S1065: Woody RAT
Analyst context for executives and security teams
Woody RAT is a Windows remote access trojan documented by ATT&CK as used since at least August 2021 against Russian organizations. Its ATT&CK relationships matter because they describe a full post-compromise pattern: execution through user/client-side paths, host and account discovery, registry and software inspection, process injection/hollowing for stealth, local data collection, screen capture, tool transfer, web-based command-and-control, and exfiltration over that C2 channel. For leaders, this is less about one malware name and more about whether Windows endpoint, network, and response capabilities can see and contain a RAT that blends discovery, collection, and C2 behavior.
Executive priority
Treat this as a coverage-validation use case for Windows RAT defense. Priority questions: can the organization prove it collects the endpoint, PowerShell/cmd, process, registry, file, and web traffic evidence needed to investigate a remote access compromise; can incident responders quickly determine what data was accessed or exfiltrated; and are client application exposure, malicious-file handling, and egress controls managed as part of resilience and audit evidence? Because ATT&CK provides no detection text for Woody RAT, local telemetry and control validation are decisive.
Technical view
SOC and IR teams should validate coverage around the related ATT&CK behaviors rather than relying on a malware-specific signature. On Windows systems, look for suspicious PowerShell or Windows Command Shell execution, registry queries, user/account/software/network/process discovery, file and directory enumeration, screen capture activity, creation or transfer of tools/files, file deletion, encoded or decoded artifacts, process injection or process hollowing indicators, and outbound HTTP/S or similar web-protocol C2 followed by possible exfiltration over the same channel. Correlate these behaviors into sequences: initial execution via malicious file or client exploitation, discovery, stealth/process manipulation, collection, C2, and exfiltration.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- PowerShell execution and script block/module logging where available
- Windows registry access/query telemetry
- File creation, modification, deletion, and directory enumeration evidence
- Endpoint detection telemetry for process injection and process hollowing behaviors
Detection direction
- Build detections around behavior chains, not only the Woody RAT name: execution plus discovery plus C2/exfiltration is higher-confidence than any single administrative command.
- Tune for Windows command shell and PowerShell misuse, while accounting for legitimate administration and software management activity.
- Validate visibility into registry queries, account/user discovery, process discovery, software discovery, file/directory discovery, and network configuration or Internet connectivity checks.
- Prioritize alerting and hunt logic for process injection and process hollowing, since these behaviors can hide malicious execution under legitimate process names.
- Correlate outbound web-protocol traffic with unusual process lineage, newly created binaries, encoded/decoded artifacts, or post-execution discovery activity.
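A worked illustration of the behaviour-chain approach above, added here as example code that is not part of the ATT&CK object or the Malwarebytes report. It assumes endpoint and proxy telemetry already normalised into (host, time, kind, details) tuples; the hostnames, destination addresses and event values are constructed samples, and the stage names, AV key list and thresholds are the example's own assumptions.

```python
from collections import defaultdict
from statistics import pstdev

# Constructed sample telemetry (not real logs): (host, time_s, kind, details)
EVENTS = [
    ("ws01", 100, "process", {"image": "cmd.exe", "parent": "winword.exe"}),
    ("ws01", 105, "process", {"image": "powershell.exe", "parent": "cmd.exe"}),
    ("ws01", 110, "registry", {"key": r"HKLM\SOFTWARE\KasperskyLab"}),
    ("ws01", 112, "process_access", {"target": "notepad.exe", "access": "write"}),
    ("ws01", 120, "http", {"method": "GET", "dest": "198.51.100.7"}),
    ("ws01", 180, "http", {"method": "GET", "dest": "198.51.100.7"}),
    ("ws01", 240, "http", {"method": "GET", "dest": "198.51.100.7"}),
    # admin host: PowerShell use and one web request should stay low confidence
    ("ws02", 100, "process", {"image": "powershell.exe", "parent": "explorer.exe"}),
    ("ws02", 400, "http", {"method": "GET", "dest": "203.0.113.9"}),
]
OFFICE = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}
AV_KEYS = ("kaspersky", "avast", "eset", "sophos", "avg", "drweb")  # assumed substrings

def beaconing(times, min_count=3, max_jitter=5.0):
    """True when >= min_count requests to one destination are near-periodic."""
    if len(times) < min_count:
        return False
    gaps = [b - a for a, b in zip(times, times[1:])]
    return pstdev(gaps) <= max_jitter

def score_host(events):
    """Map one host's events onto the behaviour chain and grade confidence."""
    stages, http = set(), defaultdict(list)
    for _, ts, kind, d in sorted(events, key=lambda e: e[1]):
        if kind == "process" and d["image"] in SHELLS and d["parent"] in OFFICE:
            stages.add("execution")      # T1204.002 leading to T1059.001/.003
        elif kind == "registry" and any(k in d["key"].lower() for k in AV_KEYS):
            stages.add("discovery")      # T1012 / T1518.001 AV key lookups
        elif kind == "process_access" and d["target"] == "notepad.exe" and d["access"] == "write":
            stages.add("injection")      # write into notepad.exe: T1055 / T1055.012
        elif kind == "http" and d["method"] == "GET":
            http[d["dest"]].append(ts)
    if any(beaconing(t) for t in http.values()):
        stages.add("c2")                 # periodic GET "ping": T1071.001 / T1016.001
    confidence = {4: "high", 3: "high", 2: "medium"}.get(len(stages), "low")
    return stages, confidence

def score_all(events=EVENTS):
    """Group events by host and score each host independently."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e[0]].append(e)
    return {h: score_host(ev) for h, ev in by_host.items()}
```

The single shell launch on `ws02` stays at low confidence, which is the point of grading chains rather than individual commands.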
Mitigation priorities
- Harden Windows execution paths first: reduce exposure to malicious files, keep client applications patched, and control script interpreter use where operationally feasible.
- Improve endpoint prevention and visibility for process injection, process hollowing, suspicious child processes, registry access, and tool transfer.
- Apply least privilege and access control so account discovery and local data collection yield less operationally sensitive information.
- Strengthen egress governance for web-protocol traffic with proxy logging, DNS visibility, and review of unusual outbound destinations or processes.
- Prepare IR playbooks for RAT intrusions that include host isolation, memory/filesystem triage, account review, data-access scoping, and C2/exfiltration assessment.
Analyst notes and limits
The supplied ATT&CK object is a malware entry for Woody RAT, external ID S1065, platform Windows, with Malwarebytes as the cited external reporting source. ATT&CK does not specify tactics directly on the malware object, but the relationship context maps it to execution, discovery, collection, stealth, privilege-escalation, command-and-control, and exfiltration techniques. No attribution should be inferred from the supplied fields.
Official detection guidance is not provided. The object states historical use against Russian organizations, but the supplied data does not support claims about current activity, affected customers, specific indicators, infrastructure, vulnerabilities, or guaranteed detection coverage. Local environment telemetry, baselines, and incident evidence are required to determine exposure and coverage.
Woody RAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1083 | File and Directory Discovery | Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Woody RAT can retrieve a list of user accounts and usernames from an infected machine. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Woody RAT can execute commands using `cmd.exe`. [1] |
| Enterprise | T1055.012 | Process Hollowing Sub-technique | Woody RAT can create a suspended notepad process and write shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`. [1] |
| Enterprise | T1082 | System Information Discovery | Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, and environment variables. [1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | Woody RAT can execute PowerShell commands and scripts with the use of a .NET DLL, `WoodyPowerSession`. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Woody RAT can exfiltrate files from an infected machine to its C2 server. [1] |
| Enterprise | T1057 | Process Discovery | Woody RAT can call `NtQuerySystemProcessInformation` with `SystemProcessInformation` to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | Woody RAT has used Base64-encoded strings and scripts. [1] |
| Enterprise | T1680 | Local Storage Discovery | Woody RAT can retrieve information about storage drives from an infected machine. [1] |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Woody RAT can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs. [1] |
| Enterprise | T1087 | Account Discovery | Woody RAT can identify administrator accounts on an infected machine. [1] |
| Enterprise | T1005 | Data from Local System | Woody RAT can collect information from a compromised host. [1] |
| Enterprise | T1113 | Screen Capture | Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Woody RAT can deobfuscate Base64-encoded strings and scripts. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | Woody RAT can download files from its C2 server, including the .NET DLLs `WoodySharpExecutor` and `WoodyPowerSession`. [1] |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Woody RAT can use RSA-4096 to encrypt data sent to its C2 server. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`. [1] |
| Enterprise | T1055 | Process Injection | Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then creating a remote thread. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Woody RAT can communicate with its C2 server using HTTP requests. [1] |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Woody RAT has been delivered via malicious Word documents and archive files. [1] |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | Woody RAT can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity checks. [1] |
| Enterprise | T1204.002 | Malicious File Sub-technique | Woody RAT has relied on users opening a malicious email attachment for execution. [1] |
| Enterprise | T1106 | Native API | Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread`, for process injection. [1] |
| Enterprise | T1685 | Disable or Modify Tools | Woody RAT has suppressed all error reporting by calling `SetErrorMode` with 0x8007 as a parameter. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Woody RAT can retrieve network interface and proxy information. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery. [1] |
| Enterprise | T1012 | Query Registry | Woody RAT can search registry keys to identify antivirus programs on a compromised host. [1] |
| Enterprise | T1518 | Software Discovery | Woody RAT can collect .NET, PowerShell, and Python information from an infected host. [1] |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Woody RAT can use AES-CBC to encrypt data sent to its C2 server. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 52e93b2e54c7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] MalwareBytes WoodyRAT Aug 2022: MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
- [2] mitre-attack S1065
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.