S0610: SideTwist
Analyst context for executives and security teams
SideTwist matters because it is a Windows backdoor associated in ATT&CK with OilRig and with behaviors that support command-and-control, discovery, collection, tool transfer, and exfiltration over the same channel. For leaders, the practical issue is not just one malware name: it is whether the organization can prove it would notice a Windows host using command shell activity, system and file discovery, encoded or encrypted web-based C2, fallback communications, and outbound data movement.
Executive priority
Prioritize SideTwist as a readiness test for Windows endpoint visibility, egress monitoring, and incident response evidence quality. The ATT&CK relationships connect it to sectors and supply-chain-oriented targeting attributed to OilRig in the group description, so risk owners should ask whether critical business units, trusted partner pathways, and sensitive data stores have adequate monitoring and response playbooks for backdoor-driven discovery and exfiltration. This is also useful for audit and compliance evidence: confirm that logging, alert triage, containment, and data-loss investigation procedures can be demonstrated, not just documented.
Technical view
ATT&CK does not provide a dedicated detection section for SideTwist, so SOC and detection teams should validate coverage through the related techniques: Windows Command Shell execution, Native API activity, system/user/network/file discovery, local data collection, ingress tool transfer, web-protocol C2, data obfuscation, standard encoding, symmetric cryptography, fallback channels, and exfiltration over C2. Focus testing on Windows hosts and network paths where an interactive backdoor could issue commands, enumerate the environment, stage files, receive additional tooling, and communicate over HTTP/S-like traffic that may be encoded, encrypted, or otherwise obfuscated.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and child-process activity
- Windows endpoint file, directory, and local data access events where available
- Host-based network connection telemetry from Windows systems
- Proxy, secure web gateway, firewall, DNS, and outbound HTTP/S metadata
- EDR telemetry for unusual process, memory, API, and network behavior
Detection direction
- Map detections to the related ATT&CK techniques rather than relying on the malware name alone, because no official SideTwist detection guidance is supplied.
- Correlate Windows command shell execution with discovery commands, file enumeration, local data access, and outbound network sessions.
- Tune web-protocol C2 analytics for unusual destinations, uncommon user-agent or session patterns, encoded payload characteristics, repeated fallback destinations, and beacon-like behavior while accounting for legitimate business web traffic.
- Validate whether encrypted or encoded C2 would still leave usable metadata for detection, such as process-to-destination relationships, destination reputation, timing, volume, and proxy categories.
- Look for ingress tool transfer followed by execution or additional discovery, since the relationships include tool/file transfer behavior.
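Worked detection logic for the correlation and fallback points above, as an added example that is not part of the ATT&CK object or the Glexia analysis. The pipe-delimited log format, the field names (ppid, pid, dst, port), the five-minute window and every sample event are assumptions constructed for illustration.

```python
"""Correlate cmd.exe discovery with outbound web sessions and flag a 443->80 fallback
(the SideTwist pattern above). Added example; log format and sample lines are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)
# Discovery commands that map to T1033 / T1082 / T1016 / T1083 on a Windows host
DISCOVERY = re.compile(r"\b(whoami|hostname|userdomain|systeminfo|dir)\b", re.I)

# Constructed telemetry, one event per line: time|host|kind|key=value|...
SAMPLE_LOG = """\
2021-04-08T10:00:01|WS01|proc|ppid=3988|image=cmd.exe|cmd=cmd.exe /c whoami
2021-04-08T10:00:03|WS01|proc|ppid=3988|image=cmd.exe|cmd=cmd.exe /c hostname
2021-04-08T10:00:05|WS01|proc|ppid=3988|image=cmd.exe|cmd=cmd.exe /c echo %USERDOMAIN%
2021-04-08T10:00:08|WS01|proc|ppid=3988|image=cmd.exe|cmd=cmd.exe /c dir /s C:\\Users\\bob\\*.docx
2021-04-08T10:00:12|WS01|net|pid=3988|dst=203.0.113.10|port=443
2021-04-08T10:02:40|WS01|net|pid=3988|dst=203.0.113.10|port=80
2021-04-08T10:05:00|WS02|proc|ppid=7001|image=cmd.exe|cmd=cmd.exe /c dir D:\\build
2021-04-08T10:05:30|WS02|net|pid=7001|dst=198.51.100.7|port=443
"""
def parse(log):
    """Turn the pipe-delimited lines into event dicts (timestamps parsed)."""
    rows = (line.split("|") for line in log.strip().splitlines())
    return [{"ts": datetime.fromisoformat(ts), "host": host, "kind": kind,
             **dict(f.split("=", 1) for f in fields)} for ts, host, kind, *fields in rows]

def shell_discovery_then_c2(events, min_cmds=2):
    """Parent (host, ppid) whose cmd.exe children ran >= min_cmds distinct discovery
    commands and which itself opened an HTTP/S session within WINDOW of the first."""
    cmds, nets = defaultdict(list), defaultdict(list)
    for ev in events:
        if ev["kind"] == "proc" and ev["image"] == "cmd.exe" and (m := DISCOVERY.search(ev["cmd"])):
            cmds[(ev["host"], ev["ppid"])].append((ev["ts"], m.group(1).lower()))
        elif ev["kind"] == "net" and ev["port"] in ("443", "80"):
            nets[(ev["host"], ev["pid"])].append(ev["ts"])
    alerts = []
    for key, hits in cmds.items():
        kinds, first = {k for _, k in hits}, min(t for t, _ in hits)
        if len(kinds) >= min_cmds and any(first <= t <= first + WINDOW for t in nets[key]):
            alerts.append((*key, sorted(kinds)))
    return alerts

def fallback_channel(events):
    """(host, pid, dst) that was reached on 443 and then on 80 within WINDOW (T1008)."""
    conns = defaultdict(list)
    for ev in events:
        if ev["kind"] == "net":
            conns[(ev["host"], ev["pid"], ev["dst"])].append((ev["ts"], ev["port"]))
    return [key for key, c in conns.items()
            if any(p == "443" and any(q == "80" and t < u <= t + WINDOW for u, q in c) for t, p in c)]
```

WS02 shows the threshold at work: one `dir` followed by a 443 session is normal admin noise and does not alert until `min_cmds` is lowered to 1.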
Mitigation priorities
- Confirm Windows endpoint logging and EDR coverage on systems that handle sensitive data or provide privileged access.
- Restrict and monitor unnecessary outbound web traffic, especially direct-to-internet paths from servers and high-value workstations.
- Harden command shell and script execution controls according to business need, with attention to administrative exceptions.
- Apply least privilege so a compromised user context cannot broadly enumerate or collect sensitive local or network-accessible data.
- Segment critical systems and monitor trusted partner or supply-chain access paths where applicable to the organization’s environment.
Analyst notes and limits
The supplied ATT&CK object identifies SideTwist as a C-based Windows backdoor used by OilRig since at least 2021, with Check Point’s April 2021 reporting as an external reference. The strongest defensive value comes from the relationship set: it shows the behavior pattern defenders should validate across execution, discovery, collection, command-and-control, tool transfer, decoding/encoding, encryption, fallback communications, and exfiltration.
ATT&CK provides no official detection text, no aliases, and no tactics directly on the SideTwist object. The object platform is Windows, while several related techniques list broader platforms; this analysis applies platform-specific guidance only to Windows where supported. Local telemetry, network architecture, business process baselines, and available security controls are required to determine actual exposure or detection coverage.
SideTwist
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1106 | Native API | SideTwist can use |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | SideTwist has used Base64 for encoded C2 traffic. [1] |
| Enterprise | T1033 | System Owner/User Discovery | SideTwist can collect the username on a targeted system. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | SideTwist can encrypt C2 communications with a randomly generated key. [1] |
| Enterprise | T1083 | File and Directory Discovery | SideTwist has the ability to search for specific files. [1] |
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | SideTwist can execute shell commands on a compromised host. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | SideTwist has the ability to download additional files. [1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | SideTwist has used HTTP GET and POST requests over port 443 for C2. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | SideTwist has the ability to collect the domain name on a compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | SideTwist can decode and decrypt messages received from C2. [1] |
| Enterprise | T1005 | Data from Local System | SideTwist has the ability to upload files from a compromised host. [1] |
| Enterprise | T1008 | Fallback Channels | SideTwist has primarily used port 443 for C2 but can use port 80 as a fallback. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SideTwist has exfiltrated data over its C2 channel. [1] |
| Enterprise | T1082 | System Information Discovery | SideTwist can collect the computer name of a targeted system. [1] |
| Enterprise | T1001 | Data Obfuscation | SideTwist can embed C2 responses in the source code of a fake Flickr webpage. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 66428b9cc341… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Check Point APT34 April 2021: Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021.
[2] mitre-attack S0610: MITRE ATT&CK source record for S0610.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.