S0345: Seasalt
Analyst context for executives and security teams
Seasalt is a Windows malware entry in ATT&CK linked in reporting to APT1’s 2010 operations and noted as sharing code similarities with OceanSalt. Its decision value is less about a current campaign claim and more about validating whether the organization can recognize a Windows intrusion pattern that combines persistence, command execution, discovery, web-based command-and-control, tool transfer, masquerading, obfuscation, and cleanup.
Executive priority
Treat Seasalt as a coverage-validation use case for Windows endpoint resilience and SOC readiness. Leaders should ask whether security teams can prove visibility into service creation, Run key or Startup Folder persistence, suspicious command-shell activity, file and process discovery, inbound tool transfer, web-protocol command-and-control, and file deletion. Because ATT&CK provides no official detection text for this object, audit and risk conversations should focus on evidence of telemetry and tested detections rather than assuming named-malware coverage.
Technical view
For SOC, detection engineering, and IR teams, validate controls against the ATT&CK relationships for Seasalt: T1543.003 Windows Service, T1547.001 Registry Run Keys / Startup Folder, T1059.003 Windows Command Shell, T1057 Process Discovery, T1083 File and Directory Discovery, T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1036.004 Masquerade Task or Service, T1027.013 Encrypted/Encoded File, and T1070.004 File Deletion. Prioritize Windows host telemetry and network evidence that can connect persistence, execution, discovery, C2-like web traffic, transferred files, and cleanup into one investigation timeline.
Likely telemetry
- Windows service creation and modification records, including service name, display name, executable path, and account context
- Registry Run key and Startup Folder modification events
- Command shell process creation, parent-child process relationships, command-line arguments, and user context
- Process enumeration and file or directory discovery activity from endpoint telemetry
- File creation, modification, transfer, and deletion events on Windows hosts
Detection direction
- Do not rely only on malware names or signatures; ATT&CK does not provide official detection guidance for Seasalt in the supplied object.
- Correlate Windows persistence changes with nearby command-shell execution, discovery commands, web-protocol connections, and file transfer or deletion events.
- Tune for masqueraded services or tasks by comparing names, descriptions, paths, publishers, and expected administrative baselines; expect legitimate administration to create false positives.
- Review web traffic for unusual destinations, timing, user-agent patterns, or host processes where locally available, while recognizing that web protocols are common and noisy.
- Validate that encoded or encrypted file detections are contextualized with execution or persistence behavior, since benign encoded content can be common.
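The correlation the bullets above describe can be prototyped before it is ported to a SIEM. The following Python script is an added example, not part of the ATT&CK object or Glexia's analysis: it classifies normalized Windows host events into the behavior categories listed for Seasalt, slides a per-host time window over them, reports hosts whose window covers several distinct categories, and applies the T1036.004 check (a service display name that sounds like a Windows component but runs from outside trusted directories). The event field names, the trusted-directory baseline, the discovery tool list and the threshold values are assumptions; the sample events are constructed, and only the service name "SaSaut" and display name "System Authorization Service" come from this page.

```python
"""Correlate Windows host telemetry into a Seasalt-style behavior chain.

Added example, not ATT&CK or Glexia code. All events below are constructed;
field names loosely follow Sysmon / Security-log conventions and must be mapped
to your own SIEM schema. "SaSaut" / "System Authorization Service" are the
service and display names from this page's T1036.004 entry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Behavior categories mapped to the techniques listed on this page.
CATEGORIES = {
    "persistence_service": "T1543.003",
    "persistence_runkey": "T1547.001",
    "cmd_shell": "T1059.003",
    "discovery": "T1057/T1083",
    "web_c2": "T1071.001",
    "file_delete": "T1070.004",
}
TRUSTED_SERVICE_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\")  # assumed baseline
DISCOVERY_TOOLS = ("tasklist", "wmic process", "fsutil fsinfo")  # assumed, extend locally

def classify(event):
    """Map one normalized event to a behavior category, or None if irrelevant."""
    kind = event["type"]
    if kind == "service_install":  # System-log 7045-style record
        return "persistence_service"
    if kind == "registry_set" and "\\currentversion\\run" in event["key"].lower():
        return "persistence_runkey"
    if kind == "process_create":
        if any(tool in event.get("cmdline", "").lower() for tool in DISCOVERY_TOOLS):
            return "discovery"
        if event["image"].lower().endswith("\\cmd.exe"):
            return "cmd_shell"
    if kind == "network_connect" and event.get("dst_port") in (80, 443, 8080):
        return "web_c2"
    if kind == "file_delete":
        return "file_delete"
    return None

def masquerade_hints(event):
    """Flag a service whose display name suggests a Windows component while its
    binary runs from outside the trusted directories (the T1036.004 pattern)."""
    if event["type"] != "service_install":
        return []
    display = event.get("display_name", "").lower()
    path = event.get("image_path", "").lower().strip('"')
    if any(w in display for w in ("system", "windows", "microsoft")) \
            and not path.startswith(TRUSTED_SERVICE_DIRS):
        return [f"service '{event['service_name']}' ({event['display_name']}) "
                f"runs from {event['image_path']}"]
    return []

def correlate(events, window=timedelta(minutes=30), min_categories=3):
    """Per host, slide a window over classified events and report hosts whose
    window covers at least `min_categories` distinct behavior categories."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((ev["ts"], cat, ev))
    findings = []
    for host, items in by_host.items():
        for i, (start, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            cats = {c for _, c, _ in in_window}
            if len(cats) >= min_categories:
                findings.append({
                    "host": host,
                    "techniques": sorted(CATEGORIES[c] for c in cats),
                    "masquerade_hints": [h for _, _, ev in in_window for h in masquerade_hints(ev)],
                    "timeline": [(ts.isoformat(), c) for ts, c, _ in in_window],
                })
                break  # one finding per host is enough for triage
    return findings

T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"ts": T0, "host": "WS-042", "type": "service_install", "service_name": "SaSaut",
     "display_name": "System Authorization Service", "image_path": "C:\\Users\\Public\\svchost.exe"},
    {"ts": T0 + timedelta(seconds=30), "host": "WS-042", "type": "registry_set",
     "key": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SaSaut"},
    {"ts": T0 + timedelta(minutes=1), "host": "WS-042", "type": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS-042", "type": "process_create",
     "image": "C:\\Windows\\System32\\tasklist.exe", "cmdline": "tasklist /v"},
    {"ts": T0 + timedelta(minutes=3), "host": "WS-042", "type": "network_connect",
     "dst_ip": "198.51.100.20", "dst_port": 80},
    {"ts": T0 + timedelta(minutes=5), "host": "WS-042", "type": "file_delete",
     "target": "C:\\Users\\Public\\stage2.tmp"},
    # Routine administration elsewhere: only two categories, so no finding.
    {"ts": T0, "host": "ADMIN-01", "type": "service_install", "service_name": "BackupAgent",
     "display_name": "Backup Agent", "image_path": "C:\\Program Files\\Backup\\agent.exe"},
    {"ts": T0 + timedelta(minutes=10), "host": "ADMIN-01", "type": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    print(correlate(SAMPLE_EVENTS))
```

The threshold of three categories inside thirty minutes is deliberately the tunable part: the same correlation run with `min_categories=2` also flags the ADMIN-01 host, which is the false-positive pressure from legitimate administration that the bullets above warn about. The masquerade check is a hint attached to a finding rather than an alert on its own, because a system-sounding display name outside System32 is common for third-party agents.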
Mitigation priorities
- Establish and audit baselines for authorized Windows services, Run keys, Startup Folder entries, and administrative scripts.
- Harden permissions for service creation and registry persistence locations, limiting them to appropriate administrative roles.
- Ensure endpoint logging captures command-line activity, process ancestry, service changes, registry changes, and file operations needed for incident reconstruction.
- Monitor and control outbound web traffic through proxy, DNS, and firewall logging so C2 over web protocols can be investigated.
- Maintain incident-response playbooks that preserve volatile endpoint and network evidence before cleanup activity removes files or artifacts.
Analyst notes and limits
The supplied ATT&CK object identifies Seasalt as Windows malware linked to APT1’s 2010 operations and related by code similarity to OceanSalt. The most actionable content comes from the relationships to ATT&CK techniques, which describe the behaviors defenders should validate. This take intentionally frames Seasalt as a defensive coverage and readiness scenario, not as evidence of present activity.
Official ATT&CK detection content is not provided for Seasalt, and the malware object has no specified tactics. The supplied data does not include indicators, hashes, infrastructure, procedures, affected sectors, impact, or active exploitation claims. Local telemetry, asset context, and incident evidence are required before making exposure, attribution, or detection-coverage conclusions.
Seasalt
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell | Seasalt uses cmd.exe to create a reverse shell on the infected endpoint. [1] |
| Enterprise | T1083 | File and Directory Discovery | Seasalt has the capability to identify the drive type on a victim. [2] |
| Enterprise | T1071.001 | Web Protocols | Seasalt uses HTTP for C2 communications. [1] |
| Enterprise | T1057 | Process Discovery | Seasalt has a command to perform a process listing. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service | Seasalt has masqueraded as a service called "SaSaut" with a display name of "System Authorization Service" in an apparent attempt to masquerade as a legitimate service. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Seasalt has a command to download additional files. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File | Seasalt obfuscates configuration data. [1] |
| Enterprise | T1543.003 | Windows Service | Seasalt is capable of installing itself as a service. [1] |
| Enterprise | T1070.004 | File Deletion | Seasalt has a command to delete a specified file. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | Seasalt creates a Registry entry to ensure infection after reboot under |
Groups, software, and campaigns
G0006: APT1
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | b5f674885dba… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant APT1 Appendix. Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016.
[2] McAfee Oceansalt Oct 2018. Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018.
[3] Seasalt. (Citation: Mandiant APT1 Appendix)(Citation: McAfee Oceansalt Oct 2018)
[4] mitre-attack S0345
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.