contexts, suspicious command shell use, externally sourced file writes, and file timestamp anomalies. Because no official ATT&CK detection text is provided, detections should be built around the related techniques and local web stack baselines rather than relying on this malware name alone.
Likely telemetry
- Windows web server access logs and error logs
- File creation, modification, and deletion events in web-accessible directories
- File integrity monitoring for web roots and application directories
- Windows process creation telemetry, especially command shell activity spawned by web service processes
- Network telemetry showing inbound web requests and outbound connections or downloads from web servers
Detection direction
- Validate alerts for new or modified scripts in web-accessible paths, especially where changes are not tied to approved deployment activity.
- Tune for command shell execution initiated by web server or application pool service accounts, while accounting for legitimate administrative scripts and deployment tooling.
- Review web request patterns that interact with unusual or newly created server-side files; avoid relying only on known filenames or signatures.
- Correlate suspicious file writes with outbound transfer activity from the same server to support Ingress Tool Transfer hypotheses.
- Include timestamp anomaly review in triage, since the related Timestomp technique indicates file times may be manipulated to blend with existing content.
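The following triage script is an added example, not code from the ATT&CK record or from Glexia, showing three of the directions above as concrete checks over constructed telemetry: command shells spawned from a web service process, script writes under a web root outside an approved deployment window, and $STANDARD_INFORMATION versus $FILE_NAME creation-time mismatches as a Timestomp lead. It assumes an IIS stack (w3wp.exe as the worker process, the default wwwroot path) and event shapes normalised from sources such as Sysmon or the Security log; all hostnames, paths, accounts and times are made up.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumptions for this example: an IIS web stack (w3wp.exe is the IIS worker
# process) with the default web root. Adjust both sets for your servers.
WEB_SERVICE_PROCESSES = {"w3wp.exe"}
SHELL_PROCESSES = {"cmd.exe", "powershell.exe"}
WEB_SCRIPT_EXTENSIONS = (".aspx", ".asp", ".ashx", ".asmx")
WEB_ROOTS = ("c:\\inetpub\\wwwroot\\",)


@dataclass(frozen=True)
class ProcessEvent:          # normalised process-creation record (e.g. Sysmon EID 1, Security 4688)
    time: datetime
    host: str
    parent_image: str
    image: str
    user: str


@dataclass(frozen=True)
class FileEvent:             # normalised file-change record from FIM or Sysmon EID 11
    time: datetime
    host: str
    path: str
    action: str              # "create", "modify" or "delete"
    user: str


@dataclass(frozen=True)
class MftTimestamps:         # per-file $MFT creation times as exported by a forensic tool
    path: str
    si_created: datetime     # $STANDARD_INFORMATION: settable through ordinary file APIs
    fn_created: datetime     # $FILE_NAME: kernel-maintained, not exposed to those APIs


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def shell_from_web_context(events):
    """Command shells whose parent is a web service process."""
    return [e for e in events
            if basename(e.parent_image) in WEB_SERVICE_PROCESSES
            and basename(e.image) in SHELL_PROCESSES]


def unapproved_web_writes(events, deployment_windows):
    """Server-side scripts created or modified under a web root outside every
    approved deployment window; windows are (host, start, end) tuples."""
    flagged = []
    for e in events:
        path = e.path.lower()
        if (e.action == "delete" or not path.startswith(WEB_ROOTS)
                or not path.endswith(WEB_SCRIPT_EXTENSIONS)):
            continue
        if not any(h == e.host and start <= e.time <= end
                   for h, start, end in deployment_windows):
            flagged.append(e)
    return flagged


def timestamp_anomalies(records):
    """$SI creation earlier than $FN creation. Timestomping tools typically
    rewrite $SI only, so $FN keeps the true creation time; archive extraction
    and backup restores can look the same, so hits are triage leads, not proof."""
    return [r for r in records if r.si_created < r.fn_created]


def triage(process_events, file_events, deployment_windows, mft_records):
    """Run the three checks and return the leads keyed by check name."""
    return {
        "shell_from_web_context": shell_from_web_context(process_events),
        "unapproved_web_writes": unapproved_web_writes(file_events, deployment_windows),
        "timestamp_anomalies": timestamp_anomalies(mft_records),
    }


# Constructed sample telemetry for one server, "web01"; none of it is real data.
T = datetime
W3WP = r"C:\Windows\System32\inetsrv\w3wp.exe"
APPPOOL = r"IIS APPPOOL\DefaultAppPool"
SAMPLE_PROCESS_EVENTS = [
    ProcessEvent(T(2017, 12, 20, 3, 14), "web01", W3WP, r"C:\Windows\System32\cmd.exe", APPPOOL),
    ProcessEvent(T(2017, 12, 20, 3, 15), "web01", W3WP,            # ASP.NET compile, not a shell
                 r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe", APPPOOL),
    ProcessEvent(T(2017, 12, 20, 9, 0), "web01", r"C:\Windows\explorer.exe",  # interactive admin
                 r"C:\Windows\System32\cmd.exe", r"CORP\webadmin"),
]
DEPLOYMENT_WINDOWS = [("web01", T(2017, 12, 19, 22, 0), T(2017, 12, 19, 23, 0))]
SAMPLE_FILE_EVENTS = [
    FileEvent(T(2017, 12, 19, 22, 30), "web01", r"C:\inetpub\wwwroot\app\Default.aspx", "modify", r"CORP\deploy"),
    FileEvent(T(2017, 12, 20, 3, 13), "web01", r"C:\inetpub\wwwroot\images\helper.aspx", "create", APPPOOL),
    FileEvent(T(2017, 12, 20, 3, 13), "web01", r"C:\inetpub\wwwroot\images\logo.png", "create", APPPOOL),
]
SAMPLE_MFT = [
    MftTimestamps(r"C:\inetpub\wwwroot\images\helper.aspx", T(2015, 6, 1, 12, 0), T(2017, 12, 20, 3, 13)),
    MftTimestamps(r"C:\inetpub\wwwroot\app\Default.aspx", T(2017, 12, 19, 22, 30), T(2017, 12, 19, 22, 30)),
]

if __name__ == "__main__":
    for name, hits in triage(SAMPLE_PROCESS_EVENTS, SAMPLE_FILE_EVENTS, DEPLOYMENT_WINDOWS, SAMPLE_MFT).items():
        print(name, [getattr(h, "path", None) or h.image for h in hits])
```

Run as-is, the script reports one lead per check on the sample data: the cmd.exe child of w3wp.exe (the csc.exe compile and the interactive admin shell are not flagged), the helper.aspx write outside the deployment window (the in-window Default.aspx change and the non-script logo.png are not), and the helper.aspx record whose $SI creation predates its $FN creation. Correlating the three on one host and a narrow time window is what turns them from noise into an Ingress Tool Transfer and Web Shell hypothesis worth opening a case on.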
Mitigation priorities
- Inventory and prioritize monitoring for internet-facing and high-value Windows web servers.
- Restrict and review write permissions to web roots and application directories, especially for service accounts and deployment paths.
- Maintain approved deployment baselines so unauthorized web-accessible files can be identified quickly.
- Harden logging for web server activity, process creation, file changes, and network egress from web servers.
- Prepare IR procedures for web shell containment, including server isolation decisions, file timeline preservation, credential review, and validation of adjacent systems.
Analyst notes and limits
The strongest decision value comes from the ATT&CK relationships: SEASHARPEE is described as a web shell, and related techniques point to persistence through Web Shell, execution through Windows Command Shell, tool transfer, and timestamp manipulation. This supports a defensive focus on web server integrity, command execution from web contexts, and timeline-based investigation. The OilRig relationship is relevant for threat intelligence enrichment but should not be used by itself to attribute activity.
The official ATT&CK object does not provide detection guidance, aliases, labels, or malware-level tactics. The malware platform is Windows, while some related techniques list additional platforms; this take does not extend SEASHARPEE beyond Windows. Local web technology, logging depth, deployment practices, and endpoint telemetry availability are required to determine actual exposure or coverage.
SEASHARPEE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | SEASHARPEE can download remote files onto victims. [1] |
| Enterprise | T1070.006 | Timestomp (sub-technique) | SEASHARPEE can timestomp files on victims using a Web shell. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SEASHARPEE can execute commands on victims. [1] |
| Enterprise | T1505.003 | Web Shell (sub-technique) | SEASHARPEE is a Web shell. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 91f8936c079f… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT34 Webinar Dec 2017: Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. (Open source URL)
[2] SEASHARPEE (Citation: FireEye APT34 Webinar Dec 2017)
[3] mitre-attack S0185 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.