
S0500: MCMD

MCMD is a remote access tool that provides remote command shell capability used by Dragonfly.[1]

Enterprise | S0500 | Tool | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

MCMD is a Windows remote access tool with remote command shell capability, documented by ATT&CK as used by Dragonfly. Its decision value is that a single implant can combine command execution, persistence, stealth, web-based command-and-control, tool transfer, and local data access, so defenders should not treat it as only a malware signature problem.

Executive priority

Prioritize MCMD as a readiness test for Windows endpoint visibility, incident response triage, and resilience in environments where Dragonfly-relevant risk matters, including government, defense, aviation, industrial control system, and critical infrastructure contexts referenced in the related group description. Leaders should ask whether teams can prove visibility into persistence creation, command shell activity, outbound web-protocol C2, and cleanup of persistence artifacts—not just whether an antivirus name is detected.

Technical view

ATT&CK provides no official detection text for MCMD, so coverage should be validated through the related behaviors: Windows Command Shell, Scheduled Task, Registry Run Keys/Startup Folder, Hidden Window, Obfuscated Files or Information, Match Legitimate Resource Name or Location, Clear Persistence, Web Protocols, Ingress Tool Transfer, and Data from Local System. SOC and IR teams should correlate suspicious cmd.exe activity with new or modified scheduled tasks, Run key/startup entries, unusual file placement or naming, hidden execution patterns, tool downloads, local data access, and outbound HTTP/S-like traffic from uncommon processes.

Likely telemetry

  • Windows endpoint process creation telemetry with command line, parent/child process, user, and integrity context
  • Windows Task Scheduler creation, modification, execution, and deletion events
  • Registry monitoring for Run keys and startup-folder persistence paths
  • File creation, modification, deletion, and rename telemetry, especially for suspicious placement or legitimate-looking names
  • Endpoint alerts or logs showing obfuscated, packed, encoded, or otherwise hard-to-analyze files

Detection direction

  • Because ATT&CK lists no official MCMD detection guidance, validate behavior-based analytics rather than relying only on malware family names.
  • Tune for suspicious command shell activity that is remote, automated, or spawned by unusual parent processes, while accounting for legitimate administration tools.
  • Correlate scheduled task and Run key creation with nearby command execution, new binaries, outbound web traffic, or file transfer events.
  • Hunt for executables placed in trusted-looking locations or named to resemble legitimate resources, especially when paired with hidden-window execution or obfuscation indicators.
  • Monitor for persistence artifacts that are created and later removed, since Clear Persistence can reduce the evidence available during incident response.
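The correlations described in the detection direction and telemetry lists above, run over a handful of constructed endpoint events. This is an added example, not Glexia's or MITRE's code: the event schema, the process ids, the user-writable path list and the browser allowlist are assumptions modelled loosely on Sysmon-style process, registry, task and network telemetry. It flags a shell spawned by a binary in a user-writable location (T1059.003), Run key and scheduled task creation that coincides with shell or HTTPS activity from the same process (T1547.001, T1053.005), HTTPS from a non-browser binary in a user-writable path (T1071.001), and a Run key later removed by the process that created it (T1070.009).

```python
"""Correlate constructed Windows endpoint events against the MCMD-related
behaviours on this page. Added example; schema and values are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (hypothetical, not captured from a real host).
# On process_create, pid/ppid are the new process and its parent; on every other
# event type, pid is the process that performed the action.
IMPLANT = r"C:\Users\alice\AppData\Roaming\Readme.txt.exe"   # legitimate-looking name
RUN_VALUE = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Readme"
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "process_create", "pid": 4100, "ppid": 1200,
     "image": IMPLANT, "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:00:05", "type": "registry_set", "pid": 4100, "key": RUN_VALUE},
    {"ts": "2024-05-01T09:00:07", "type": "process_create", "pid": 4120, "ppid": 4100,
     "image": r"C:\Windows\System32\cmd.exe", "parent": IMPLANT},
    {"ts": "2024-05-01T09:00:10", "type": "network_connect", "pid": 4100,
     "image": IMPLANT, "dst_port": 443},
    {"ts": "2024-05-01T09:00:12", "type": "task_create", "pid": 4100,
     "task": r"\Microsoft\Windows\Updater"},
    # Benign noise: an interactive shell from Explorer and a browser session.
    {"ts": "2024-05-01T09:05:00", "type": "process_create", "pid": 4300, "ppid": 1200,
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T09:06:00", "type": "network_connect", "pid": 4400,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_port": 443},
    # Later cleanup of the persistence artifact by the process that set it.
    {"ts": "2024-05-01T10:30:00", "type": "registry_delete", "pid": 4100, "key": RUN_VALUE},
]

USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\")
WEB_ALLOWLIST = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe"}  # tune per estate
RUN_KEY = "\\currentversion\\run\\"
WINDOW = timedelta(minutes=10)   # how close persistence and activity must be to correlate


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def analyze(events):
    """Return (technique_id, pid, detail) findings from the event stream."""
    events = sorted(events, key=lambda e: e["ts"])
    children = defaultdict(list)    # ppid -> process_create events of its children
    outbound = defaultdict(list)    # pid  -> network_connect events
    for e in events:
        if e["type"] == "process_create":
            children[e["ppid"]].append(e)
        elif e["type"] == "network_connect":
            outbound[e["pid"]].append(e)
    persisted = {}                  # (pid, artifact) -> creation time
    findings = []
    for e in events:
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "process_create":
            # cmd.exe whose parent lives in a user-writable location.
            if basename(e["image"]) == "cmd.exe" and in_user_writable(e["parent"]):
                findings.append(("T1059.003", e["ppid"], f"cmd.exe spawned by {e['parent']}"))
        elif e["type"] in ("registry_set", "task_create"):
            key = e.get("key", e.get("task", ""))
            if e["type"] == "registry_set" and RUN_KEY not in key.lower():
                continue            # registry writes outside Run keys are not persistence here
            persisted[(e["pid"], key.lower())] = t
            tech = "T1547.001" if e["type"] == "registry_set" else "T1053.005"
            near = lambda x: abs(datetime.fromisoformat(x["ts"]) - t) <= WINDOW
            shells = [c for c in children[e["pid"]] if basename(c["image"]) == "cmd.exe" and near(c)]
            web = [n for n in outbound[e["pid"]] if n["dst_port"] == 443 and near(n)]
            if shells or web:       # persistence on its own is noisy; require nearby activity
                findings.append((tech, e["pid"],
                                 f"{key} set with shell={bool(shells)} web={bool(web)}"))
        elif e["type"] == "registry_delete":
            if (e["pid"], e["key"].lower()) in persisted:
                findings.append(("T1070.009", e["pid"], f"Run key {e['key']} removed by its creator"))
        elif e["type"] == "network_connect":
            if (e["dst_port"] == 443 and basename(e["image"]) not in WEB_ALLOWLIST
                    and in_user_writable(e["image"])):
                findings.append(("T1071.001", e["pid"], f"HTTPS from {e['image']}"))
    return findings


if __name__ == "__main__":
    for tech, pid, detail in analyze(EVENTS):
        print(tech, pid, detail)
```

The interactive cmd.exe from Explorer and the browser's HTTPS session produce no findings, while every finding points at pid 4100; the Clear Persistence finding depends on retaining the earlier registry_set event, which is why the "collect before cleanup" point in the mitigation list matters.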

Mitigation priorities

  • Confirm Windows endpoint logging and EDR coverage for process, registry, task scheduler, file, and network activity before assuming MCMD-like behavior is observable.
  • Harden and monitor persistence locations such as Run keys, startup folders, and scheduled tasks with change control and alerting.
  • Apply least privilege so ordinary user contexts have limited ability to establish durable persistence or access sensitive local data.
  • Restrict and inspect outbound web-protocol traffic where feasible, especially from servers and administrative workstations that should not initiate broad external connections.
  • Maintain incident response procedures for rapid collection of volatile process, persistence, file, and network evidence before cleanup activity removes artifacts.

Analyst notes and limits

The supplied ATT&CK relationship context is the main source of practical defensive value: MCMD is a Windows remote access tool used by Dragonfly and linked to execution, persistence, stealth, command-and-control, tool transfer, and local data behaviors. The Dragonfly relationship makes this especially relevant for organizations assessing espionage-oriented risk and critical infrastructure/ICS-adjacent exposure, but local prioritization should be based on actual environment, assets, and telemetry.

No official ATT&CK detection text, aliases, or tactics are supplied for the MCMD software object. Several behavior details come from relationships rather than the software description itself. This take does not assert current activity, customer exposure, guaranteed detection, or platform scope beyond the supplied Windows platform for MCMD and the listed related techniques.

Official MITRE ATT&CK definition

MCMD

MCMD is a remote access tool that provides remote command shell capability used by Dragonfly.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

10 rows (Domain | ID | Name | Relationship / procedure; [1] = Secureworks MCMD July 2019)

Enterprise | T1070.009 | Clear Persistence (sub-technique)
    MCMD has the ability to remove set Registry Keys, including those used for persistence. [1]

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
    MCMD can launch a console process (cmd.exe) with redirected standard input and output. [1]

Enterprise | T1564.003 | Hidden Window (sub-technique)
    MCMD can modify processes to prevent them from being visible on the desktop. [1]

Enterprise | T1071.001 | Web Protocols (sub-technique)
    MCMD can use HTTPS in communication with C2 web servers. [1]

Enterprise | T1036.005 | Match Legitimate Resource Name or Location (sub-technique)
    MCMD has been named Readme.txt to appear legitimate. [1]

Enterprise | T1027 | Obfuscated Files or Information
    MCMD can Base64 encode output strings prior to sending to C2. [1]

Enterprise | T1053.005 | Scheduled Task (sub-technique)
    MCMD can use scheduled tasks for persistence. [1]

Enterprise | T1005 | Data from Local System
    MCMD has the ability to upload files from an infected device. [1]

Enterprise | T1105 | Ingress Tool Transfer
    MCMD can upload additional files to a compromised host. [1]

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
    MCMD can use Registry Run Keys for persistence. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0035: Dragonfly

Dragonfly is a cyber espionage group that has been attributed to Russia's Federal Security Service (FSB) Center 16.[1][2] Active since at least 2010, Dragonfly has targeted defense and aviation companies, government entities, companies related to industrial control systems, and critical infrastructure sectors worldwide through supply chain, spearphishing, and drive-by compromise attacks.[3][4][5][6][7][8][9]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: db48ec06fde22910...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | db48ec06fde2…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Secureworks MCMD July 2019
     Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020.
  2. [2] mitre-attack S0500

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.