S1132: IPsec Helper
IPsec Helper is a post-exploitation remote access tool linked to Agrius operations. This malware shares significant programming and functional overlaps with Apostle ransomware, also linked to Agrius. IPsec Helper provides basic remote access tool functionality such as uploading files from victim systems, running commands, and deploying additional payloads.[1]
Analyst context for executives and security teams
IPsec Helper matters because it represents post-exploitation remote access on Windows: command execution, file upload from victim systems, and deployment of additional payloads. For leaders, the key issue is not the tool name alone but whether the organization can quickly prove what a compromised Windows host executed, what data was accessed or moved, and whether cleanup activity removed evidence before responders arrived.
Executive priority
Prioritize this as an incident-readiness and telemetry validation problem. The supplied ATT&CK relationships connect IPsec Helper to execution via PowerShell, Windows command shell, Visual Basic, and services; data collection and exfiltration over command-and-control; registry modification; file deletion; and lateral tool transfer. Executives should ask whether SOC and IR teams have sufficient Windows endpoint, command-line, registry, service, file, and network evidence to reconstruct activity and support containment, legal/audit reporting, and business continuity decisions.
Technical view
For SOC, detection engineering, and IR teams, validate coverage around Windows post-exploitation behavior rather than relying on a malware-specific signature. ATT&CK provides no official detection text for S1132, so detection should be built from the related behaviors: suspicious PowerShell/cmd/VB execution, service-based payload execution, registry changes, local data access, file deletion or persistence cleanup, lateral file transfer, and web-protocol command-and-control with possible exfiltration over the same channel. Because the malware is described as capable of running commands and deploying additional payloads, responders should correlate process trees, command lines, service creation or modification, file writes/deletes, registry modifications, and outbound web traffic from the same host and timeframe.
Likely telemetry
- Windows endpoint process creation and command-line logging
- PowerShell execution and script block/module logging where available
- Windows service creation, modification, and execution events
- Registry modification telemetry
- File creation, upload/staging, transfer, and deletion events
Detection direction
- Do not depend on the IPsec Helper name; validate behavior-based detections mapped to the supplied ATT&CK relationships.
- Correlate command interpreters, service execution, registry modification, and file deletion on the same Windows host to reduce false positives from legitimate administration.
- Tune PowerShell and cmd detections against known administrative baselines, but preserve visibility into unusual parent-child process chains and remote or service-driven execution.
- Review outbound web traffic from hosts showing execution or file-staging behavior, especially where data movement may occur over the same channel as command-and-control.
- Account for anti-analysis or time-based checks by ensuring sandbox results are not the only validation method.
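One way to implement the same-host correlation described in the technical view and detection direction above, as an added example (not from the page, MITRE, or any vendor tooling): it tags constructed, normalized endpoint events by behaviour class (interpreter use, service-driven execution, registry modification, file deletion, HTTP POST beaconing) and flags hosts where several classes occur within one window. Field names, hostnames, "helper.exe", the 30-minute window and the three-class threshold are assumptions to tune against local baselines.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Process names treated as command interpreters (PowerShell, cmd, VBScript hosts).
INTERPRETERS = {"powershell.exe", "cmd.exe", "cscript.exe", "wscript.exe"}

def classify(ev):
    """Map one normalized endpoint event to a behaviour class, or None if uninteresting."""
    kind, action = ev.get("type"), ev.get("action")
    if kind == "process" and ev.get("image", "").lower() in INTERPRETERS:
        return "interpreter"           # T1059.001 / .003 / .005
    if kind == "process" and ev.get("parent", "").lower() == "services.exe":
        return "service_exec"          # service-driven execution (T1569.002)
    if kind == "registry" and action in ("set", "delete"):
        return "registry_mod"          # T1112, or registry cleanup under T1070
    if kind == "file" and action == "delete":
        return "file_delete"           # T1070.004 / T1070.009
    if kind == "network" and ev.get("method") == "POST":
        return "web_c2"                # HTTP POST command-and-control (T1071.001)
    return None

def correlate(events, window=timedelta(minutes=30), min_classes=3):
    """Return {host: sorted classes} for hosts where at least min_classes distinct
    behaviour classes occur within `window` of each other (assumed thresholds)."""
    by_host = defaultdict(list)
    for ev in events:
        tag = classify(ev)
        if tag:
            by_host[ev["host"]].append((ev["ts"], tag))
    hits = {}
    for host, tagged in by_host.items():
        tagged.sort()                  # sliding window over time-ordered tags
        for i, (start, _) in enumerate(tagged):
            seen = {t for ts, t in tagged[i:] if ts - start <= window}
            if len(seen) >= min_classes:
                hits[host] = sorted(seen)
                break
    return hits

T0 = datetime(2024, 1, 1, 9, 0)
# Constructed sample telemetry; "ws01"/"ws02", "helper.exe" and 203.0.113.10 are placeholders.
SAMPLE_EVENTS = [
    {"host": "ws01", "ts": T0, "type": "process", "image": "helper.exe", "parent": "services.exe"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=2), "type": "process", "image": "powershell.exe", "parent": "helper.exe"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=5), "type": "registry", "action": "delete"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=6), "type": "file", "action": "delete", "path": "C:\\staging\\out.zip"},
    {"host": "ws01", "ts": T0 + timedelta(minutes=7), "type": "network", "method": "POST", "dst": "203.0.113.10"},
    # ws02: one admin PowerShell session plus a registry write, below the threshold.
    {"host": "ws02", "ts": T0, "type": "process", "image": "powershell.exe", "parent": "explorer.exe"},
    {"host": "ws02", "ts": T0 + timedelta(minutes=1), "type": "registry", "action": "set"},
]

def run_sample():
    """Correlate the constructed events; only ws01 should be flagged."""
    return correlate(SAMPLE_EVENTS)
```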
Mitigation priorities
- Ensure Windows endpoints have centralized logging for process, PowerShell, service, registry, file, and network-relevant activity before an incident occurs.
- Harden and monitor administrative execution paths such as PowerShell, cmd, Visual Basic usage, and Windows service control mechanisms according to organizational policy.
- Restrict unnecessary lateral file transfer paths and monitor internal file movement between systems.
- Apply least privilege to limit who can modify services, registry keys, and sensitive local data stores.
- Maintain incident response playbooks that preserve evidence before cleanup, especially when file deletion or persistence removal is suspected.
Analyst notes and limits
MITRE describes IPsec Helper as a Windows post-exploitation remote access tool linked to Agrius operations and functionally overlapping with Apostle ransomware. This take uses only the supplied ATT&CK description, external reference, and relationship context; it frames the object as a defensive validation priority rather than asserting current activity or exposure.
ATT&CK provides no official detection guidance for this object, and tactics are not specified on the malware object itself. The related techniques supply useful behavioral context, but local environment telemetry, asset criticality, administrative baselines, and incident evidence are required to determine actual risk and detection coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1070 | Indicator Removal | IPsec Helper can delete various registry keys related to its execution and use.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | IPsec Helper can download additional payloads from command and control nodes and execute them.[1] |
| Enterprise | T1057 | Process Discovery | IPsec Helper can identify the process it is currently running under and its number, and pass this back to a command and control node.[1] |
| Enterprise | T1070.009 | Clear Persistence Sub-technique | IPsec Helper can delete various service traces related to persistent execution when commanded.[1] |
| Enterprise | T1112 | Modify Registry | IPsec Helper can make arbitrary changes to registry keys based on provided input.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | IPsec Helper contains an embedded XML configuration file with an encrypted list of command and control servers. These are written to an external configuration file during execution.[1] |
| Enterprise | T1059.001 | PowerShell Sub-technique | IPsec Helper can run arbitrary PowerShell commands passed to it.[1] |
| Enterprise | T1059.005 | Visual Basic Sub-technique | IPsec Helper can run arbitrary Visual Basic scripts and commands passed to it.[1] |
| Enterprise | T1005 | Data from Local System | IPsec Helper can identify specific files and folders for follow-on exfiltration.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | IPsec Helper can run arbitrary commands passed to it through |
| Enterprise | T1497.003 | Time Based Checks Sub-technique | IPsec Helper will sleep for a random number of seconds, iterating 200 times over sleeps between one to three seconds, before continuing execution flow.[1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | IPsec Helper connects to command and control servers via HTTP POST requests based on parameters hard-coded into the malware.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | IPsec Helper exfiltrates specific files through its command and control framework.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | IPsec Helper is run as a Windows service in victim environments.[1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | IPsec Helper can delete itself when given the appropriate command.[1] |
Groups, software, and campaigns
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | dc8c5660ea2a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SentinelOne Agrius 2021. Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
[2] mitre-attack S1132.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.