S0269: QUADAGENT
Analyst context for executives and security teams
QUADAGENT matters because it is a Windows PowerShell backdoor associated in ATT&CK with OilRig, and its mapped behaviors span execution, persistence, discovery, stealth, and command-and-control. For leaders, the decision value is less about this single malware name and more about whether the organization can see and contain PowerShell-driven intrusions that use scheduled tasks, registry activity, obfuscation, fileless storage, and web or DNS-based communications.
Executive priority
Prioritize this as a control-validation and readiness issue for Windows endpoint visibility, PowerShell governance, and outbound C2 monitoring. The relationship to OilRig, a group described by ATT&CK as targeting sectors including financial, government, energy, chemical, and telecommunications and using trust relationships in supply-chain-style activity, makes it relevant to operational resilience, third-party risk discussions, and incident response preparedness. Executives should ask whether SOC evidence can prove coverage for PowerShell execution, scheduled task persistence, registry changes, and suspicious DNS/HTTP traffic, rather than relying on malware signatures alone.
Technical view
ATT&CK does not provide a dedicated detection section for QUADAGENT, so defenders should validate coverage through the related techniques. On Windows, focus on PowerShell and command shell execution, Visual Basic execution, scheduled task creation or modification, registry query and modification, file deletion, command obfuscation, standard encoding, deobfuscation activity, fileless storage patterns, and C2 over web protocols, DNS, and fallback channels. Detection engineering should correlate host process/script telemetry with network egress behavior and persistence artifacts, because the mapped behavior suggests a backdoor that may blend administrative scripting with stealth and resilient communications.
Likely telemetry
- Windows process creation events for PowerShell, cmd.exe, Visual Basic/script hosts, schtasks, and registry utilities
- PowerShell script block, module, transcription, and command-line logging where enabled
- Windows Scheduled Task creation, modification, and execution logs
- Windows Registry access and modification telemetry, especially persistence-relevant keys and unusual query patterns
- Endpoint detection telemetry for file creation, deletion, encoded commands, obfuscated commands, and decode/deobfuscation utilities
Detection direction
- Validate behavior-based detections for PowerShell abuse rather than relying only on known QUADAGENT indicators.
- Correlate scheduled task activity with nearby PowerShell, command shell, registry modification, and outbound network connections.
- Tune for command obfuscation and standard encoding patterns, while accounting for legitimate administration scripts that may also use encoding or automation.
- Review DNS and web egress analytics for unusual destinations, fallback behavior, rare domains, abnormal request patterns, or encoded payload-like content, subject to local baseline.
- Hunt for registry query and modification sequences paired with fileless storage or persistence behavior.
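The correlation described above, as an added example that is not part of the original page or of any ATT&CK or Glexia tooling: it decodes PowerShell `-EncodedCommand` launches (UTF-16LE base64) and flags a host only when a scheduled task creation lands within a short window of such a launch and an HKCU registry write. All event records, host names, task names and key paths are constructed for the example; the event IDs follow standard Windows Security auditing (4688 process creation, 4698 scheduled task created, 4657 registry value modified).

```python
import base64
import binascii
import re
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs); values are made up.
ENC = base64.b64encode("$env:USERDOMAIN;$env:USERNAME".encode("utf-16-le")).decode()
EVENTS = [
    {"ts": "2024-05-01T09:00:10", "host": "ws01", "id": 4688,
     "cmd": f"powershell.exe -NoP -W Hidden -enc {ENC}"},
    {"ts": "2024-05-01T09:00:12", "host": "ws01", "id": 4657,
     "key": r"HKCU\Software\ExampleCheck"},
    {"ts": "2024-05-01T09:00:15", "host": "ws01", "id": 4698, "task": "ExampleCheck"},
    # Benign admin activity on ws02: a task plus a plain script file, no HKCU write.
    {"ts": "2024-05-01T11:30:00", "host": "ws02", "id": 4698, "task": "BackupNightly"},
    {"ts": "2024-05-01T11:31:00", "host": "ws02", "id": 4688,
     "cmd": r"powershell.exe -File C:\ops\backup.ps1"},
]

# Matches the common short forms PowerShell accepts for -EncodedCommand.
ENC_FLAG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def correlate(events, window_minutes=10):
    """Flag each task creation (T1053.005) that sits within the window of an encoded
    PowerShell launch (T1059.001/T1132.001) and an HKCU registry write (T1112/T1027.011)."""
    window = timedelta(minutes=window_minutes)
    when = lambda e: datetime.fromisoformat(e["ts"])
    findings = []
    for task in (e for e in events if e["id"] == 4698):
        near = [e for e in events if e["host"] == task["host"] and abs(when(e) - when(task)) <= window]
        decoded = [d for d in (decode_encoded_command(e["cmd"]) for e in near if e["id"] == 4688) if d]
        hkcu = [e["key"] for e in near if e["id"] == 4657 and e["key"].upper().startswith("HKCU\\")]
        if decoded and hkcu:
            findings.append({"host": task["host"], "task": task["task"], "decoded": decoded[0], "keys": hkcu})
    return findings


if __name__ == "__main__":
    for f in correlate(EVENTS):
        print(f)
```

Tune the window and add exclusions for known administrative scripts against your own baseline before deploying; the point is the joint condition, since each event alone is routine.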
Mitigation priorities
- Establish or validate PowerShell logging and constrained administrative use before relying on detections that require script visibility.
- Harden Windows persistence surfaces by monitoring and controlling scheduled task creation and sensitive Registry modification.
- Apply least privilege so routine users cannot create durable persistence or modify protected Registry locations unnecessarily.
- Restrict and monitor outbound DNS and web traffic through controlled resolvers, proxies, and egress points where feasible.
- Maintain endpoint visibility capable of capturing process, script, registry, scheduled task, and network context together.
Analyst notes and limits
The supplied ATT&CK object identifies QUADAGENT as a PowerShell backdoor used by OilRig and maps it to multiple techniques relevant to Windows execution, discovery, persistence, defense evasion, and command-and-control. The strongest defensive use is to test whether existing SOC and IR capabilities can detect the behaviors represented by those relationships. Local baselines are essential because PowerShell, scheduled tasks, registry access, DNS, and HTTP/S are common in normal administration.
ATT&CK provides no official detection text for this malware object, no aliases, and no object-level tactics. This take is derived from the official description, Windows platform field, external references, and the listed relationship mappings only. It does not assert current exploitation, customer exposure, guaranteed detection, or incident attribution.
QUADAGENT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1071.004 | DNS Sub-technique | QUADAGENT uses DNS for C2 communications. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | QUADAGENT uses HTTPS and HTTP for C2 communications. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | QUADAGENT encodes C2 communications with base64. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | QUADAGENT uses VBScripts. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1016 | System Network Configuration Discovery | QUADAGENT gathers the current domain the victim system belongs to. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | QUADAGENT was likely obfuscated using `Invoke-Obfuscation`. (Citation: Unit 42 QUADAGENT July 2018) (Citation: GitHub Invoke-Obfuscation) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | QUADAGENT uses cmd.exe to execute scripts and commands on the victim's machine. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | QUADAGENT used the PowerShell filenames |
| Enterprise | T1027.011 | Fileless Storage Sub-technique | QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as `HKCU\Office365DCOMCheck`) in the `HKCU` hive. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1070.004 | File Deletion Sub-technique | QUADAGENT has a command to delete its Registry key and scheduled task. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1012 | Query Registry | QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1059.001 | PowerShell Sub-technique | QUADAGENT uses PowerShell scripts for execution. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1008 | Fallback Channels | QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1112 | Modify Registry | QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1033 | System Owner/User Discovery | QUADAGENT gathers the victim username. (Citation: Unit 42 QUADAGENT July 2018) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | QUADAGENT creates a scheduled task to maintain persistence on the victim's machine. (Citation: Unit 42 QUADAGENT July 2018) |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 238fbe8908f1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Unit 42 QUADAGENT July 2018: Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018.
- [2] QUADAGENT (Citation: Unit 42 QUADAGENT July 2018)
- [3] mitre-attack S0269
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.