S0639: Seth-Locker
Seth-Locker is a ransomware with some remote control capabilities that has been in use since at least 2021. [1]
Analyst context for executives and security teams
Seth-Locker matters because ATT&CK identifies it as Windows ransomware with some remote control capability, and its ATT&CK relationships point to command-shell execution, ingress tool transfer, and data encryption for impact. For leaders, the decision value lies not in the malware name but in whether the organization can see suspicious Windows command execution, inbound file/tool staging, and encryption activity quickly enough to act before availability loss becomes a business-continuity event.
Executive priority
Treat this as a ransomware-readiness validation case for Windows environments. Security leaders should ask whether SOC monitoring, incident response playbooks, backup recovery evidence, and endpoint controls can support decisions during a suspected encryption event. Priority should go to proving visibility and response around Windows command shell activity, ingress tool transfer, and data encryption behaviors rather than relying on malware-specific signatures, since no official ATT&CK detection guidance is provided for this object.
Technical view
ATT&CK lists Seth-Locker as Windows malware and relates it to T1059.003 (Windows Command Shell), T1105 (Ingress Tool Transfer), and T1486 (Data Encrypted for Impact); the T1486 procedure text notes that encrypted files receive the .seth suffix. SOC and IR teams should confirm they collect process-creation telemetry for cmd.exe and its child processes, evidence of downloaded or staged tools and files, and high-volume or abnormal file modification and rename activity on Windows systems. Detection engineering should map coverage to these behaviors and tune for ransomware-like execution chains while accounting for legitimate administrative command-shell and file-transfer activity.
Likely telemetry
- Windows endpoint process creation telemetry, especially command shell invocation and parent/child process context
- Endpoint file creation, modification, rename, and high-volume write activity consistent with encryption impact
- Network or proxy evidence of external file/tool transfer into the environment
- Endpoint security alerts or logs showing suspicious tool staging or remote-control-like activity
- Windows host logs and EDR timeline data needed to correlate execution, transfer, and encryption phases
Detection direction
- Build behavior-based detections around T1059.003, T1105, and T1486 rather than depending only on Seth-Locker-specific indicators.
- Validate command-shell monitoring includes command line, parent process, user context, host, and timing so legitimate administration can be separated from suspicious execution chains.
- Correlate file/tool ingress with subsequent command execution and large-scale file modification to reduce false positives and improve ransomware triage.
- Confirm ransomware-impact monitoring is tested against Windows file activity patterns, including local and accessible remote storage where telemetry is available.
- Document blind spots where endpoint logging, EDR coverage, proxy visibility, or file activity monitoring is absent, because ATT&CK provides no object-specific detection text.
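The correlation the bullets above describe, written out as a small detection routine and run over constructed endpoint events. This is an added example for this page, not code from MITRE ATT&CK, Trend Micro or the malware itself: the event field names (`type`, `image`, `parent`, `path`, `new_path`), the list of user-writable staging directories and the rename threshold are assumptions modelled on generic EDR/Sysmon-style telemetry, and the two hosts and their events are constructed, not real logs. The only page-derived detail is the .seth suffix from the T1486 procedure text.

```python
"""Behavior-based triage of a ransomware-like execution chain on Windows hosts.

Added example for this page; it is not code from MITRE ATT&CK, Trend Micro or
Seth-Locker itself. It scores a constructed event stream for the three
behaviors the page relates to Seth-Locker: command-shell execution
(T1059.003), ingress tool transfer followed by execution (T1105) and
high-volume renames to the .seth extension (T1486). Event field names,
directory markers and thresholds are assumptions modelled on generic
EDR/Sysmon-style telemetry, not any vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed markers for user-writable staging locations (tune per environment).
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\users\\public\\")
RANSOM_SUFFIX = ".seth"            # extension named in the page's T1486 procedure text
RENAME_THRESHOLD = 20              # assumed: renames per window before a host is flagged
RENAME_WINDOW = timedelta(seconds=60)


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def in_user_writable(path):
    low = path.lower()
    return any(marker in low for marker in USER_WRITABLE)


def shell_from_user_writable_parent(events):
    """T1059.003: cmd.exe whose parent binary lives in a user-writable directory."""
    return [e for e in events
            if e["type"] == "process"
            and e["image"].lower().endswith("\\cmd.exe")
            and in_user_writable(e["parent"])]


def ingress_then_execute(events):
    """T1105: a file written to a user-writable path and later executed on the same host."""
    written = {}    # (host, lowercased path) -> time the file appeared
    hits = []
    for e in sorted(events, key=_ts):   # time order guarantees create precedes execute
        if e["type"] == "file_create" and in_user_writable(e["path"]):
            written[(e["host"], e["path"].lower())] = _ts(e)
        elif e["type"] == "process" and (e["host"], e["image"].lower()) in written:
            hits.append(e)
    return hits


def mass_rename(events, suffix=RANSOM_SUFFIX, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """T1486: peak number of renames to `suffix` on one host inside a sliding `window`."""
    per_host = defaultdict(list)
    for e in events:
        if e["type"] == "file_rename" and e["new_path"].lower().endswith(suffix):
            per_host[e["host"]].append(_ts(e))
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[host] = peak
    return flagged


def triage(events):
    """Correlate the phases per host; two or more phases on one host escalates it."""
    phases = defaultdict(set)
    for e in shell_from_user_writable_parent(events):
        phases[e["host"]].add("T1059.003")
    for e in ingress_then_execute(events):
        phases[e["host"]].add("T1105")
    for host in mass_rename(events):
        phases[host].add("T1486")
    return {host: (sorted(techs), len(techs) >= 2) for host, techs in phases.items()}


def constructed_events():
    """Constructed sample telemetry for two hosts (not real logs)."""
    base = datetime(2021, 2, 5, 10, 0, 0)

    def at(seconds):
        return (base + timedelta(seconds=seconds)).isoformat()

    dropper = "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"
    docs = "C:\\Users\\jdoe\\Documents\\"
    events = [
        # WS01: tool staged, executed, spawns cmd.exe, then 30 renames to .seth
        {"ts": at(0), "host": "WS01", "type": "file_create", "path": dropper},
        {"ts": at(5), "host": "WS01", "type": "process", "image": dropper,
         "parent": "C:\\Windows\\explorer.exe", "cmdline": "update.exe"},
        {"ts": at(6), "host": "WS01", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
         "parent": dropper, "cmdline": "cmd.exe /c whoami"},
        # WS02: an administrator's shell from Explorer and an ordinary rename
        {"ts": at(0), "host": "WS02", "type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
         "parent": "C:\\Windows\\explorer.exe", "cmdline": "cmd.exe"},
        {"ts": at(1), "host": "WS02", "type": "file_rename",
         "old_path": "C:\\temp\\report.txt", "new_path": "C:\\temp\\report.bak"},
    ]
    for i in range(30):
        events.append({"ts": at(10 + i), "host": "WS01", "type": "file_rename",
                       "old_path": f"{docs}doc{i}.docx", "new_path": f"{docs}doc{i}.docx.seth"})
    return events


if __name__ == "__main__":
    for host, (techniques, escalate) in triage(constructed_events()).items():
        print(host, techniques, "ESCALATE" if escalate else "review")
```

Run stand-alone, it escalates WS01 (all three phases) and produces nothing for WS02, whose cmd.exe from Explorer and single rename never cross a rule on their own. The point of the `triage` step is the one the bullets make: any single rule here fires on legitimate administration, so the escalation decision keys on phases co-occurring on one host rather than on any one rule.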
Mitigation priorities
- Prioritize resilient, tested backups and recovery procedures for systems and data that would be affected by encryption impact.
- Harden and monitor Windows command-shell use, especially where administrative tooling can be abused for execution.
- Restrict and inspect unauthorized file/tool transfer paths into the environment using existing endpoint, network, and access controls.
- Prepare incident response playbooks for rapid containment of Windows hosts showing command execution, tool staging, and encryption behavior.
- Use this object as a control-validation scenario for ransomware readiness, SOC escalation, and compliance evidence around monitoring and recovery.
Analyst notes and limits
The supplied ATT&CK object identifies Seth-Locker as ransomware with some remote control capabilities in use since at least 2021 and provides one external Trend Micro reference. The most useful defensive context comes from the ATT&CK relationships to Windows Command Shell, Ingress Tool Transfer, and Data Encrypted for Impact. Local validation is required to determine whether these behaviors are observable in a specific environment.
Official ATT&CK detection guidance is not provided. The object lists Windows as the platform and does not specify tactics directly; tactic context is inferred only from the supplied relationships. No claims can be made here about current activity, attribution, prevalence, customer exposure, or guaranteed detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell | Seth-Locker can execute commands via the command line shell. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Seth-Locker has the ability to download and execute files on a compromised host. [1] |
| Enterprise | T1486 | Data Encrypted for Impact | Seth-Locker can encrypt files on a targeted system, appending them with the suffix .seth. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | fbb3892ced8c… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Trend Micro Ransomware February 2021: Centero, R. et al. (2021, February 5). New in Ransomware: Seth-Locker, Babuk Locker, Maoloa, TeslaCrypt, and CobraLocker. Trend Micro. Retrieved August 11, 2021.
[2] MITRE ATT&CK: S0639 Seth-Locker (mirrored source object).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.