
S1034: StrifeWater

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]

Domain: Enterprise | ID: S1034 | Type: Malware | Object version 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

StrifeWater matters because ATT&CK identifies it as a Windows remote-access tool used in the early stages of Moses Staff activity. For leaders, the practical issue is not the malware name alone, but whether the organization can quickly recognize a compromised Windows host that is performing discovery, collecting local data, maintaining execution through scheduled tasks, transferring tools, and sending data over command-and-control channels.

Executive priority

Prioritize StrifeWater as an incident-readiness and control-validation scenario for Windows environments. It connects directly to business concerns around unauthorized remote access, sensitive data exposure, persistence, and delayed containment. Executives should ask whether SOC and IR teams can prove they collect the endpoint, task scheduler, command shell, file activity, and network evidence needed to reconstruct this behavior and support audit or post-incident decisions.

Technical view

ATT&CK does not provide a dedicated detection section for StrifeWater, so defenders should validate coverage through the mapped behaviors: Windows command shell execution, scheduled task creation or modification, local user, system, time-zone and file discovery, screen capture, file deletion, ingress tool transfer, native API-driven execution, masquerading under a legitimate binary name, time-based sandbox evasion, XOR-encrypted C2, and exfiltration over the C2 channel. The software object is listed for Windows only, while several of the related techniques have broader ATT&CK platform coverage; scope validation should focus first on Windows telemetry for this object and then expand where local architecture requires it.

Likely telemetry

  • Endpoint process creation and command-line logging, especially cmd.exe and child process activity
  • Windows Scheduled Task creation, modification, and execution events
  • File system telemetry for discovery, staging, deletion, and suspicious placement or naming
  • User, host, system information, time, and directory enumeration evidence
  • Network connection metadata and proxy/firewall logs for outbound C2-like sessions

Detection direction

  • Build detections around behavior chains rather than the StrifeWater name alone: discovery followed by task scheduling, tool transfer, collection, and outbound communication is higher value than any single event.
  • Tune Windows scheduled task monitoring for unusual task names, paths, users, timing, and command interpreters, while accounting for legitimate administration and software management activity.
  • Correlate command shell execution with local system, user, file, directory, and time discovery to reduce false positives from normal IT operations.
  • Review blind spots around file deletion, masquerading through legitimate-looking names or locations, and encrypted C2 traffic where payload inspection is limited.
  • Use the Moses Staff relationship as threat-intelligence context, not as proof of attribution in a local incident without supporting evidence.

Mitigation priorities

  • Ensure endpoint logging and EDR coverage are enabled on Windows systems that matter most to business operations and sensitive data handling.
  • Restrict and monitor scheduled task creation and command shell use, especially for non-administrative users and unusual service contexts.
  • Harden egress controls and review outbound traffic visibility so C2 and exfiltration over existing channels can be investigated.
  • Apply least privilege and administrative control review to reduce the usefulness of remote-access tooling after initial compromise.
  • Prepare IR playbooks that preserve task scheduler, process, file, and network evidence before cleanup, because file deletion is part of the mapped behavior set.
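
As an added example (not part of the ATT&CK object or of the Glexia analysis), the following Python sketches the behavior-chain logic recommended above, run over constructed telemetry shaped loosely after Sysmon Event ID 1 process-creation and Security Event ID 4698 scheduled-task-creation records. The field names, the hostnames, the assumed install path of the legitimate Firefox Default Browser Agent, and the sample events are assumptions made for this example; only the scheduled task name and the `calc.exe` masquerade come from the ATT&CK procedure text. It alerts only when discovery is seen together with a persistence or masquerade signal on the same host, and it deliberately leaves a benign host (real Firefox task, admin running `systeminfo`) silent.

```python
import re
from collections import defaultdict

# Discovery commands typically issued through cmd.exe (user, host, OS,
# time zone, directory listing). Tune to local baselines.
DISCOVERY_RE = re.compile(
    r"\b(whoami|hostname|systeminfo|tzutil|ver|dir)\b", re.IGNORECASE)

# Assumed baseline for the legitimate Firefox agent binary; confirm against
# your own software inventory before relying on it.
FIREFOX_AGENT_RE = re.compile(
    r"^C:\\Program Files( \(x86\))?\\Mozilla Firefox\\default-browser-agent\.exe$",
    re.IGNORECASE)
FIREFOX_TASK_PREFIX = "\\mozilla\\firefox default browser agent"
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def is_suspicious_task(task_name: str, action: str) -> bool:
    """Task borrows the Firefox agent's name but runs something else
    (T1053.005 persistence combined with T1036.005 masquerading)."""
    return (task_name.lower().startswith(FIREFOX_TASK_PREFIX)
            and FIREFOX_AGENT_RE.match(action) is None)


def is_masqueraded_binary(image: str) -> bool:
    """calc.exe launched from outside the Windows system directories."""
    lowered = image.lower()
    return lowered.endswith("\\calc.exe") and not lowered.startswith(SYSTEM_DIRS)


def score_host(events):
    """Bucket one host's events into discovery / persistence / masquerade
    evidence. Returns a plain dict of lists."""
    findings = {"discovery": [], "persistence": [], "masquerade": []}
    for ev in events:
        if ev["type"] == "process":
            via_cmd = (ev["image"].lower().endswith("\\cmd.exe")
                       or ev["parent"].lower().endswith("\\cmd.exe"))
            if via_cmd and DISCOVERY_RE.search(ev["cmdline"]):
                findings["discovery"].append(ev["cmdline"])
            if is_masqueraded_binary(ev["image"]):
                findings["masquerade"].append(ev["image"])
        elif ev["type"] == "task_created":
            if is_suspicious_task(ev["task_name"], ev["action"]):
                findings["persistence"].append(ev["task_name"])
    return findings


def detect_chain(events):
    """Alert only on hosts that show discovery AND a persistence or
    masquerade signal: the chain is the detection, not any single event."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev)
    alerts = {}
    for host, evs in by_host.items():
        f = score_host(evs)
        if f["discovery"] and (f["persistence"] or f["masquerade"]):
            alerts[host] = f
    return alerts


# Constructed sample telemetry (not real logs). WS01 shows the chain;
# WS02 is a benign host with the real Firefox task and an admin running
# systeminfo, which must not alert.
SAMPLE_EVENTS = [
    {"type": "process", "host": "WS01", "image": r"C:\Users\alice\AppData\Local\Temp\calc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "calc.exe"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\calc.exe", "cmdline": "cmd.exe /c whoami"},
    {"type": "process", "host": "WS01", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Users\alice\AppData\Local\Temp\calc.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"type": "task_created", "host": "WS01",
     "task_name": r"\Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB",
     "action": r"C:\Users\alice\AppData\Local\Temp\calc.exe"},
    {"type": "task_created", "host": "WS02",
     "task_name": r"\Mozilla\Firefox Default Browser Agent 0123456789ABCDEF",
     "action": r"C:\Program Files\Mozilla Firefox\default-browser-agent.exe"},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c systeminfo"},
    {"type": "process", "host": "WS02", "image": r"C:\Windows\System32\calc.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "calc.exe"},
]

if __name__ == "__main__":
    for host, findings in detect_chain(SAMPLE_EVENTS).items():
        print(host, findings)
```

The point of the two-host sample is the false-positive side: a lone `systeminfo` from an administrator, or the genuine Firefox task, never fires on its own. In production the same structure would consume EDR or SIEM events rather than an inline list, and the discovery pattern and the expected Firefox path would come from the local baseline rather than constants.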

Analyst notes and limits

ATT&CK links StrifeWater to Moses Staff and maps it to techniques spanning execution, persistence, discovery, collection, command and control, exfiltration, and defense evasion/stealth. Because no official detection guidance is provided, the best defensive value comes from validating telemetry and detections for the related techniques in the organization’s Windows environment.

This take is based only on the supplied ATT&CK STIX fields, references, and relationships. It does not assert current activity, customer exposure, specific indicators, malware internals beyond the mapped behaviors, or guaranteed detection. Local baselines are required to distinguish malicious command shell, scheduled task, discovery, and network activity from legitimate administration.

Official MITRE ATT&CK definition

StrifeWater

StrifeWater is a remote-access tool that has been used by Moses Staff in the initial stages of their attacks since at least November 2021.[1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain / ID / Name / Relationship or procedure

Enterprise T1033 System Owner/User Discovery

StrifeWater can collect the user name from the victim's machine. [1]

Enterprise T1059.003 Windows Command Shell (sub-technique)

StrifeWater can execute shell commands using `cmd.exe`. [1]

Enterprise T1106 Native API

StrifeWater can use a variety of APIs for execution. [1]

Enterprise T1573.001 Symmetric Cryptography (sub-technique)

StrifeWater can encrypt C2 traffic using XOR with a hard-coded key. [1]

Enterprise T1053.005 Scheduled Task (sub-technique)

StrifeWater has created a scheduled task named `Mozilla\Firefox Default Browser Agent 409046Z0FF4A39CB` for persistence. [1]

Enterprise T1113 Screen Capture

StrifeWater has the ability to take screen captures. [1]

Enterprise T1036.005 Match Legitimate Resource Name or Location (sub-technique)

StrifeWater has been named `calc.exe` to appear as a legitimate calculator program. [1]

Enterprise T1497.003 Time Based Checks (sub-technique)

StrifeWater can modify its sleep time responses from the default of 20-22 seconds. [1]

Enterprise T1041 Exfiltration Over C2 Channel

StrifeWater can send data and files from a compromised host to its C2 server. [1]

Enterprise T1124 System Time Discovery

StrifeWater can collect the time zone from the victim's machine. [1]

Enterprise T1082 System Information Discovery

StrifeWater can collect the OS version, architecture, and machine name to create a unique token for the infected host. [1]

Enterprise T1083 File and Directory Discovery

StrifeWater can enumerate files on a compromised host. [1]

Enterprise T1005 Data from Local System

StrifeWater can collect data from a compromised host. [1]

Enterprise T1105 Ingress Tool Transfer

StrifeWater can download updates and auxiliary modules. [1]

Enterprise T1070.004 File Deletion (sub-technique)

StrifeWater can self-delete to cover its tracks. [1]
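
The T1573.001 row above is worth a worked illustration of why "XOR with a hard-coded key" is good news for a defender. The Python below is an added example, not StrifeWater's code: the key, the beacon layout, and the captured bytes are constructed for illustration, and the only thing taken from the ATT&CK text is the idea (T1082) that the implant sends a host token built from OS version, architecture and machine name, which is exactly what makes part of the plaintext predictable for an analyst who knows the infected host. It shows the two ways in: decrypt every capture with a key pulled from a sample, or recover the key from a known-plaintext prefix, including the failure case where the known prefix is shorter than the key.

```python
def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR. The same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decrypt_capture(captured: bytes, key: bytes) -> bytes:
    """What a defender does once the hard-coded key is pulled from a sample:
    every capture, past or future, decrypts with the same key."""
    return xor_bytes(captured, key)


def recover_key_from_known(captured: bytes, known_prefix: bytes, max_len: int = 32):
    """Recover a repeating key when the start of the plaintext is predictable.
    Tries each key length L; the candidate key is captured[:L] ^ known[:L] and
    is accepted only if it also explains the remaining known bytes. That
    verification needs the known prefix to be longer than the key, so L is
    capped at len(known_prefix) - 1; returns None when nothing fits."""
    longest = min(max_len, len(known_prefix) - 1)
    for length in range(1, longest + 1):
        key = bytes(captured[i] ^ known_prefix[i] for i in range(length))
        if all(captured[i] ^ key[i % length] == known_prefix[i]
               for i in range(length, len(known_prefix))):
            return key
    return None


# Constructed stand-in for an implant's hard-coded key (8 distinct bytes).
KEY = b"\x5a\x13\x8e\x42\xc7\x21\x99\x0d"

# Constructed beacon. The field layout is an assumption for this example;
# the host-token prefix is what an analyst who knows the victim (OS version,
# architecture, machine name) can predict without seeing the plaintext.
BEACON = b"TOKEN=Windows10|x64|WS01;CMD=dir C:\\Users\\alice\\Documents"
CAPTURED = xor_bytes(BEACON, KEY)

if __name__ == "__main__":
    recovered = recover_key_from_known(CAPTURED, BEACON[:25])
    print("recovered key:", recovered.hex() if recovered else None)
    print("decrypted:", decrypt_capture(CAPTURED, KEY))
```

The consistency check is what separates a real key from a coincidence: with only the six bytes `TOKEN=` known there is nothing left to verify against, so the function returns None rather than a plausible-looking wrong key. For network detection the same weakness cuts the other way: XOR with a fixed key preserves plaintext structure (repeated fields land on repeated key bytes), so if a key is known, a passive sensor can decrypt and inspect beacons that a TLS-style channel would hide.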

Associated objects

Groups, software, and campaigns

Group Enterprise

G1009: Moses Staff

Moses Staff is a suspected Iranian threat group that has primarily targeted Israeli companies since at least September 2021. Moses Staff openly stated their motivation in attacking Israeli companies is to cause damage by leaking stolen sensitive data and encrypting the victim's networks without a ransom demand.[1]

Security researchers assess Moses Staff is politically motivated, and has targeted government, finance, travel, energy, manufacturing, and utility companies outside of Israel as well, including those in Italy, India, Germany, Chile, Turkey, the UAE, and the US.[2]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.1
Raw hash: ed5fcd1333984e2b...

Imported snapshots across ATT&CK releases (1)
Release 19.1 | Object version 1.1 | Current bundle | Raw hash ed5fcd133398…

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Cybereason StrifeWater Feb 2022: Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022.
  2. [2] mitre-attack S1034: MITRE ATT&CK software entry S1034, StrifeWater.

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.