S1015: Milan
Analyst context for executives and security teams
Milan is a Windows backdoor implant associated in ATT&CK with HEXANE and based on DanBot. Its value for decision-making goes beyond the malware name: the mapped behaviors describe a post-compromise tool that can discover host, user, account, registry, and network details; execute through the Windows shell, Native API, COM, and scheduled tasks; communicate over web and DNS-based channels; transfer tools; stage local data; and remove files. For leaders, this makes Milan relevant to resilience questions around Windows endpoint visibility, command-and-control monitoring, and whether incident responders can reconstruct activity when the implant attempts to blend in or clean up artifacts.
Executive priority
Prioritize Milan as a validation case for Windows endpoint and network detection readiness, especially for organizations where espionage-oriented access to local data, account context, and network configuration would affect business continuity, regulated evidence, or sensitive operations. The associated HEXANE context includes targeting of oil and gas, telecommunications, aviation, and internet service provider organizations in the Middle East and Africa, so sector and regional relevance should influence threat-informed testing and tabletop scenarios. Because ATT&CK provides no official detection text for this object, executives should ask whether coverage is proven through telemetry and detection engineering, not assumed from malware naming alone.
Technical view
SOC and IR teams should validate coverage across the mapped ATT&CK behaviors for a Windows backdoor: registry queries, system/user/account/network discovery, command shell execution, scheduled task creation or modification, COM and Native API execution patterns, masquerading including double file extensions, encrypted or encoded files, file deletion, local data staging, ingress tool transfer, and C2 over web protocols, DNS, DGA-like domain activity, or protocol tunneling. Detection should be behavior-led rather than signature-led because the official object description identifies Milan as a Visual C++ and .NET backdoor implant but provides no detection guidance. Relationship context to HEXANE can support threat-informed prioritization, but local evidence is required before asserting any intrusion or exposure.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and administrative utilities used for discovery or task creation
- Windows Registry access/query events where available
- Scheduled Task creation, modification, and execution logs
- File creation, rename, extension, deletion, and staging-directory activity on endpoints
- EDR telemetry for .NET, Visual C++ binaries, COM interaction, and Native API-heavy execution patterns
Detection direction
- Build detections around behavior chains: discovery followed by scheduled task persistence or command execution, then outbound DNS/web traffic or local data staging.
- Tune for Windows-specific masquerading indicators such as double file extensions, suspicious executable names or locations, and encoded/encrypted file artifacts, while accounting for legitimate software installers and administrative scripts.
- Correlate DNS and web telemetry with endpoint process lineage; DNS or HTTP/S alone may be too common to identify malicious activity reliably.
- Review scheduled task detections for both command-line schtasks usage and non-command-line creation paths, because the mapped techniques include Scheduled Task, COM, Native API, and Windows Command Shell.
- Use relationship-driven context cautiously: Milan is associated with HEXANE in ATT&CK, but detections should not rely solely on group labels, static indicators, or malware family names.
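The behavior-chain idea above, carried through as an added example (not code from the page, MITRE or Glexia): a small correlator that groups constructed Windows telemetry by host and acting process, maps each event to a stage using the command lines and artifacts listed in the techniques table (`ipconfig /all`, `dir c:\users\ /s`, the `a9850d2f` staging prefix, the `ping ... & rmdir /s /q` deletion pattern, the `.exe.config` double extension), and alerts only when one process lineage moves from discovery into persistence or staging and then to outbound DNS/HTTP within a time window. The event schema (`ts`, `host`, `type`, `actor`, `cmdline`, `path`, `query`), the browser allow-list and every event value are assumptions constructed for the example.

```python
"""Behavior-chain detector for Milan-style activity over constructed Windows telemetry.

Added example, not from the page, MITRE or Glexia. The field names below are an
assumed EDR-style schema, not a real product's. Every event is constructed sample data.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns taken from the command lines and artifacts mapped on this page.
DISCOVERY_RE = re.compile(r"ipconfig\s+/all|dir\s+c:\\users\\?\s+/s", re.IGNORECASE)   # T1016, T1087.001
CLEANUP_RE = re.compile(r"ping\s+\S+\s+-n\s+1\b.*&\s*rmdir\s+/s\s+/q", re.IGNORECASE)  # T1070.004
STAGING_PREFIX = "a9850d2f"                                                          # T1074.001, T1105
DOUBLE_EXT_RE = re.compile(r"\.exe\.[a-z0-9]{1,6}$", re.IGNORECASE)                  # T1036.007
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}  # assumed allow-list for outbound DNS/HTTP


def stage_of(ev):
    """Map one event to a behavior stage, or None if it is not chain-relevant."""
    t, actor = ev["type"], ev["actor"].lower()
    if t == "process":
        if DISCOVERY_RE.search(ev.get("cmdline", "")):
            return "discovery"
        if CLEANUP_RE.search(ev.get("cmdline", "")):
            return "cleanup"
    elif t == "registry_query":
        # T1012: MachineGuid read under HKLM\SOFTWARE\Microsoft\Cryptography
        if ev.get("key", "").lower().endswith("\\cryptography") and ev.get("value", "").lower() == "machineguid":
            return "discovery"
    elif t == "task_created":
        return "persistence"
    elif t == "file_create":
        if any(part.startswith(STAGING_PREFIX) for part in ev.get("path", "").lower().split("\\")):
            return "staging"
    elif t in ("dns", "http") and actor.rsplit("\\", 1)[-1] not in BROWSERS:
        return "c2"
    return None


def detect_chains(events, window=timedelta(minutes=30)):
    """Return one alert per (host, actor) lineage whose events move from discovery
    into persistence or staging and then outbound DNS/HTTP within `window`.
    A lone discovery command or a lone scheduled task never alerts on its own."""
    lineages = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev)
        if stage:
            lineages[(ev["host"], ev["actor"].lower())].append((datetime.fromisoformat(ev["ts"]), stage))
    alerts = []
    for (host, actor), hits in lineages.items():
        start = hits[0][0]
        stages = sorted({s for ts, s in hits if ts - start <= window})
        if "discovery" in stages and "c2" in stages and ({"persistence", "staging"} & set(stages)):
            alerts.append({"host": host, "actor": actor, "stages": stages,
                           "masquerade": bool(DOUBLE_EXT_RE.search(actor))})
    return alerts


# Constructed sample telemetry. `actor` is the parent image for process events and
# the acting process for task, file and DNS events.
SUSPECT = "C:\\Users\\alice\\AppData\\Local\\Temp\\companycatalog.exe.config"
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "type": "process", "actor": SUSPECT,
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c cmd /c ipconfig /all 2>&1"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "type": "process", "actor": SUSPECT,
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c cmd /c dir c:\\users\\ /s 2>&1"},
    {"ts": "2024-01-10T09:01:00", "host": "WS01", "type": "task_created", "actor": SUSPECT, "task": "\\Updater"},
    {"ts": "2024-01-10T09:02:00", "host": "WS01", "type": "file_create", "actor": SUSPECT,
     "path": "C:\\Users\\alice\\AppData\\Local\\a9850d2f7b1\\sysinfo.dat"},
    {"ts": "2024-01-10T09:03:00", "host": "WS01", "type": "dns", "actor": SUSPECT,
     "query": "k3j9x.c2-placeholder.invalid"},
    {"ts": "2024-01-10T09:10:00", "host": "WS01", "type": "process", "actor": SUSPECT,
     "cmdline": "C:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q "
                "C:\\Users\\alice\\AppData\\Local\\a9850d2f7b1"},
    # Benign contrast: an admin runs ipconfig from a console and a service creates a
    # task, but no single lineage chains discovery, persistence and outbound traffic.
    {"ts": "2024-01-10T09:00:30", "host": "WS02", "type": "process", "actor": "C:\\Windows\\explorer.exe",
     "cmdline": "ipconfig /all"},
    {"ts": "2024-01-10T09:05:00", "host": "WS02", "type": "task_created",
     "actor": "C:\\Windows\\System32\\svchost.exe", "task": "\\Microsoft\\Windows\\SampleMaintenance"},
    {"ts": "2024-01-10T09:06:00", "host": "WS02", "type": "dns",
     "actor": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "query": "www.example.com"},
]

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS):
        print(alert)
```

Two caveats a practitioner should carry into a real deployment: `.exe.config` is also the normal name of a legitimate .NET configuration file, so the `masquerade` flag is only meaningful when the file is the acting process (as here) or when a file event confirms an executable header behind the name; and the `a9850d2f` prefix is a reported artifact that an operator can change, so treat it as an enrichment signal, not the trigger. The alert condition itself keys on the chain and the shared process lineage, which is the part that survives renamed binaries and changed folder names.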
Mitigation priorities
- Start with telemetry assurance: confirm Windows endpoint, scheduled task, file, registry, process, DNS, proxy, and network flow logging are collected and retained long enough for incident response.
- Harden and monitor common execution and persistence surfaces, including command shell use, scheduled tasks, COM-related execution paths, and suspicious native API-driven behavior where controls support it.
- Apply least privilege and administrative access control so discovery and persistence attempts have less operational reach.
- Restrict and monitor outbound network paths, especially unusual DNS behavior, rare web destinations, and protocol tunneling indicators, without assuming all HTTP/S or DNS traffic is benign.
- Strengthen file handling controls and user-facing extension visibility to reduce masquerading risk from double extensions and misleading filenames.
Analyst notes and limits
This take is based on the ATT&CK S1015 Milan malware object, its official description, external references, and the supplied relationships. The strongest defensive value comes from the relationship-mapped behaviors rather than from object-level detection text, which is not provided. Milan is explicitly listed for Windows, so validation should begin with Windows endpoint and network visibility even though some related ATT&CK techniques are multi-platform.
ATT&CK does not provide official detection guidance, aliases, tactics, or labels for this malware object in the supplied fields. The external references are listed but their detailed contents were not provided as fields for expansion. This summary does not assert current activity, customer exposure, or detection coverage; organizations must validate relevance using their own sector, geography, asset inventory, telemetry, and incident evidence.
Milan
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Milan can establish persistence on a targeted host with scheduled tasks. [1][3] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Milan has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`. [1] |
| Enterprise | T1071.004 | Application Layer Protocol: DNS | Milan has the ability to use DNS for C2 communications. [1][2][3] |
| Enterprise | T1082 | System Information Discovery | Milan can enumerate the targeted machine's name and GUID. [1][3] |
| Enterprise | T1016 | System Network Configuration Discovery | Milan can run `C:\Windows\system32\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Milan can identify users registered to a targeted machine. [1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Milan can encode files containing information about the targeted system. [1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Milan has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`. [1] |
| Enterprise | T1559.001 | Inter-Process Communication: Component Object Model | Milan can use a COM component to generate scheduled tasks. [1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Milan can use HTTPS for communication with C2. [1][2][3] |
| Enterprise | T1012 | Query Registry | Milan can query the `MachineGuid` value under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography` to retrieve the machine GUID. [3] |
| Enterprise | T1036 | Masquerading | Milan has used an executable named `companycatalogue` to appear benign. [1] |
| Enterprise | T1572 | Protocol Tunneling | Milan can use a custom protocol tunneled through DNS or HTTP. [2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Milan can use `cmd.exe` for discovery actions on a targeted system. [1] |
| Enterprise | T1106 | Native API | Milan can use the API `DnsQuery_A` for DNS resolution. [2] |
| Enterprise | T1005 | Data from Local System | Milan can upload files from a compromised host. [1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Milan has run `C:\Windows\system32\cmd.exe /c cmd /c dir c:\users\ /s 2>&1` to discover local accounts. [1] |
| Enterprise | T1568.002 | Dynamic Resolution: Domain Generation Algorithms | Milan can use hardcoded domains as an input for domain generation algorithms. [3] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Milan can delete files via `C:\Windows\system32\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`. [1] |
| Enterprise | T1036.007 | Masquerading: Double File Extension | Milan has used an executable named `companycatalog.exe.config` to appear benign. [1] |
Groups, software, and campaigns
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 05e591065b67… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ClearSky Siamesekitten August 2021: ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
[2] Kaspersky Lyceum October 2021: Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
[3] Accenture Lyceum Targets November 2021: Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022.
[4] James (Citation: Accenture Lyceum Targets November 2021)
[5] mitre-attack S1015
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.