S1017: OutSteel
OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Saint Bear since at least March 2021.[1]
Analyst context for executives and security teams
OutSteel matters because ATT&CK describes it as a Windows AutoIT-based file uploader and document stealer. For leaders, the practical risk is not just malware execution: it is targeted document theft following phishing or user-driven execution, with automated collection and exfiltration behaviors that can affect sensitive files, legal/compliance evidence, and incident containment decisions.
Executive priority
Prioritize OutSteel as a validation case for phishing resilience, Windows endpoint visibility, document data-loss monitoring, and incident response readiness. ATT&CK links it to Saint Bear and to behaviors including spearphishing attachments/links, AutoIT execution, file and process discovery, automated collection, C2 over web protocols, and exfiltration. Executives should ask whether the organization can prove collection-to-exfiltration visibility, not only whether email security blocks an initial lure.
Technical view
For SOC and IR teams, treat this as a Windows-focused malware profile with relationship-driven behaviors across initial access, execution, discovery, collection, command-and-control, lateral transfer, stealth, and exfiltration. Validate visibility for AutoIT/AutoHotKey and Windows command shell execution, user opening malicious files or links, file and directory enumeration, process discovery, file staging or deletion, ingress/lateral file transfer, HTTP/S-like C2, and automated document collection/exfiltration. ATT&CK does not provide an official detection analytic for OutSteel, so coverage should be built from these related techniques and tested against local baselines.
Likely telemetry
- Email security and mail gateway logs for spearphishing attachments and links
- Endpoint process creation telemetry for cmd.exe and AutoIT/AutoHotKey-related execution
- File system telemetry for document enumeration, staging, copying, upload preparation, and deletion
- EDR alerts and host artifacts for unusual process discovery and file/directory discovery
- Network proxy, DNS, firewall, and web telemetry for outbound web-protocol communications
Detection direction
- Because no official ATT&CK detection text is supplied, validate detections at the technique level rather than relying on a named OutSteel signature.
- Correlate phishing delivery or user-click/open events with AutoIT/script execution, command shell activity, rapid file discovery, and outbound web traffic.
- Tune for document-focused enumeration and collection patterns while accounting for legitimate indexing, backup, eDiscovery, and administrative scripts as false-positive sources.
- Review whether encrypted web traffic, unmanaged endpoints, and limited endpoint command-line logging create blind spots for exfiltration over C2 or web protocols.
- Use the Saint Bear relationship as threat-intelligence context for prioritization, but do not treat it as attribution without incident-specific evidence.
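The correlation described in the detection direction above, as an added example that is not code from ATT&CK, Glexia or Unit 42: it ties a phishing delivery or user-open event to AutoIT execution, a command-shell extension scan, a burst of document enumeration and an outbound HTTP upload on the same host inside a short window, and treats indexing/backup/eDiscovery processes as false-positive sources. Event field names, host names, process names, thresholds and the sample telemetry are all constructed for the example.

```python
"""Technique-level correlation for an OutSteel-style document stealer.
Illustrative example; event shapes, hosts, thresholds and allowlists are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

DOC_EXT = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".zip", ".rar"}        # document types of interest (constructed)
SCRIPT_HOSTS = {"autoit3.exe", "autohotkey.exe"}                             # T1059.010 interpreters
ENUM_ALLOWLIST = {"searchindexer.exe", "backupagent.exe", "ediscovery.exe"}  # legitimate bulk readers (constructed)
# cmd.exe enumerating document extensions, e.g. "dir /s /b C:\Users\*.docx" (T1059.003 + T1083)
EXT_SCAN_RE = re.compile(r"\b(dir|forfiles|where)\b.*\*\.(doc|docx|xls|xlsx|pdf|zip|rar)", re.IGNORECASE)


def parse_ts(s):
    return datetime.fromisoformat(s)


def correlate(events, window=timedelta(minutes=15), enum_threshold=20):
    """Return one alert per (host, delivery event) whose window shows script or
    shell execution plus automated collection or exfiltration."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        triggers = [e for e in evs if e["source"] == "mail" and e["action"] in ("link_click", "attachment_open")]
        for trig in triggers:
            t0 = parse_ts(trig["ts"])
            span = [e for e in evs if t0 <= parse_ts(e["ts"]) <= t0 + window]
            techniques = {"T1204.001" if trig["action"] == "link_click" else "T1204.002"}
            enum_count = 0
            for e in span:
                if e["source"] == "process":
                    image = e["image"].lower()
                    if image in SCRIPT_HOSTS:
                        techniques.add("T1059.010")
                    if image == "cmd.exe" and EXT_SCAN_RE.search(e.get("cmdline", "")):
                        techniques.update({"T1059.003", "T1083"})
                elif e["source"] == "file":
                    if e["image"].lower() in ENUM_ALLOWLIST:
                        continue  # indexing/backup/eDiscovery noise, not counted
                    if any(e["path"].lower().endswith(x) for x in DOC_EXT):
                        enum_count += 1
                elif e["source"] == "network":
                    if e.get("proto") == "http" and e.get("direction") == "out" and e.get("bytes_out", 0) > 100_000:
                        techniques.update({"T1071.001", "T1041"})
            if enum_count >= enum_threshold:
                techniques.add("T1119")
            # Gate: delivery alone is not enough; require execution AND collection-or-exfiltration.
            if techniques & {"T1059.010", "T1059.003"} and techniques & {"T1119", "T1041"}:
                alerts.append({"host": host, "trigger_ts": trig["ts"],
                               "techniques": sorted(techniques), "doc_files_touched": enum_count})
    return alerts


def sample_events():
    """Constructed telemetry for two hosts; not real log data."""
    t = lambda s: "2022-03-01T09:" + s
    ev = [
        {"host": "WS-07", "ts": t("00:00"), "source": "mail", "action": "link_click"},
        {"host": "WS-07", "ts": t("00:20"), "source": "process", "image": "AutoIt3.exe",
         "cmdline": "AutoIt3.exe C:\\Users\\u\\AppData\\Local\\Temp\\x.au3"},
        {"host": "WS-07", "ts": t("00:40"), "source": "process", "image": "cmd.exe",
         "cmdline": "cmd.exe /c dir /s /b C:\\Users\\*.docx C:\\Users\\*.pdf C:\\Users\\*.zip"},
        {"host": "WS-07", "ts": t("03:00"), "source": "network", "proto": "http", "direction": "out", "bytes_out": 2_400_000},
        # WS-12: a user opened an attachment and an admin ran a dir scan, but the only bulk
        # document reads come from the search indexer and nothing left the host.
        {"host": "WS-12", "ts": t("05:00"), "source": "mail", "action": "attachment_open"},
        {"host": "WS-12", "ts": t("05:30"), "source": "process", "image": "cmd.exe",
         "cmdline": "cmd.exe /c dir /s /b \\\\fs01\\legal\\*.docx"},
    ]
    ev += [{"host": "WS-07", "ts": t("01:%02d" % i), "source": "file", "image": "AutoIt3.exe",
            "path": "C:\\Users\\u\\Documents\\f%d.docx" % i} for i in range(25)]
    ev += [{"host": "WS-12", "ts": t("06:%02d" % i), "source": "file", "image": "SearchIndexer.exe",
            "path": "C:\\Users\\v\\Documents\\g%d.pdf" % i} for i in range(40)]
    return ev


if __name__ == "__main__":
    for a in correlate(sample_events()):
        print(a)
```

The gating condition is the tunable part: requiring execution plus collection-or-exfiltration keeps a lone phishing click or a lone backup job from alerting, while the allowlist and `enum_threshold` are where local baselines for indexing and eDiscovery tooling belong.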
Mitigation priorities
- Strengthen email and web controls for malicious attachments and links, including user-reporting workflows and rapid takedown/blocking processes.
- Reduce script abuse exposure on Windows by controlling or monitoring AutoIT/AutoHotKey and command shell execution where business use is limited.
- Ensure EDR and logging capture process creation, command lines, file activity, and outbound network context needed to reconstruct collection and exfiltration.
- Apply least privilege and data access controls so a compromised user context has limited access to sensitive document stores.
- Validate DLP/egress monitoring for unusual document movement and outbound uploads over web protocols.
Analyst notes and limits
This take is based on the ATT&CK S1017 OutSteel software object, its official description, the Palo Alto Unit 42 external reference, and supplied ATT&CK relationships. The relationship set is especially important because the object itself has no tactic list and no official detection guidance.
ATT&CK identifies OutSteel as Windows malware, but several related techniques have broader platform lists because they are generic ATT&CK techniques; platform assumptions should therefore remain Windows-focused for this malware. Local telemetry, prevalence, specific indicators, and confirmed targeting must come from the organization's own evidence and current intelligence.
OutSteel
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell | OutSteel has used `cmd.exe` to scan a compromised host for specific file extensions.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | OutSteel can upload files from a compromised host over its C2 channel.[1] |
| Enterprise | T1566.002 | Spearphishing Link | OutSteel has been distributed through malicious links contained within spearphishing emails.[1] |
| Enterprise | T1204.001 | Malicious Link | OutSteel has relied on a user to click a malicious link within a spearphishing email.[1] |
| Enterprise | T1005 | Data from Local System | OutSteel can collect information from a compromised host.[1] |
| Enterprise | T1020 | Automated Exfiltration | OutSteel can automatically upload collected files to its C2 server.[1] |
| Enterprise | T1059.010 | AutoHotKey & AutoIT | OutSteel was developed using the AutoIT scripting language.[1] |
| Enterprise | T1083 | File and Directory Discovery | OutSteel can search for specific file extensions, including zipped files.[1] |
| Enterprise | T1119 | Automated Collection | OutSteel can automatically scan for and collect files with specific extensions.[1] |
| Enterprise | T1204.002 | Malicious File | OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | OutSteel has been distributed as a malicious attachment within a spearphishing email.[1] |
| Enterprise | T1070.004 | File Deletion | OutSteel can delete itself following the successful execution of a follow-on payload.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1071.001 | Web Protocols | OutSteel has used HTTP for C2 communications.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | OutSteel can download files from its C2 server.[1] |
| Enterprise | T1057 | Process Discovery | OutSteel can identify running processes on a compromised host.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | |
Groups, software, and campaigns
G1031: Saint Bear
Saint Bear is a Russian-nexus threat actor active since early 2021, primarily targeting entities in Ukraine and Georgia. The group is notable for using a specific remote access tool, Saint Bot, and the information stealer OutSteel in its campaigns. Saint Bear typically relies on phishing or web staging of malicious documents and related file types for initial access, spoofing government or related entities.[1][2] Saint Bear has previously been confused with Ember Bear operations, but analysis of behaviors, tools, and targeting indicates these are distinct clusters.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 07bdaa10c1bf… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Palo Alto Unit 42 OutSteel SaintBot February 2022. Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. Open source URL.
[2] mitre-attack S1017. Open source URL.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.