S0688: Meteor
Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]
Analyst context for executives and security teams
Meteor matters because it is described by ATT&CK as a Windows wiper associated with destructive activity against government and transportation-related organizations. For leaders, the defensive value is not in memorizing the malware name, but in validating whether the organization can detect and recover from the behaviors ATT&CK links to it: scheduled execution, WMI and command-shell use, Group Policy modification, security-tool impairment, log clearing, recovery inhibition, account access removal, defacement, service stopping, and data destruction.
Executive priority
Treat this as a resilience and incident-readiness use case for destructive Windows intrusions. Priority questions are: can critical Windows and Active Directory environments withstand malicious GPO changes, service disruption, account lockout/removal, and recovery inhibition; are backups and recovery paths protected from administrative misuse; and can the SOC still see activity if endpoint tools or Windows logs are tampered with? This object supports tabletop, control validation, and audit evidence around destructive malware preparedness, especially where business continuity or cyber-physical operations depend on Windows systems.
Technical view
ATT&CK provides no official detection text for Meteor, so defenders should build coverage from the related techniques. Prioritize Windows telemetry for WMI execution, PowerShell, cmd.exe, scheduled task creation or modification, suspicious task/service naming, Group Policy changes in Active Directory/SYSVOL, Windows Event Log clearing, service stops, security-tool tampering, account access changes, recovery inhibition, file deletion, and destructive file activity. Because several related technique descriptions are broader than Windows, keep validation anchored to the supplied Meteor platform: Windows.
Likely telemetry
- Windows Security, System, Application, PowerShell, WMI-Activity, and Task Scheduler logs
- Endpoint process creation and command-line telemetry for powershell.exe, cmd.exe, schtasks.exe, WMI providers, service-control activity, and native API-backed execution indicators
- Active Directory and Group Policy change auditing, including GPO object changes and SYSVOL policy file modifications
- Service creation, service stop, and service configuration change events
- Endpoint security tool health, tamper, service status, and policy-change events
Detection direction
- Create behavior-focused detections mapped to the related ATT&CK techniques rather than relying on a Meteor-specific signature, since official detection guidance is not provided.
- Correlate execution paths: WMI, PowerShell, Windows command shell, scheduled tasks, and native API activity occurring near discovery, tool transfer, service stopping, or destructive file operations.
- Tune scheduled task and service masquerading analytics against known-good administrative naming patterns; false positives are likely from legitimate IT automation and software deployment tools.
- Alert on Group Policy changes that affect security posture, account access, service behavior, recovery settings, or endpoint tooling, especially when followed by broad endpoint changes.
- Monitor for log clearing and security-tool degradation as high-priority visibility-loss events, not merely cleanup activity.
Mitigation priorities
- Prioritize recoverability: maintain protected, tested backups and recovery mechanisms that cannot be altered through ordinary endpoint or domain-admin paths.
- Harden Active Directory and Group Policy administration with least privilege, change control, monitoring, and rapid rollback procedures.
- Restrict and monitor administrative execution channels such as WMI, PowerShell, Windows command shell, and scheduled task creation where business operations allow.
- Protect endpoint security tools and logging pipelines against tampering, and forward critical logs off-host quickly.
- Implement service and account change governance for critical systems, including alerting on unusual service stops and access-removal events.
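The Group Policy monitoring called for above, and the page's note that Meteor pushed a scheduled task to all machines through Group Policy, come together in an audit of Group Policy Preference scheduled-task definitions. The following is an added example, not code from this page or from any vendor: it parses a constructed `ScheduledTasks.xml` (the file shape approximates the GPP format stored under `SYSVOL\<domain>\Policies\<GUID>\Machine\Preferences\ScheduledTasks\`; exact element and attribute names are an assumption) and flags tasks whose action is a script, runs from a writable location, or runs as SYSTEM. The path and extension lists are this example's own thresholds.

```python
"""Audit GPP ScheduledTasks.xml for tasks that push script execution to domain hosts (added example)."""
from __future__ import annotations

import xml.etree.ElementTree as ET

# Constructed sample. The first task mimics a wiper launcher pushed from AD; the second is
# an ordinary inventory agent. Element names approximate the GPP schema (assumption).
SAMPLE_XML = r"""
<ScheduledTasks>
  <TaskV2 name="Power Efficiency Diagnostics" changed="2021-07-09 20:10:00">
    <Properties action="C" name="Power Efficiency Diagnostics" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Windows\Temp\msrun.bat</Command><Arguments></Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
  <TaskV2 name="Inventory" changed="2021-03-01 09:00:00">
    <Properties action="U" name="Inventory" runAs="NT AUTHORITY\System" logonType="S4U">
      <Task version="1.2">
        <Actions Context="Author">
          <Exec><Command>C:\Program Files\Inventory\agent.exe</Command><Arguments>/scan</Arguments></Exec>
        </Actions>
      </Task>
    </Properties>
  </TaskV2>
</ScheduledTasks>
"""

SCRIPT_EXTS = (".bat", ".cmd", ".ps1", ".vbs", ".js")          # example thresholds
RISKY_PREFIXES = ("c:\\windows\\temp\\", "c:\\users\\", "c:\\programdata\\", "\\\\")


def audit_gpp_scheduled_tasks(xml_text: str) -> list[dict]:
    """Return one finding per task definition whose action looks like pushed script execution."""
    root = ET.fromstring(xml_text.strip())
    findings = []
    for item in root.iter():
        # Top-level task items carry a Properties child; the nested <Task version=...> does not.
        if item.tag not in ("Task", "TaskV2", "ImmediateTask", "ImmediateTaskV2"):
            continue
        props = item.find("Properties")
        if props is None:
            continue
        name = props.get("name") or item.get("name") or "?"
        run_as = props.get("runAs", "")
        reasons = []
        for ex in props.iter("Exec"):
            cmd = (ex.findtext("Command") or "").strip()
            low = cmd.lower()
            if low.endswith(SCRIPT_EXTS):
                reasons.append(f"script action: {cmd}")
            if low.startswith(RISKY_PREFIXES):
                reasons.append(f"action in writable/unexpected path: {cmd}")
        if reasons and run_as.lower().endswith("system"):
            reasons.append(f"runs as {run_as}")
        if reasons:
            findings.append({"task": name, "gpo_action": props.get("action"),
                             "changed": item.get("changed"), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_gpp_scheduled_tasks(SAMPLE_XML):
        print(f["task"], f["gpo_action"], f["changed"], *f["reasons"], sep="\n  ")
```

Run it against every `ScheduledTasks.xml` under SYSVOL on a schedule and diff results against the previous run; a new `action="C"` (create) entry that points at a script is exactly the GPO change the detection bullets above say should be alerted on before it reaches every endpoint.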
Analyst notes and limits
The supplied ATT&CK object identifies Meteor as a Windows wiper and links it to multiple execution, discovery, defense-impairment, stealth, persistence/privilege-escalation, command-and-control, and impact techniques. The strongest defensive takeaway is to validate destructive-intrusion readiness across Windows endpoints and Active Directory, not to assume a single malware indicator will be available or durable.
MITRE provides no official detection section for this object, no aliases, and no object-level tactics. The description includes historical reporting and a likely relationship to Stardust and Comet, but this analysis does not infer current activity, attribution, or exposure. Some related technique descriptions list non-Windows platforms; because Meteor's supplied platform is Windows, local validation should focus on Windows unless an organization has separate evidence to expand scope.
Meteor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Meteor can use `wmic.exe` as part of its effort to delete shadow copies.[1] |
| Enterprise | T1489 | Service Stop | Meteor can disconnect all network adapters on a compromised host using `powershell -Command "Get-WmiObject -class Win32_NetworkAdapter \| ForEach { If ($_.NetEnabled) { $_.Disable() } }" > NUL`.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Meteor has the ability to download additional files for execution on the victim's machine.[1] |
| Enterprise | T1036.004 | Masquerade Task or Service | Meteor has been disguised as the Windows Power Efficiency Diagnostics report tool.[1] |
| Enterprise | T1070.001 | Clear Windows Event Logs | |
| Enterprise | T1562.001 | Disable or Modify Tools | Meteor can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list.[1] |
| Enterprise | T1106 | Native API | Meteor can use `WinAPI` to remove a victim machine from an Active Directory domain.[1] |
| Enterprise | T1491.001 | Internal Defacement | Meteor can change both the desktop wallpaper and the lock screen image to a custom image.[1] |
| Enterprise | T1053.005 | Scheduled Task | Meteor execution begins from a scheduled task named `Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll`, and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00.[1] |
| Enterprise | T1059.001 | PowerShell | Meteor can use PowerShell commands to disable the network adapters on a victim machine.[1] |
| Enterprise | T1531 | Account Access Removal | Meteor has the ability to change the password of local users on compromised hosts and can log off users.[1] |
| Enterprise | T1082 | System Information Discovery | Meteor has the ability to discover the hostname of a compromised host.[1] |
| Enterprise | T1564.003 | Hidden Window | Meteor can hide its console window upon execution to decrease its visibility to a victim.[1] |
| Enterprise | T1059.003 | Windows Command Shell | Meteor can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts.[1] |
| Enterprise | T1490 | Inhibit System Recovery | Meteor can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\Windows\system32\wbem\wmic.exe shadowcopy delete`.[1] |
| Enterprise | T1485 | Data Destruction | Meteor can overwrite a victim's files and directories with zero bytes in place of the real content before deleting them.[1] |
| Enterprise | T1518.001 | Security Software Discovery | Meteor has the ability to search for Kaspersky Antivirus on a victim's machine.[1] |
| Enterprise | T1070.004 | File Deletion | Meteor will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`.[1] |
| Enterprise | T1057 | Process Discovery | Meteor can check if a specific process is running, such as Kaspersky's `avp.exe`.[1] |
| Enterprise | T1484.001 | Group Policy Modification | Meteor can use Group Policy to push a scheduled task from AD to all network machines.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5f26a84253ee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Check Point Meteor Aug 2021: Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
[2] MITRE ATT&CK. Software object S0688, Meteor (mitre-attack S0688).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.