
S0254: PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. [1]

Enterprise | S0254 | Malware | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

PLAINTEE is a Windows malware sample associated in ATT&CK with Rancor, a group described as conducting targeted campaigns in Southeast Asia. Its value for defenders is less about a single malware name and more about the behaviors ATT&CK links to it: process, network and system discovery (tasklist, ipconfig /all, OS version checks), command execution through cmd.exe, Registry modification and persistence through a RunOnce key written with reg add, UAC bypass in an older variant, download and execution of additional plugins, and C2 beacons obfuscated with XOR (mapped in ATT&CK to T1573.001). For leaders, this is a useful test case for whether Windows endpoint visibility and response playbooks can catch a targeted intrusion after initial access, before persistence and follow-on tooling become durable.

Executive priority

Prioritize this as a resilience and readiness question: can the organization prove it collects enough Windows endpoint, registry, privilege-elevation, and outbound network evidence to investigate a targeted malware intrusion? Organizations with operations, partners, or executive exposure connected to Southeast Asia may find the Rancor context more relevant, but ATT&CK does not provide evidence here of current activity or direct exposure. The business decision is whether SOC, IR, and audit teams can demonstrate control coverage for discovery, persistence, privilege escalation, ingress tool transfer, and encrypted C2 behaviors rather than relying on malware-family signatures alone.

Technical view

ATT&CK provides no official detection text for PLAINTEE, so coverage should be validated through the related techniques. On Windows systems, detection engineering should test visibility for cmd.exe execution from unexpected parent processes, discovery command clusters (tasklist, ipconfig /all, OS version queries), ingress and execution of additional plugins from external systems, reg add writes to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce and other Registry modifications, UAC bypass indicators, and outbound traffic that is opaque without being TLS. The procedure text says the beacons are XOR-encoded, not TLS-encrypted, so high-entropy payloads on protocols that should carry readable content are a more useful signal than TLS inspection. IR teams should treat any confirmed PLAINTEE-like activity as requiring host triage for persistence locations, recently transferred tools, process lineage, user privilege context, and outbound communications. The Rancor relationship adds context for targeted campaigns and malicious-document lure tradecraft, but the supplied object does not provide full initial-access details.

Likely telemetry

  • Windows endpoint process creation events with command line, parent/child process lineage, user context, and integrity level where available
  • Command shell activity, especially cmd.exe execution tied to discovery, staging, or persistence actions
  • Registry auditing or EDR telemetry for Run Keys, startup locations, and other Registry modifications
  • Privilege-elevation and UAC-related events, including elevated process creation and changes in execution context
  • File creation, download, quarantine, and transfer telemetry for tools or payloads introduced after compromise

Detection direction

  • Do not depend only on a PLAINTEE malware signature; validate behavior-based detections mapped to T1059.003, T1112, T1547.001, T1548.002, T1105, T1573.001, T1016, T1057, and T1082.
  • Tune Windows command-shell detections around suspicious parent processes, unusual user context, discovery command clusters, and command execution followed by Registry or network activity.
  • Monitor Registry Run Key and Startup Folder changes with allowlisting for legitimate software installers and administrative tools to reduce false positives.
  • Correlate UAC bypass-relevant privilege changes with suspicious process lineage and subsequent persistence or tool-transfer behavior rather than alerting on elevation alone.
  • Review outbound network monitoring for opaque sessions from unusual processes, rare destinations, or endpoints that also show discovery and persistence activity. Because the beacons are XOR-encoded rather than TLS-encrypted, look for high-entropy payloads on protocols that should carry readable content, not only for encrypted sessions.
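One way to implement the correlation described in the detection direction above, as an added example that is not part of the original page and is not Glexia's, MITRE's or the Unit 42 report's code: a Python pass over constructed Sysmon-style process-creation and registry events that tags each event with the ATT&CK technique its content matches and alerts only when one host shows two or more discovery techniques together with a Run/RunOnce write inside a 120-second window. The command patterns come from the procedure text in the relationship table (tasklist, ipconfig /all, reg add to RunOnce, cmd.exe); the event field names, host names, file paths, the parent-process allowlist and the window length are assumptions.

```python
"""Behavior-based detection over constructed Windows endpoint events.

Added example; not code from the ATT&CK object, Glexia, or the Unit 42 report.
The records below are constructed to resemble Sysmon EventID 1 (process
creation) and EventID 13 (registry value set) telemetry. Field names, host
names, file paths, the parent allowlist and the 120-second window are assumed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery commands the ATT&CK relationships attribute to PLAINTEE. Each
# distinct technique seen inside one window counts toward a cluster.
DISCOVERY = {
    "T1057": re.compile(r"\btasklist(\.exe)?\b", re.I),            # Process Discovery
    "T1016": re.compile(r"\bipconfig(\.exe)?\b.*\s/all\b", re.I),  # Network config discovery
    "T1082": re.compile(r"\b(systeminfo|ver)\b", re.I),            # System info discovery
}
# T1547.001 / T1112: Run or RunOnce writes, via reg.exe or a direct registry set.
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?(\\|$)", re.I)
REG_ADD = re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run(Once)?\b", re.I)
# Parents that routinely spawn cmd.exe; a SOC tunes this allowlist (assumed values).
BENIGN_SHELL_PARENTS = {"explorer.exe", "code.exe", "conhost.exe"}
WINDOW = timedelta(seconds=120)


def basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Map one event to the ATT&CK technique IDs its content matches."""
    tags = set()
    if event["type"] == "process":
        cmd = event["cmdline"]
        for tech, pat in DISCOVERY.items():
            if pat.search(cmd):
                tags.add(tech)
        if REG_ADD.search(cmd):
            tags.add("T1547.001")
        if basename(event["image"]) == "cmd.exe" and basename(event["parent"]) not in BENIGN_SHELL_PARENTS:
            tags.add("T1059.003")
    elif event["type"] == "registry" and RUN_KEY.search(event["target"]):
        tags.add("T1547.001")
    return tags


def detect(events, window=WINDOW):
    """Per host, slide a window over tagged events and alert when at least two
    distinct discovery techniques and a Run/RunOnce write fall inside it.
    Any single tag on its own is routine admin noise; the cluster is the signal."""
    hits = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        tags = classify(e)
        if tags:
            hits[e["host"]].append((datetime.fromisoformat(e["ts"]), tags))
    alerts = []
    for host, seq in hits.items():
        for i, (t0, _) in enumerate(seq):
            seen = set()
            for t, tags in seq[i:]:
                if t - t0 > window:
                    break
                seen |= tags
            if len(seen & set(DISCOVERY)) >= 2 and "T1547.001" in seen:
                alerts.append({"host": host, "start": t0.isoformat(), "techniques": sorted(seen)})
                break  # one alert per host is enough to open triage
    return alerts


# Constructed telemetry: WS-101 is a benign admin session; WS-102 shows the
# PLAINTEE-like sequence (shell from an odd parent, discovery, RunOnce write).
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS-101", "ts": "2024-05-01T09:00:00",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"type": "process", "host": "WS-101", "ts": "2024-05-01T09:00:05",
     "image": r"C:\Windows\System32\ipconfig.exe", "parent": r"C:\Windows\System32\cmd.exe", "cmdline": "ipconfig /all"},
    {"type": "process", "host": "WS-102", "ts": "2024-05-01T10:12:00",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "cmdline": "cmd.exe /c tasklist"},
    {"type": "process", "host": "WS-102", "ts": "2024-05-01T10:12:03",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Users\alice\AppData\Local\Temp\svchost.exe",
     "cmdline": "cmd.exe /c ipconfig /all"},
    {"type": "process", "host": "WS-102", "ts": "2024-05-01T10:12:40",
     "image": r"C:\Windows\System32\reg.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce /v Updater /d "C:\Users\alice\AppData\Local\Temp\svchost.exe"'},
    {"type": "registry", "host": "WS-102", "ts": "2024-05-01T10:12:40",
     "target": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The benign host produces no alert even though it runs ipconfig /all from cmd.exe, which is the point of correlating rather than alerting on each technique; the allowlist and window length are the two knobs a SOC would tune against its own baseline.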

Mitigation priorities

  • Reduce local administrator exposure and enforce least privilege so UAC bypass and Registry persistence have less operational value.
  • Harden and monitor Windows persistence locations, especially Registry Run Keys and Startup Folders, with change control and alerting.
  • Use application control or execution policy controls where feasible to limit unauthorized scripts, tools, and command-shell abuse.
  • Maintain endpoint protection and EDR coverage on Windows systems with process, Registry, file, and network telemetry enabled.
  • Apply egress filtering, proxy inspection policies, and DNS/network logging to make command-and-control and ingress tool transfer more observable.

Analyst notes and limits

The supplied ATT&CK object identifies PLAINTEE as Windows malware used by Rancor in targeted attacks in Singapore and Cambodia and links it to discovery, execution, persistence, privilege escalation, defense evasion, and command-and-control techniques. The most defensible Glexia takeaway is to use PLAINTEE as a control-validation scenario for targeted Windows intrusion behavior rather than as a standalone indicator list.

ATT&CK provides no official detection guidance, aliases, labels, or tactic list directly on the malware object. The relationship descriptions summarize techniques but do not provide concrete indicators, procedures, hashes, infrastructure, or current activity. Local telemetry, asset criticality, geography, and incident evidence are required to determine relevance and exposure.

Official MITRE ATT&CK definition

PLAINTEE

PLAINTEE is a malware sample that has been used by Rancor in targeted attacks in Singapore and Cambodia. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1082 | System Information Discovery
  PLAINTEE collects general system enumeration data about the infected machine and checks the OS version. [1]

Enterprise | T1112 | Modify Registry
  PLAINTEE uses reg add to add a Registry Run key for persistence. [1]

Enterprise | T1016 | System Network Configuration Discovery
  PLAINTEE uses the ipconfig /all command to gather the victim's IP address. [1]

Enterprise | T1548.002 | Bypass User Account Control (sub-technique of T1548)
  An older variant of PLAINTEE performs UAC bypass. [1]

Enterprise | T1057 | Process Discovery
  PLAINTEE performs the tasklist command to list running processes. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique of T1547)
  PLAINTEE gains persistence by adding the Registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce. [1]

Enterprise | T1573.001 | Symmetric Cryptography (sub-technique of T1573)
  PLAINTEE encodes C2 beacons using XOR. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique of T1059)
  PLAINTEE uses cmd.exe to execute commands on the victim's machine. [1]

Enterprise | T1105 | Ingress Tool Transfer
  PLAINTEE has downloaded and executed additional plugins. [1]
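The T1573.001 row above says only that PLAINTEE XOR-encodes its beacons; it gives no key or key length, and the detection direction earlier on this page notes that such traffic is opaque without being TLS. The following added example (not code from the page, from MITRE, or from the Unit 42 report) shows the two analyses an IR team would run on a captured beacon: a single-byte key scan ranked by how readable each candidate plaintext is, and known-plaintext key recovery from a crib with period detection to infer the key length when the key repeats. The beacon layout (hostname|user|os|ip), the key 0x5A and the crib are constructed assumptions.

```python
"""XOR-encoded beacon recovery. Added example, not from the ATT&CK object or
the Unit 42 report, which say only that PLAINTEE XOR-encodes its C2 beacons.
The sample beacon layout, the single-byte key 0x5A and the crib are assumptions."""
import string

# Bytes we expect in a readable beacon: letters, digits, space and the
# punctuation the constructed layout uses. Control bytes score zero.
READABLE = set((string.ascii_letters + string.digits + " .|-_:/").encode())


def xor_bytes(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating key. XOR is its own inverse, so the same
    call encodes a beacon and decodes a captured one."""
    if not key:
        raise ValueError("empty key")
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def readability(data: bytes) -> float:
    """Fraction of bytes that look like beacon text (1.0 means fully readable)."""
    return sum(b in READABLE for b in data) / max(len(data), 1)


def single_byte_scan(cipher: bytes):
    """Try all 256 single-byte keys; return (score, key, plaintext) tuples,
    best first. The caller decides whether the top candidate is convincing."""
    ranked = []
    for k in range(256):
        pt = xor_bytes(cipher, bytes([k]))
        ranked.append((readability(pt), k, pt))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


def key_from_crib(cipher: bytes, crib: bytes, offset: int = 0) -> bytes:
    """Known-plaintext recovery: if the beacon is believed to contain `crib` at
    `offset`, the key stream there is cipher XOR crib. For a repeating key the
    recovered stream repeats with the key length."""
    seg = cipher[offset:offset + len(crib)]
    return bytes(c ^ p for c, p in zip(seg, crib))


def key_period(stream: bytes) -> int:
    """Smallest period of a recovered key stream (1 for a single-byte key)."""
    for p in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return len(stream)


# Constructed sample: a host-profile beacon XORed with an assumed single-byte
# key. Neither the layout nor the key comes from the report.
ASSUMED_KEY = bytes([0x5A])
SAMPLE_PLAINTEXT = b"WS-102|alice|Windows 10|192.168.1.20"
SAMPLE_BEACON = xor_bytes(SAMPLE_PLAINTEXT, ASSUMED_KEY)


def recover(cipher: bytes = SAMPLE_BEACON, crib: bytes = b"WS-102"):
    """Return (best scan key, key stream from crib, key period, best plaintext)."""
    _score, k, pt = single_byte_scan(cipher)[0]
    stream = key_from_crib(cipher, crib)
    return k, stream, key_period(stream), pt


if __name__ == "__main__":
    k, stream, period, pt = recover()
    print(f"scan key=0x{k:02x} crib stream={stream.hex()} period={period} plaintext={pt!r}")
```

The scan is what you run with no prior knowledge; the crib method is what you run once one field (the hostname, a fixed header) is known from host triage, and its period tells you whether a single-byte scan was ever going to work. Neither is a real-time detection: the opaque-payload signal in the detection direction is what fires, and this is the follow-up an IR analyst does on the capture.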

Associated objects

Groups, software, and campaigns

Group Enterprise

G0075: Rancor

Rancor is a threat group that has led targeted campaigns against the South East Asia region. Rancor uses politically-motivated lures to entice victims to open malicious documents. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: f60c536c6cb9e670...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status         | Raw hash
19.1    |                 | 1.1            |          | Current bundle | f60c536c6cb9…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Rancor Unit42 June 2018
     Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Palo Alto Networks Unit 42. Retrieved July 2, 2018.

  2. [2] PLAINTEE
     ATT&CK object description for S0254, citing Rancor Unit42 June 2018.

  3. [3] mitre-attack S0254
     MITRE ATT&CK entry for this object on attack.mitre.org.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.