S0592: RemoteUtilities
RemoteUtilities is a legitimate remote administration tool that has been used by MuddyWater since at least 2021 for execution on target machines.[1]
Analyst context for executives and security teams
RemoteUtilities matters because it is legitimate Windows remote administration software that ATT&CK records as used by MuddyWater for execution on target machines. The business risk is not the tool name alone; it is whether the organization can distinguish approved remote support activity from attacker-operated remote access that enables discovery, file transfer, screen capture, and installer-based execution behaviors.
Executive priority
Treat this as a governance and visibility question for remote administration tooling. Leaders should ask: which teams are authorized to use RemoteUtilities or similar tools, where is that approval documented, and can the SOC prove usage is expected? Because ATT&CK provides no official detection guidance for this object, control confidence should come from local telemetry, software inventory, allowlisting decisions, and incident response playbooks for legitimate-tool abuse.
Technical view
For Windows environments, validate whether RemoteUtilities is present, approved, and monitored. Relationship context links this software to File and Directory Discovery, Ingress Tool Transfer, Screen Capture, and Msiexec abuse, so detection engineering should correlate remote administration activity with file enumeration, inbound tool/file movement, screenshot-like collection behavior, and msiexec.exe execution patterns. Because the object has no ATT&CK-provided detection text and no specified tactics at the software-object level, local baselining is essential before alerting aggressively.
Likely telemetry
- Windows software inventory and endpoint management records showing RemoteUtilities installation or execution
- Process creation telemetry, especially RemoteUtilities-related processes and msiexec.exe command lines
- Windows Installer and application installation events
- File system access patterns consistent with directory and file enumeration
- Network connection and file transfer logs associated with remote administration sessions
Detection direction
- Build an allowlist of approved remote administration tools, users, hosts, and business purposes; alert on RemoteUtilities use outside that baseline.
- Correlate RemoteUtilities activity with related ATT&CK behaviors: file/directory discovery, external or internal tool transfer, screen capture, and msiexec execution.
- Tune carefully for legitimate support operations; useful detections should include asset criticality, user role, time of day, source/destination context, and change ticket evidence where available.
- Review msiexec.exe usage for unusual local or network-accessible MSI execution patterns, while recognizing msiexec is a legitimate Windows Installer utility.
- Do not assume coverage from ATT&CK alone; this object has no official detection guidance, so validate logs with controlled internal testing and incident review.
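The baseline-and-correlate approach in the list above, as an added example that is not part of the original page or of any ATT&CK or Glexia tooling: per-event rules flag RemoteUtilities processes on (host, user) pairs outside an approved baseline and msiexec.exe invocations whose package source is a URL or UNC path rather than a local file, and a correlation step escalates an msiexec finding that follows an unapproved remote-admin process on the same host within a short window. The process names, install paths, host names, user accounts, IP address and the allowlist are all constructed for illustration and should be replaced with values from local software inventory and authorization records.

```python
"""Baseline-and-correlate detection logic for remote administration tool use.

Constructed example: the events, allowlist, host names, users, paths and
process names below are made up for illustration; they are not from the
ATT&CK object and must be replaced with values from local inventory.
"""
from datetime import datetime, timedelta
import re

# Assumed image names for RemoteUtilities host/viewer components (assumption:
# confirm against what your software inventory actually records).
REMOTE_ADMIN_IMAGES = {"rutserv.exe", "rutview.exe", "rfusclient.exe"}

# Approved (host, user) pairs for remote administration: constructed baseline.
APPROVED_REMOTE_ADMIN = {
    ("HELPDESK-01", "corp\\svc_remotesupport"),
    ("HELPDESK-02", "corp\\svc_remotesupport"),
}

# msiexec package sources that are not a plain local path: URLs or UNC paths.
NON_LOCAL_PACKAGE = re.compile(r"(https?://|\\\\)", re.IGNORECASE)

# How long after an unapproved remote-admin process an msiexec run is linked.
CORRELATION_WINDOW = timedelta(minutes=15)


def image_name(image_path):
    """Return the lower-cased file name from a Windows or POSIX image path."""
    return image_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate_event(event):
    """Return a list of (rule, severity) pairs for one process-creation event."""
    findings = []
    name = image_name(event["image"])
    if name in REMOTE_ADMIN_IMAGES:
        key = (event["host"].upper(), event["user"].lower())
        if key not in APPROVED_REMOTE_ADMIN:
            findings.append(("remote_admin_outside_baseline", "medium"))
    if name == "msiexec.exe" and NON_LOCAL_PACKAGE.search(event["cmdline"]):
        findings.append(("msiexec_non_local_package", "medium"))
    return findings


def correlate(events):
    """Run per-event rules in time order, then escalate msiexec findings that
    follow an unapproved remote-admin process on the same host in the window."""
    events = sorted(events, key=lambda e: e["ts"])
    last_unapproved = {}  # host -> timestamp of last unapproved remote-admin process
    alerts = []
    for e in events:
        host = e["host"].upper()
        for rule, severity in evaluate_event(e):
            if rule == "remote_admin_outside_baseline":
                last_unapproved[host] = e["ts"]
            elif rule == "msiexec_non_local_package":
                prior = last_unapproved.get(host)
                if prior is not None and e["ts"] - prior <= CORRELATION_WINDOW:
                    rule, severity = "remote_admin_then_msiexec", "high"
            alerts.append({"host": e["host"], "user": e["user"], "rule": rule,
                           "severity": severity, "ts": e["ts"]})
    return alerts


def sample_events():
    """Constructed process-creation events (not real telemetry)."""
    t0 = datetime(2026, 1, 12, 9, 0)
    return [
        # Approved help-desk session: within baseline, no alert.
        {"ts": t0, "host": "HELPDESK-01", "user": "corp\\svc_remotesupport",
         "image": r"C:\Program Files\RemoteUtilitiesHost\rutserv.exe",
         "cmdline": "rutserv.exe"},
        # Same tool started from a temp directory on a finance workstation.
        {"ts": t0 + timedelta(minutes=3), "host": "FIN-WS-07", "user": "corp\\jdoe",
         "image": r"C:\Users\jdoe\AppData\Local\Temp\rutserv.exe",
         "cmdline": "rutserv.exe"},
        # msiexec pulling a package from a UNC path on that host 5 minutes later.
        {"ts": t0 + timedelta(minutes=8), "host": "FIN-WS-07", "user": "corp\\jdoe",
         "image": r"C:\Windows\System32\msiexec.exe",
         "cmdline": r"msiexec.exe /i \\10.0.0.5\share\host.msi /qn"},
        # Routine local MSI install elsewhere: no alert.
        {"ts": t0 + timedelta(minutes=20), "host": "ENG-WS-03", "user": "corp\\asmith",
         "image": r"C:\Windows\System32\msiexec.exe",
         "cmdline": r"msiexec.exe /i C:\Installers\tool.msi /qn"},
    ]


if __name__ == "__main__":
    for alert in correlate(sample_events()):
        print(alert["ts"].isoformat(), alert["host"], alert["user"],
              alert["rule"], alert["severity"])
```

Run as-is, the constructed events yield two alerts: a medium-severity baseline violation on FIN-WS-07, then a high-severity correlated alert when msiexec.exe installs from a UNC path on the same host five minutes later; the approved help-desk session and the local MSI install produce nothing. The allowlist keyed on (host, user) is the simplest form of the baseline the page describes; extending the key with source/destination or change-ticket context is a matter of adding fields to the tuple.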
Mitigation priorities
- Establish policy ownership for approved remote administration software and remove or block unapproved use where business need is absent.
- Use endpoint controls and application governance to restrict installation and execution of unauthorized remote administration tools on Windows systems.
- Require strong administrative access governance for remote support workflows, including named users, approved devices, and auditable change or help desk context.
- Prioritize monitoring of high-value systems where screen capture, file discovery, or file transfer could create material confidentiality or operational risk.
- Ensure incident response playbooks address legitimate-tool abuse, including rapid validation of authorization, containment of remote sessions, and evidence preservation.
Analyst notes and limits
ATT&CK identifies RemoteUtilities as a legitimate remote administration tool used by MuddyWater since at least 2021, with cited Trend Micro reporting. The relationship context is valuable for defenders because it points to behaviors that should be validated around the tool rather than relying only on the software name.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or software-level tactics. Relationship descriptions are partial, and some related technique platform lists are broader than this software object; the object itself lists Windows as its only platform. Local inventory, authorization records, and endpoint/network telemetry are required to determine risk and detection quality.
RemoteUtilities
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | RemoteUtilities can enumerate files and directories on a target machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | RemoteUtilities can upload and download files to and from a target machine.[1] |
| Enterprise | T1218.007 | Msiexec (T1218 sub-technique) | RemoteUtilities can use Msiexec to install a service.[1] |
| Enterprise | T1113 | Screen Capture | RemoteUtilities can take screenshots on a compromised host.[1] |
Groups, software, and campaigns
G0069: MuddyWater
MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ca77f804bfb4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Muddy Water March 2021: Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
[2] mitre-attack S0592: MITRE ATT&CK source object for S0592 (RemoteUtilities).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.