MITRE ATT&CK® Tool

S0594: Out1

Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.[1]

Domain: Enterprise | ID: S0594 | Type: Tool | Object version: 1.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Out1 matters because ATT&CK identifies it as a Windows remote access tool used by MuddyWater and linked to behaviors that support command execution, web-based command-and-control, local data collection, and local email collection. For leaders, the decision value is not the tool name alone; it is whether the organization can prove it would see a Python-based remote access capability using common Windows command shell activity and web protocols to reach sensitive local files or email stores.

Executive priority

Prioritize validation for Windows endpoint visibility, outbound web traffic monitoring, and protection of locally stored sensitive data and email. Because ATT&CK provides no official detection guidance for Out1, executives should ask for evidence-based coverage: what telemetry is collected, how command shell and web-protocol C2-like behavior is triaged, and whether incident responders can quickly determine if local documents or email data were accessed. This is especially relevant for organizations where continuity, regulatory evidence, or executive decision-making depends on confidence in endpoint and email data protection.

Technical view

Treat Out1 as a Windows software object with relationship-driven behaviors: Windows Command Shell execution (T1059.003), Web Protocols for command-and-control (T1071.001), Obfuscated Files or Information (T1027), Data from Local System (T1005), and Local Email Collection (T1114.001). SOC and IR teams should validate whether they can correlate process execution, command-line history, script or Python-related execution where present, file access to sensitive local locations, local Outlook/email data access, and outbound HTTP/S-like communications. Since ATT&CK does not provide official detection logic, detections should be behavior-based and tuned against normal administrative, scripting, backup, indexing, and email-client activity.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry, especially cmd.exe and script/interpreter-adjacent activity where collected
  • Endpoint file access telemetry for sensitive local files, configuration data, and local email stores such as Outlook cache/data files
  • Network telemetry for outbound web protocol traffic, including destination, timing, volume, user, host, and process context where available
  • Endpoint security alerts or file metadata related to encoded, encrypted, compressed, or otherwise obfuscated files
  • Host inventory and software execution records to identify unusual Python-based tooling on Windows systems

Detection direction

  • Build or validate behavior analytics around suspicious Windows command shell execution combined with outbound web traffic from the same host or user context.
  • Correlate local file and email data access with unusual process ancestry, remote access indicators, or abnormal outbound communications rather than relying on a tool name signature.
  • Tune for false positives from legitimate administration, software deployment, backup tools, email clients, search indexing, and approved scripting workflows.
  • Review visibility gaps: ATT&CK provides no official Out1 detection text, so coverage depends on local endpoint, network, and email-file telemetry quality.
  • Use the MuddyWater relationship as threat-intelligence context for prioritization, not as proof of attribution in a local incident.
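The first two detection points above (shell execution correlated with outbound web traffic from the same host and user context, tuned against approved tooling) as a runnable illustration. This is an added example, not Glexia or MITRE code; the event records, the timestamps, the hostnames and the allowlisted parent images are all constructed for the demonstration.

```python
"""Correlate Windows command-shell execution (T1059.003) with outbound web
traffic (T1071.001) from the same host and user within a short window.
All telemetry below is constructed sample data, not real logs."""
from datetime import datetime, timedelta

# Constructed process-creation events (EDR/Sysmon-style fields, simplified).
PROCESS_EVENTS = [
    {"ts": "2021-03-05T10:00:01", "host": "WS01", "user": "alice",
     "image": "cmd.exe", "parent": "python.exe", "pid": 4120},
    {"ts": "2021-03-05T10:00:05", "host": "WS02", "user": "svc_backup",
     "image": "cmd.exe", "parent": "backup-agent.exe", "pid": 880},
    {"ts": "2021-03-05T10:30:00", "host": "WS03", "user": "bob",
     "image": "cmd.exe", "parent": "explorer.exe", "pid": 2200},
]
# Constructed outbound network-connection events from the same hosts.
NETWORK_EVENTS = [
    {"ts": "2021-03-05T10:00:20", "host": "WS01", "user": "alice",
     "image": "python.exe", "dport": 443, "dest": "203.0.113.10"},
    {"ts": "2021-03-05T10:00:30", "host": "WS02", "user": "svc_backup",
     "image": "backup-agent.exe", "dport": 443, "dest": "203.0.113.20"},
    {"ts": "2021-03-05T11:30:00", "host": "WS03", "user": "bob",
     "image": "chrome.exe", "dport": 80, "dest": "203.0.113.30"},
]
# Tuning allowlist (assumed names): parents that legitimately spawn cmd.exe
# and then talk to the web, e.g. backup or software-deployment agents.
BENIGN_PARENTS = {"backup-agent.exe", "sccm-client.exe"}
WEB_PORTS = {80, 443}


def correlate(proc_events, net_events, window_sec=60, benign=BENIGN_PARENTS):
    """Return (host, user, parent) tuples where cmd.exe was spawned by a
    non-allowlisted parent and outbound web traffic followed from the same
    host/user context within window_sec seconds."""
    window = timedelta(seconds=window_sec)
    hits = []
    for p in proc_events:
        if p["image"].lower() != "cmd.exe" or p["parent"].lower() in benign:
            continue
        t0 = datetime.fromisoformat(p["ts"])
        for n in net_events:
            same_ctx = n["host"] == p["host"] and n["user"] == p["user"]
            t1 = datetime.fromisoformat(n["ts"])
            if same_ctx and n["dport"] in WEB_PORTS and t0 <= t1 <= t0 + window:
                hits.append((p["host"], p["user"], p["parent"]))
                break  # one hit per shell execution is enough for triage
    return hits


if __name__ == "__main__":
    for hit in correlate(PROCESS_EVENTS, NETWORK_EVENTS):
        print("shell execution followed by outbound web traffic:", hit)
```

With the sample data only WS01 is flagged: WS02 is suppressed by the allowlist and WS03's web traffic falls outside the window, which is the tuning trade-off the bullets above describe.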

Mitigation priorities

  • Confirm Windows endpoint logging and EDR coverage on systems that store sensitive documents or local email data.
  • Restrict and monitor unnecessary command shell and scripting/interpreter use according to role and administrative need.
  • Harden outbound web access controls and ensure web traffic can be investigated with host, user, and process context where feasible.
  • Reduce sensitive data exposure on endpoints by limiting local storage of high-value files and reviewing local email cache practices where business requirements allow.
  • Maintain incident response playbooks for suspected remote access tooling that include scoping command execution, outbound communications, and possible local data or email collection.

Analyst notes and limits

The supplied ATT&CK record is sparse: Out1 is described as a Python remote access tool for Windows used by MuddyWater since at least 2021, with no official detection guidance and no aliases listed. The most useful defensive content comes from the relationships to execution, command-and-control, obfuscation, and collection techniques. Detection engineering should therefore focus on technique-level behavior and correlation, not only file names or static indicators.

This take is limited to the provided ATT&CK fields, external references, and relationships. It does not assert current activity, customer exposure, successful exploitation, malware capabilities beyond the listed relationships, or guaranteed detection. Local environment baselines, logging coverage, and incident artifacts are required to determine relevance and impact.

Official MITRE ATT&CK definition

Out1

Out1 is a remote access tool written in Python and used by MuddyWater since at least 2021.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1071.001 | Web Protocols (sub-technique) | Out1 can use HTTP and HTTPS in communications with remote hosts.[1]
Enterprise | T1027 | Obfuscated Files or Information | Out1 has the ability to encode data.[1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Out1 can use native command line for execution.[1]
Enterprise | T1005 | Data from Local System | Out1 can copy files and Registry data from compromised hosts.[1]
Enterprise | T1114.001 | Local Email Collection (sub-technique) | Out1 can parse e-mails on a target machine.[1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication.[2][3][4][5][6][7][8][9][10][11][12][13]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources – Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: a6b8da255b076f1b...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | a6b8da255b07…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Trend Micro Muddy Water March 2021. Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021.
  2. [2] mitre-attack S0594. MITRE ATT&CK source record for S0594 (Out1).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.