
S0673: DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[1]

Domain: Enterprise | ID: S0673 | Type: Malware | Object version: 1.2
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

DarkWatchman matters because ATT&CK describes it as a lightweight JavaScript-based Windows RAT that avoids file operations. That shifts defensive value away from file-only malware controls and toward visibility into script execution, Registry activity, WMI, scheduled tasks, discovery behavior, local data collection, and web-based command-and-control patterns.

Executive priority

Treat this as a coverage validation item for Windows endpoint resilience and incident response readiness. Leaders should ask whether the organization can investigate a mostly fileless RAT scenario: Can teams prove what script ran, what Registry keys changed, whether persistence was created, what data was discovered or staged, and whether outbound web traffic carried command-and-control? The priority is not a single signature; it is evidence quality across endpoint, identity context, and network telemetry.

Technical view

The supplied ATT&CK relationships show DarkWatchman using Windows-relevant execution and persistence paths including JavaScript, PowerShell, Windows Command Shell, WMI, Scheduled Task, Registry query/modify, fileless storage, command obfuscation, compile-after-delivery, compression, masquerading, file deletion, discovery, collection, keylogging, local staging, and web protocols for command-and-control. SOC and IR teams should validate whether Windows telemetry connects these behaviors into a timeline, especially where activity does not leave conventional malware files on disk. No official ATT&CK detection text is provided, so detection engineering should be based on the related techniques and local baselines.

Likely telemetry

  • Windows process creation with command-line detail for script interpreters, PowerShell, cmd, WMI, and task-scheduling utilities
  • PowerShell and script execution logs where enabled, including encoded or obfuscated command indicators
  • Windows Registry query and modification events, especially unusual persistence or storage patterns
  • Scheduled Task creation, modification, and execution events
  • WMI activity, including local or remote command execution indicators

Detection direction

  • Prioritize behavior correlation over file hashes because the official description emphasizes avoidance of file operations and the relationships include fileless storage and obfuscation.
  • Tune detections for unusual chains such as JavaScript or script execution leading to Registry modification, WMI execution, Scheduled Task creation, discovery commands, local staging, and web-protocol outbound traffic.
  • Baseline administrative use of PowerShell, cmd, WMI, Registry tools, and Scheduled Tasks to reduce false positives while preserving alerts for rare parent-child process relationships, unusual users, or unusual hosts.
  • Validate visibility into Registry-backed or non-file storage because file-centric EDR or antivirus-only workflows may miss material evidence.
  • Review outbound web traffic by process and host context; web protocols are common, so detection should emphasize abnormal initiating processes, destinations, timing, and surrounding endpoint behavior rather than protocol use alone.
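
The chain-oriented correlation described in the bullets above, as an added example that is not code from Glexia, MITRE or the DarkWatchman report: a Python rule engine over constructed Sysmon-style records (process creation, Registry value set, network connection) that decodes Base64-encoded PowerShell so obfuscated commands can be read, and scores each host on how many distinct stages of the script-to-Registry-to-task-to-WMI-to-web chain occur inside one time window. The stage names, the interpreter and tool allow-lists, the 30-minute window and the alert threshold of three stages are assumptions chosen for the example; the hostnames, paths, key name, task name and destination are placeholders.

```python
"""Correlate Windows endpoint events into a fileless-RAT behaviour chain.

Added example for this page (not Glexia's, MITRE's or the report's code).
Every event below is constructed sample data; hostnames, paths, Registry key,
task name and destination are placeholders, not indicators.
"""
import base64
from collections import defaultdict
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
TASK_TOOLS = {"schtasks.exe"}
WMI_HOSTS = {"wmic.exe", "wmiprvse.exe"}
STAGE_ORDER = ["script_exec", "registry_mod", "persistence", "wmi_exec", "web_c2"]


def encode_ps(text):
    """Build the Base64(UTF-16LE) form PowerShell expects after -EncodedCommand."""
    return base64.b64encode(text.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand text, or None if the line carries none.

    PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -en, -enc,
    ...) plus the documented alias -ec, so the flag is matched loosely."""
    toks = cmdline.split()
    for i, tok in enumerate(toks[:-1]):
        flag = tok.lstrip("-/").lower()
        if flag == "ec" or (flag.startswith("e") and "encodedcommand".startswith(flag)):
            try:
                return base64.b64decode(toks[i + 1], validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None
    return None


def classify(ev):
    """Map one event to a chain stage, or None when it looks like baseline activity."""
    image = ev.get("image", "").lower()
    parent = ev.get("parent", "").lower()
    cmd = ev.get("cmdline", "")
    if ev["type"] == "process":
        if image in TASK_TOOLS and "/create" in cmd.lower():
            return "persistence"
        if image in WMI_HOSTS:
            return "wmi_exec"
        # A lone script host under explorer is everyday noise; a script host spawned by
        # another script host, or carrying an encoded command, is the chain's first link.
        if image in SCRIPT_HOSTS and (parent in SCRIPT_HOSTS or decode_encoded_command(cmd) is not None):
            return "script_exec"
    elif ev["type"] == "registry_set" and image in SCRIPT_HOSTS:
        return "registry_mod"
    elif ev["type"] == "network" and image in SCRIPT_HOSTS and ev.get("dest_port") in (80, 443):
        return "web_c2"
    return None


ENCODED_CMDLINE = "powershell.exe -NoP -W Hidden -enc " + encode_ps("Get-Process")

# Constructed sample telemetry (simplified Sysmon-style fields). Not real data.
EVENTS = [
    # WS01: script from a user folder, then an encoded PowerShell child and the rest of the chain
    {"ts": "2021-11-20T09:00:01", "host": "WS01", "type": "process", "image": "wscript.exe",
     "parent": "explorer.exe", "cmdline": r"wscript.exe C:\Users\u\Downloads\document.js"},
    {"ts": "2021-11-20T09:00:03", "host": "WS01", "type": "process", "image": "powershell.exe",
     "parent": "wscript.exe", "cmdline": ENCODED_CMDLINE},
    {"ts": "2021-11-20T09:00:05", "host": "WS01", "type": "registry_set", "image": "powershell.exe",
     "key": r"HKCU\Software\PLACEHOLDER_KEY\cfg", "value_len": 4200},
    {"ts": "2021-11-20T09:00:09", "host": "WS01", "type": "process", "image": "schtasks.exe",
     "parent": "powershell.exe", "cmdline": "schtasks.exe /create /tn PLACEHOLDER_TASK /tr PLACEHOLDER_CMD /sc minute"},
    {"ts": "2021-11-20T09:00:12", "host": "WS01", "type": "process", "image": "wmic.exe",
     "parent": "powershell.exe", "cmdline": "wmic.exe os get caption"},
    {"ts": "2021-11-20T09:02:30", "host": "WS01", "type": "network", "image": "powershell.exe",
     "dest": "PLACEHOLDER_DOMAIN", "dest_port": 443},
    # WS02: an administrator creating a backup task from an interactive shell (one stage, no alert)
    {"ts": "2021-11-20T10:15:00", "host": "WS02", "type": "process", "image": "cmd.exe",
     "parent": "explorer.exe", "cmdline": "cmd.exe"},
    {"ts": "2021-11-20T10:15:20", "host": "WS02", "type": "process", "image": "schtasks.exe",
     "parent": "cmd.exe", "cmdline": "schtasks.exe /create /tn NightlyBackup /tr backup.cmd /sc daily"},
]


def score_hosts(events, window=timedelta(minutes=30)):
    """Score each host by the number of distinct chain stages seen inside one window."""
    by_host = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    results = {}
    for host, hits in by_host.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = {s for t, s in hits[i:] if t - t0 <= window}
            if len(seen) > len(best):
                best = seen
        results[host] = {"stages": [s for s in STAGE_ORDER if s in best],
                         "score": len(best), "alert": len(best) >= 3}
    return results


if __name__ == "__main__":
    for host, verdict in score_hosts(EVENTS).items():
        print(host, verdict)
```

The score is deliberately independent of file hashes: a host is judged on behaviour only, and the WS02 records show why a single scheduled-task creation should not alert by itself. In production the same structure keys off Sysmon event IDs 1, 3 and 13 (or 4688 and 4698 audit records) and a per-environment baseline of which parents legitimately spawn the interpreters in SCRIPT_HOSTS.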

Mitigation priorities

  • Harden and monitor Windows scripting environments, including JavaScript/JScript, PowerShell, and command shell usage, according to business need.
  • Restrict and audit WMI, Scheduled Task, and Registry modification capabilities using least privilege and administrative control review.
  • Enable sufficient Windows logging for process creation, command line, PowerShell/script activity, Registry changes, scheduled tasks, and WMI so investigations are evidence-driven.
  • Apply egress monitoring and web-protocol inspection policies appropriate to the environment, with attention to endpoint process context.
  • Prepare incident response procedures for fileless malware scenarios, including memory-aware triage, Registry review, persistence checks, and data-staging searches.
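
The Registry review and data-staging search named in the last two bullets, as an added example that is not Glexia's, MITRE's or any vendor's code: a Python scan over a Windows .reg export that parses string, binary and DWORD values, joins backslash-continued hex lines the way regedit writes them, and flags values whose length or Shannon entropy is out of line with ordinary configuration data. The sample export, its key paths, value names and blobs are constructed placeholders, and the size and entropy thresholds are assumptions to be baselined per environment.

```python
"""Flag Registry values that look like non-file storage of config or staged data.

Added example for this page (not Glexia's, MITRE's or any vendor's code). The
export below is constructed: key paths, value names and blobs are placeholders,
and the thresholds are assumptions to baseline locally.
"""
import base64
import hashlib
import math
import re

KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')

# Per value kind: (max length before flagging, entropy in bits/symbol before
# flagging, minimum size for the entropy test). Binary data is naturally denser,
# so its entropy bar is higher and tiny blobs such as GUIDs are exempt.
THRESHOLDS = {"REG_SZ": (1024, 4.5, 32), "REG_BINARY": (1024, 7.0, 64)}


def _blob(n_digests):
    """Deterministic pseudo-random bytes so the constructed sample is reproducible."""
    return b"".join(hashlib.sha256(str(i).encode()).digest() for i in range(n_digests))


def _reg_hex(data, per_line=24):
    """Render bytes as regedit exports them: comma-separated hex with backslash continuations."""
    chunks = [",".join(f"{b:02x}" for b in data[i:i + per_line]) for i in range(0, len(data), per_line)]
    return ",\\\n  ".join(chunks)


# Constructed sample export: two ordinary values and a DWORD, then a 1280-character
# Base64 string and a 1216-byte hex blob standing in for Registry-backed storage.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\ExampleApp]
"InstallDir"="C:\\Program Files\\ExampleApp"
"Version"="1.4.2"
"Enabled"=dword:00000001

[HKEY_CURRENT_USER\Software\PLACEHOLDER_KEY]
"cfg"="@CFG@"
"log"=hex:@LOG@
'''.replace("@CFG@", base64.b64encode(_blob(30)).decode("ascii")).replace("@LOG@", _reg_hex(_blob(38)))


def parse_reg(text):
    """Return (key, name, kind, payload) tuples from .reg text."""
    entries, key, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):        # regedit wraps long hex values with a trailing backslash
            pending = line[:-1]
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if not m or key is None:
            continue
        name, data = m.group("name"), m.group("data")
        if len(data) >= 2 and data[0] == data[-1] == '"':
            entries.append((key, name, "REG_SZ", data[1:-1]))
        elif data.startswith("hex"):   # hex:, hex(2):, hex(7): all carry comma-separated bytes
            entries.append((key, name, "REG_BINARY", bytes.fromhex(data.split(":", 1)[1].replace(",", ""))))
        elif data.startswith("dword:"):
            entries.append((key, name, "REG_DWORD", int(data[6:], 16)))
    return entries


def shannon_entropy(data):
    """Bits per symbol of a str or bytes value (0.0 for empty or constant data)."""
    n = len(data)
    if n == 0:
        return 0.0
    counts = {}
    for sym in data:
        counts[sym] = counts.get(sym, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_values(entries, thresholds=THRESHOLDS):
    """Return findings for values that are too large or too dense for ordinary config data."""
    findings = []
    for key, name, kind, payload in entries:
        if kind not in thresholds:
            continue
        max_len, max_entropy, min_len_for_entropy = thresholds[kind]
        size, ent = len(payload), shannon_entropy(payload)
        reasons = []
        if size >= max_len:
            reasons.append(f"size {size} >= {max_len}")
        if size >= min_len_for_entropy and ent >= max_entropy:
            reasons.append(f"entropy {ent:.2f} >= {max_entropy}")
        if reasons:
            findings.append({"key": key, "name": name, "kind": kind, "size": size,
                             "entropy": round(ent, 2), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in suspicious_values(parse_reg(SAMPLE_REG)):
        print(finding)
```

Run it against the output of `reg export HKCU\Software out.reg /y` (or a hive parsed offline by a forensic tool) and review hits by key path: large Base64 or hex strings under unfamiliar keys are the pattern worth chasing, while small high-entropy binary values such as GUIDs are expected, which is why the binary entropy test is separate and size-gated.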

Analyst notes and limits

DarkWatchman is identified by ATT&CK as software S0673, a JavaScript-based RAT first observed in November 2021. The most decision-useful context comes from its ATT&CK technique relationships, which indicate a Windows-focused pattern of script execution, stealth, discovery, collection, persistence, and web-based command-and-control. This take intentionally avoids claims about current exploitation, attribution, prevalence, or guaranteed detectability.

ATT&CK provides no official detection text for this object, and the object itself lists no tactics. Several relationship descriptions are truncated in the supplied data, and some related technique platform lists are broader or inconsistent with the malware object's Windows platform. Local environment telemetry, baselines, and control configuration are required to assess real coverage.

Official MITRE ATT&CK definition

DarkWatchman

DarkWatchman is a lightweight JavaScript-based remote access tool (RAT) that avoids file operations; it was first observed in November 2021.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

34 rows
Domain / ID / Name, followed by the relationship or procedure text (citation [1] = Prevailion DarkWatchman 2021)

Enterprise T1614 System Location Discovery
    DarkWatchman can identify the OS locale of a compromised host. [1]

Enterprise T1070.004 File Deletion (Sub-technique)
    DarkWatchman has been observed deleting its original launcher after installation. [1]

Enterprise T1027.011 Fileless Storage (Sub-technique)
    DarkWatchman can store configuration strings, keylogger, and output of components in the Registry. [1]

Enterprise T1027.015 Compression (Sub-technique)
    DarkWatchman has been delivered as compressed RAR payloads in ZIP files to victims. [1]

Enterprise T1112 Modify Registry
    DarkWatchman can modify Registry values to store configuration strings, keylogger, and output of components. [1]

Enterprise T1490 Inhibit System Recovery
    DarkWatchman can delete shadow volumes using vssadmin.exe. [1]

Enterprise T1074.001 Local Data Staging (Sub-technique)
    DarkWatchman can stage local data in the Windows Registry. [1]

Enterprise T1010 Application Window Discovery
    DarkWatchman reports window names along with keylogger information to provide application context. [1]

Enterprise T1059.001 PowerShell (Sub-technique)
    DarkWatchman can execute PowerShell commands and has used PowerShell to execute a keylogger. [1]

Enterprise T1124 System Time Discovery
    DarkWatchman can collect time zone information and system `UPTIME`. [1]

Enterprise T1083 File and Directory Discovery
    DarkWatchman has the ability to enumerate file and folder names. [1]

Enterprise T1027.010 Command Obfuscation (Sub-technique)
    DarkWatchman has used Base64 to encode PowerShell commands. [1]

Enterprise T1568.002 Domain Generation Algorithms (Sub-technique)
    DarkWatchman has used a DGA to generate a domain name for C2. [1]

Enterprise T1012 Query Registry
    DarkWatchman can query the Registry to determine if it has already been installed on the system. [1]

Enterprise T1129 Shared Modules
    DarkWatchman can load DLLs. [1]

Enterprise T1217 Browser Information Discovery
    DarkWatchman can retrieve browser history. [1]

Enterprise T1132.001 Standard Encoding (Sub-technique)
    DarkWatchman encodes data using hexadecimal representation before sending it to the C2 server. [1]

Enterprise T1059.003 Windows Command Shell (Sub-technique)
    DarkWatchman can use `cmd.exe` to execute commands. [1]

Enterprise T1573.002 Asymmetric Cryptography (Sub-technique)
    DarkWatchman can use TLS to encrypt its C2 channel. [1]

Enterprise T1071.001 Web Protocols (Sub-technique)
    DarkWatchman uses HTTPS for command and control. [1]

Enterprise T1005 Data from Local System
    DarkWatchman can collect files from a compromised host. [1]

Enterprise T1140 Deobfuscate/Decode Files or Information
    DarkWatchman has the ability to self-extract as a RAR archive. [1]

Enterprise T1047 Windows Management Instrumentation
    DarkWatchman can use WMI to execute commands. [1]

Enterprise T1566.001 Spearphishing Attachment (Sub-technique)
    DarkWatchman has been delivered via spearphishing emails that contain a malicious zip file. [1]

Enterprise T1027.004 Compile After Delivery (Sub-technique)
    DarkWatchman has used the csc.exe tool to compile a C# executable. [1]

Enterprise T1053.005 Scheduled Task (Sub-technique)
    DarkWatchman has created a scheduled task for persistence. [1]

Enterprise T1518.001 Security Software Discovery (Sub-technique)
    DarkWatchman can search for anti-virus products on the system. [1]

Enterprise T1056.001 Keylogging (Sub-technique)
    DarkWatchman can track key presses with a keylogger module. [1]

Enterprise T1036 Masquerading
    DarkWatchman has used an icon mimicking a text file to mask a malicious executable. [1]

Enterprise T1082 System Information Discovery
    DarkWatchman can collect the OS version, system architecture, and computer name. [1]

Enterprise T1033 System Owner/User Discovery
    DarkWatchman has collected the username from a victim machine. [1]

Enterprise T1070 Indicator Removal
    DarkWatchman can uninstall malicious components from the Registry, stop processes, and clear the browser history. [1]

Enterprise T1059.007 JavaScript (Sub-technique)
    DarkWatchman uses JavaScript to perform its core functionalities. [1]

Enterprise T1120 Peripheral Device Discovery
    DarkWatchman can list signed PnP drivers for smartcard readers. [1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.2
Created: (not shown in this snapshot)
Modified: (not shown in this snapshot)
Raw hash: e2fa177e61c90086...

Imported snapshots across ATT&CK releases (1)
Release 19.1, object version 1.2, status: current bundle, raw hash e2fa177e61c9… (bundle-import and modified timestamps not shown)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Prevailion DarkWatchman 2021: Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022.
  2. [2] mitre-attack S0673
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.