S0457: Netwalker
Analyst context for executives and security teams
Netwalker matters because ATT&CK describes it as Windows fileless ransomware written in PowerShell and executed directly in memory. For leaders, the practical issue is not only ransomware impact; it is whether the organization can see and contain script-based, in-memory execution before encryption, service disruption, or recovery inhibition becomes a business-continuity event.
Executive priority
Prioritize validation of Windows endpoint visibility, PowerShell governance, recovery resilience, and incident-response playbooks. The related ATT&CK behaviors include execution through PowerShell, command shell, WMI, native APIs, and services; stealth through obfuscation, embedded payloads, decoding, and DLL injection; discovery of systems and security software; tool transfer and lateral movement; and impact through data encryption, service stopping, and inhibition of recovery. Executives should ask whether SOC and IR teams can produce evidence for these stages quickly, whether backups and recovery mechanisms are protected from endpoint-level tampering, and whether ransomware tabletop exercises include fileless and in-memory tradecraft.
Technical view
For SOC, detection engineering, and IR teams, treat this as a Windows ransomware behavior cluster centered on PowerShell and memory-resident execution. Validate collection and alerting for suspicious PowerShell execution, obfuscated command lines, WMI activity, cmd.exe usage, service-control abuse, registry modification, DLL or process injection indicators, tool transfer, lateral file movement, security-tool discovery or impairment, service stops, recovery inhibition, and file encryption activity. Because the ATT&CK object provides no official detection text, coverage should be proven through local telemetry tests, rule logic review, and incident-response evidence requirements rather than assumed from product capability.
Likely telemetry
- Windows process creation events with full command line for powershell.exe, cmd.exe, sc.exe, net.exe, reg.exe, WMI-related processes, and service execution paths
- PowerShell script block, module, transcription, and engine logs where enabled
- WMI activity logs and remote/local WMI execution traces
- Endpoint telemetry for memory injection, DLL loading, reflective or in-memory execution indicators, and Native API-related process behavior
- Windows service creation, modification, start, stop, and disable events
Detection direction
- Confirm Windows endpoint logging captures command lines and PowerShell content sufficiently to analyze obfuscation rather than relying only on executable names.
- Tune detections for suspicious combinations: PowerShell or cmd spawning WMI/service-control activity, registry changes, tool transfer, security-tool discovery, or recovery inhibition commands.
- Correlate stealth behaviors such as embedded payloads, command obfuscation, deobfuscation, and DLL injection with later ransomware-impact behaviors instead of treating each signal in isolation.
- Review false positives from legitimate administration: WMI, PowerShell, service control, and registry modification are common admin behaviors, so detections should use context such as parent process, user, host role, timing, encoded or obfuscated content, and unusual fan-out.
- Validate alerting for service stops, security-tool impairment, and recovery-control deletion as high-priority ransomware precursors or impact-stage events.
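As an added example (not code from the ATT&CK object, Glexia, or the cited reports), the following Python sketches the correlation logic the detection-direction list calls for: it decodes PowerShell -EncodedCommand content instead of trusting executable names, tags events with the ATT&CK techniques listed on this page, and rates a host "high" only when encoded PowerShell and an impact-stage child (shadow-copy deletion, service stop) of a script host coincide. The event field names, host names, service name and all sample events are constructed assumptions, not real telemetry.

```python
import base64
import re
from collections import defaultdict

ENC_FLAG = re.compile(r"(?i)\s-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe")  # parents that make impact commands suspicious

def decode_encoded_command(cmd):
    """UTF-16LE script behind -EncodedCommand, or None if absent or undecodable."""
    m = ENC_FLAG.search(cmd)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def rule_obfuscated_powershell(ev):
    """T1059.001+T1027.010: encoded PowerShell; a long hex run in the decoded script hints at T1027.009."""
    script = decode_encoded_command(ev["cmd"]) if ev["image"].lower() == "powershell.exe" else None
    if script is None:
        return None
    return "T1059.001+T1027.010" + ("+T1027.009" if re.search(r"[0-9a-fA-F]{32,}", script) else "")

def rule_recovery_inhibition(ev):
    """T1490 (via T1047 WMI or vssadmin): shadow copy deletion."""
    c = ev["cmd"].lower()
    return "T1490" if ("shadowcopy" in c and "delete" in c) or ("vssadmin" in c and "delete shadows" in c) else None

def rule_service_stop(ev):
    """T1489: services stopped or disabled from the command line."""
    return "T1489" if re.search(r"\b(?:net1?\s+stop|sc(?:\.exe)?\s+(?:stop|config\s+\S+\s+start=\s*disabled))\b", ev["cmd"].lower()) else None

def analyze(events):
    """Per host: 'high' only when encoded PowerShell and an impact-stage child of a script host coincide."""
    hits = defaultdict(set)
    for ev in events:
        for rule in (rule_obfuscated_powershell, rule_recovery_inhibition, rule_service_stop):
            tag = rule(ev)
            if tag:
                hits[ev["host"]].add(tag)
            if tag and rule is not rule_obfuscated_powershell and ev["parent"].lower() in SCRIPT_HOSTS:
                hits[ev["host"]].add("impact-child-of-script-host")  # parent-process context, not just image name
    verdicts = {h: "high" if any(t.startswith("T1059.001") for t in tags) and "impact-child-of-script-host" in tags
                else "medium" for h, tags in hits.items()}
    return verdicts, {h: sorted(t) for h, t in hits.items()}
# Constructed sample events (not real telemetry), shaped like Sysmon Event ID 1 / 4688 fields.
_ENC = base64.b64encode(("$blob = '" + "4d5a9000" * 6 + "'").encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"host": "ws01", "parent": "powershell.exe", "image": "wmic.exe", "cmd": "wmic shadowcopy delete"},
    {"host": "ws01", "parent": "powershell.exe", "image": "net.exe", "cmd": "net stop backupsvc"},  # constructed service name
    {"host": "ws02", "parent": "explorer.exe", "image": "net.exe", "cmd": "net stop spooler"},  # admin action, no script parent
]
```

Running `analyze(SAMPLE_EVENTS)` rates ws01 "high" and ws02 only "medium", because the service stop on ws02 lacks both the encoded-PowerShell precursor and a script-host parent.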
Mitigation priorities
- Harden and monitor PowerShell use on Windows, including policy, logging, and restrictions appropriate to administrative need.
- Limit administrative pathways that enable WMI, service execution, registry modification, and remote command execution to authorized users and managed systems.
- Protect endpoint security tools, logging agents, and recovery services from disablement or unauthorized modification.
- Segment and monitor internal file transfer paths to reduce unchecked lateral tool movement.
- Maintain resilient backups and recovery processes that are separated from ordinary endpoint administrative control and regularly tested for restoration.
Analyst notes and limits
The ATT&CK object identifies Netwalker as fileless PowerShell ransomware executed in memory and links it to multiple techniques spanning execution, stealth, discovery, lateral movement, defense impairment, and impact. The most useful defensive value is to map those relationships into a Windows ransomware detection and response validation plan, especially around PowerShell, WMI, service control, registry activity, memory execution, and recovery protection.
MITRE provides no official detection guidance for this object, no aliases, and no explicit tactics on the malware object itself. The platform supplied for the malware is Windows; broader platforms listed on related techniques should not be interpreted as Netwalker platform support without additional evidence. Local environment data is required to determine actual exposure, control coverage, and detection quality.
Netwalker
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1112 | Modify Registry | Netwalker can add the following registry entry: |
| Enterprise | T1685 | Disable or Modify Tools | Netwalker can detect and terminate active security software-related processes on infected systems. (Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| Enterprise | T1082 | System Information Discovery | Netwalker can determine the system architecture it is running on to choose which version of the DLL to use. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | |
| Enterprise | T1027.010 | Command Obfuscation (sub-technique) | Netwalker's PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. (Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | Netwalker can detect and terminate active security software-related processes on infected systems. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1027.009 | Embedded Payloads (sub-technique) | Netwalker's DLL has been embedded within the PowerShell script in hex format. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1490 | Inhibit System Recovery | Netwalker can delete the infected system's Shadow Volumes to prevent recovery. (Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| Enterprise | T1059.001 | PowerShell (sub-technique) | Netwalker has been written in PowerShell and executed directly in memory, avoiding detection. (Citation: TrendMicro Netwalker May 2020)(Citation: Sophos Netwalker May 2020) |
| Enterprise | T1106 | Native API | Netwalker can use Windows API functions to inject the ransomware DLL. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1486 | Data Encrypted for Impact | Netwalker can encrypt files on infected machines to extort victims. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1569.002 | Service Execution (sub-technique) | |
| Enterprise | T1047 | Windows Management Instrumentation | Netwalker can use WMI to delete Shadow Volumes. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1489 | Service Stop | Netwalker can terminate system processes and services, some of which relate to backup software. (Citation: TrendMicro Netwalker May 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1055.001 | Dynamic-link Library Injection (sub-technique) | The Netwalker DLL has been injected reflectively into the memory of a legitimate running process. (Citation: TrendMicro Netwalker May 2020) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | eaea9820bbf9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] TrendMicro Netwalker May 2020: Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020.
[2] mitre-attack S0457
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.