S0504: Anchor
Analyst context for executives and security teams
Anchor is a Linux and Windows backdoor family that ATT&CK describes as used in conjunction with TrickBot against selected high-profile targets since at least 2018. Its value for planning is that it combines persistence, discovery, lateral movement, stealth, and several command-and-control paths, so coverage is not decided by any single control. Leaders should treat it as a test of whether endpoint, network, DNS, identity, and incident-response evidence can be joined quickly enough to establish scope.
Executive priority
Prioritize Anchor as a resilience and readiness scenario rather than a single malware signature. The ATT&CK relationships point to behaviors that affect business continuity decisions: alternate C2 channels, tool transfer, service and scheduled-task persistence, SMB/admin-share lateral movement, and file deletion/obfuscation. Executives should ask whether the organization can prove collection and retention for Windows and Linux hosts, DNS/web/network traffic, and administrative-share activity, and whether IR teams can rapidly identify persistence and lateral movement if a TrickBot-associated intrusion is suspected.
Technical view
ATT&CK provides no official detection text for Anchor, so defenders should validate coverage through the mapped techniques. On Windows, review service creation/modification, service execution, scheduled tasks, command shell use, SMB/admin-share access, NTFS file attribute abuse, code-signing metadata, packed/obfuscated binaries, file deletion, and web/DNS/non-application-layer C2. On Linux, validate cron persistence, Unix shell execution, system and network configuration discovery, packed/obfuscated files, file deletion, ingress tool transfer, and outbound C2 over DNS, web protocols, fallback channels, or lower-layer protocols. Use the Wizard Spider relationship and TrickBot conjunction as threat-intelligence context, not as proof of local attribution.
Likely telemetry
- Endpoint process creation and command-line telemetry for Windows cmd and Unix shells
- Windows service creation, modification, and service-control execution events
- Windows scheduled task events and Linux cron/crontab changes
- SMB/admin-share authentication and file-access logs
- DNS query and response logs, including unusual domains, volumes, or patterns
Detection direction
- Build detections around technique clusters rather than a single Anchor indicator because ATT&CK supplies no official detection guidance.
- Correlate persistence events with nearby shell execution, discovery commands, file transfer, deletion, and outbound DNS/web/network activity.
- Tune DNS and web-protocol analytics carefully because these protocols are common; prioritize rare destinations, unusual query patterns, fallback behavior, and host context.
- For Windows, validate that service creation, scheduled tasks, SMB/admin-share use, and NTFS attribute/ADS visibility are actually logged and retained.
- For Linux, validate cron changes, shell command telemetry, file changes, and outbound network visibility; these are common blind spots compared with Windows endpoint coverage.
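The technical view, the telemetry list, and the detection direction above all come down to one join: a persistence event (Windows service install, scheduled task, or cron entry) on a host, followed within a short window by outbound DNS that looks like tunneling rather than ordinary resolution. The script below is an added example written for this page, not code from the original page, from MITRE, or from the cited reports. It assumes a normalised event line of the form `<ISO timestamp> <host> <source> <detail>` with source values `win_service`, `sched_task`, `cron`, and `dns` (an assumed schema, not any vendor's native format); the sample events, the domains, and the thresholds for label length, entropy, and window size are all constructed for illustration and would need tuning against real baseline traffic, as L17 warns.

```python
"""Correlate persistence events with tunneling-shaped DNS queries per host.

Added example for this page. Telemetry below is constructed, not Anchor
samples; the event schema and scoring thresholds are assumptions.
"""
import math
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: "<ISO timestamp> <host> <source> <detail>".
SAMPLE_EVENTS = [
    "2024-05-01T10:00:02Z WS01 win_service ServiceName=WinUpd ImagePath=C:\\ProgramData\\upd\\svc.exe",
    "2024-05-01T10:00:09Z WS01 dns 8f3a1c9e2b7d4f6a0c5e1b9d3a7f2e4c.updates.example.test",
    "2024-05-01T10:00:41Z WS01 dns 1e9d7a3b5c2f8e4d0a6b9c1e3f5d7a2b.updates.example.test",
    "2024-05-01T10:01:15Z WS01 dns www.example.test",
    "2024-05-01T11:30:00Z SRV02 sched_task TaskName=\\Microsoft\\Windows\\Upd Command=C:\\Users\\Public\\a.exe",
    "2024-05-01T11:31:10Z SRV02 dns login.microsoftonline.com",
    "2024-05-01T12:00:00Z LX03 cron Entry='*/5 * * * * /tmp/.x/upd'",
    "2024-05-01T12:03:30Z LX03 dns 4d2f9c1a7e3b5d8f0a6c2e9b1d7f3a5c.sync.example.test",
    "2024-05-01T15:00:00Z LX03 dns deb.debian.org",
]

# Assumed normalised source names for T1543.003, T1053.005 and T1053.003.
PERSISTENCE_SOURCES = {"win_service", "sched_task", "cron"}


def parse_event(line):
    """Split one constructed event line into a dict with a UTC datetime."""
    ts, host, source, detail = line.split(" ", 3)
    return {
        "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
        "host": host,
        "source": source,
        "detail": detail,
    }


def shannon_entropy(text):
    """Bits per character of the string; hex/base32-encoded payloads score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_dns_query(qname):
    """Return (score, reasons) for tunneling-shaped names (T1071.004).

    Thresholds are assumptions for the sample data, not published values.
    """
    labels = qname.rstrip(".").split(".")
    longest = max(labels, key=len)
    reasons = []
    if len(longest) >= 24:
        reasons.append("long_label")
    if shannon_entropy(longest) >= 3.5:
        reasons.append("high_entropy_label")
    if len(qname) >= 50:
        reasons.append("long_qname")
    return len(reasons), reasons


def distinct_names_by_parent(lines):
    """Count distinct query names under each parent domain (last two labels).

    Many unique subdomains under one parent is the 'unusual query pattern'
    worth reviewing before trusting a single high-scoring name.
    """
    seen = defaultdict(set)
    for e in (parse_event(l) for l in lines):
        if e["source"] == "dns":
            labels = e["detail"].rstrip(".").split(".")
            seen[".".join(labels[-2:])].add(e["detail"])
    return {parent: len(names) for parent, names in seen.items()}


def correlate(lines, window=timedelta(minutes=15), min_dns_score=2):
    """Join each persistence event with suspicious DNS on the same host.

    A finding needs both halves: persistence alone (SRV02 below) and
    odd-looking DNS alone do not fire, which keeps the analytic quiet on
    hosts where only one of the two behaviours is present.
    """
    events = sorted((parse_event(l) for l in lines), key=lambda e: e["ts"])
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        dns = [e for e in evs if e["source"] == "dns"]
        for p in (e for e in evs if e["source"] in PERSISTENCE_SOURCES):
            hits = []
            for d in dns:
                if abs(d["ts"] - p["ts"]) <= window:
                    score, reasons = score_dns_query(d["detail"])
                    if score >= min_dns_score:
                        hits.append((d["detail"], reasons))
            if hits:
                findings.append({"host": host, "persistence": p["source"],
                                 "detail": p["detail"], "dns": hits})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], f["persistence"], f["detail"])
        for name, why in f["dns"]:
            print("   ", name, why)
    print(distinct_names_by_parent(SAMPLE_EVENTS))
```

On the constructed data this fires for WS01 (service install followed by two encoded-label queries) and LX03 (cron entry followed by one), and stays silent for SRV02, whose scheduled task is followed only by an ordinary identity-provider lookup. The parent-domain count is the place to start tuning: a parent that accumulates many unique names from one host is a stronger signal than any single threshold, and the window, label-length and entropy values above should be set from your own baseline rather than copied.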
Mitigation priorities
- Sequence controls around preventing and containing the mapped behaviors: harden administrative shares and service-control access, restrict unnecessary administrative privileges, and monitor privileged account use.
- Reduce persistence opportunity by governing Windows services, scheduled tasks, and Linux cron with change control and alerting.
- Limit outbound communications through DNS, web, and other protocols with egress controls, proxying, logging, and review of exceptions.
- Improve endpoint hardening and application control where feasible to reduce execution of packed, obfuscated, unsigned, or unexpected binaries while accounting for the Code Signing relationship.
- Maintain centralized logging and retention across Windows, Linux, DNS, proxy/firewall, and identity sources so IR can reconstruct discovery, lateral movement, persistence, and cleanup activity.
Analyst notes and limits
Anchor is most useful for defenders as a cross-platform backdoor behavior model. The strongest ATT&CK-supported context is its relationship to TrickBot activity, its use by Wizard Spider, and its mapped techniques spanning C2, discovery, execution, persistence, lateral movement, defense evasion, and tool transfer. Local validation should focus on whether those behaviors are observable together across Windows and Linux rather than on malware naming alone.
The supplied ATT&CK object does not include official detection text, aliases, labels, or object-level tactics. The relationship descriptions are truncated in places, and no local indicators, hashes, infrastructure, prevalence, or active exploitation status are supplied. Any assessment of exposure, attribution, or detection coverage requires environment-specific telemetry and intelligence.
Anchor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1095 | Non-Application Layer Protocol | Anchor has used ICMP in C2 communications. [1] |
| Enterprise | T1059.003 | Windows Command Shell | Anchor has used cmd.exe to run its self-deletion routine. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Anchor can download additional payloads. [1][2] |
| Enterprise | T1480 | Execution Guardrails | Anchor can terminate itself if specific execution flags are not present. [1] |
| Enterprise | T1082 | System Information Discovery | Anchor can determine the hostname and Linux version on a compromised host. [2] |
| Enterprise | T1053.005 | Scheduled Task | Anchor can create a scheduled task for persistence. [1] |
| Enterprise | T1053.003 | Cron | Anchor can install itself as a cron job. [2] |
| Enterprise | T1059.004 | Unix Shell | Anchor can execute payloads via shell scripting. [2] |
| Enterprise | T1071.001 | Web Protocols | Anchor has used HTTP and HTTPS in C2 communications. [1] |
| Enterprise | T1553.002 | Code Signing | Anchor has been signed with valid certificates to evade detection by security tools. [1] |
| Enterprise | T1071.004 | DNS | Variants of Anchor can use DNS tunneling to communicate with C2. [1][2] |
| Enterprise | T1543.003 | Windows Service | Anchor can establish persistence by creating a service. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | Anchor has obfuscated code with stack strings and string encryption. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Anchor can determine the public IP and location of a compromised host. [2] |
| Enterprise | T1070.004 | File Deletion | Anchor can self-delete its dropper after the malware is successfully deployed. [1] |
| Enterprise | T1027.002 | Software Packing | Anchor has come with a packed payload. [1] |
| Enterprise | T1564.004 | NTFS File Attributes | Anchor has used NTFS to hide files. [1] |
| Enterprise | T1569.002 | Service Execution | Anchor can create and execute services to load its payload. [1][2] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | Anchor can support Windows execution via SMB shares. [2] |
| Enterprise | T1008 | Fallback Channels | Anchor can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers. [1] |
Groups, software, and campaigns
G0102: Wizard Spider
Wizard Spider is a Russia-based financially motivated threat group originally known for the creation and deployment of TrickBot since at least 2016. Wizard Spider possesses a diverse arsenal of tools and has conducted ransomware campaigns against a variety of organizations, ranging from major corporations to hospitals.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table can be opened to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | f0aad2977838… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cyberreason Anchor December 2019: Dahan, A. et al. (2019, December 11). Dropping Anchor: From a TrickBot Infection to the Discovery of the Anchor Malware. Retrieved September 10, 2020.
[2] Medium Anchor DNS July 2020: Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020.
[3] Anchor_DNS (associated name; sources: Cyberreason Anchor December 2019, Medium Anchor DNS July 2020)
[4] mitre-attack S0504: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.