S1134: DEADWOOD
Analyst context for executives and security teams
DEADWOOD matters because it is identified by ATT&CK as Windows wiper malware associated with destructive outcomes, including data destruction, disk content wiping, disk structure wiping, and account access removal. For leaders, the practical issue is not only malware detection; it is whether the organization can preserve operations, restore systems, and make fast incident decisions when endpoints or boot structures may be intentionally damaged.
Executive priority
Treat this as an operational resilience and incident readiness concern. The supplied ATT&CK relationships point to impact behaviors that can interrupt system and network availability, so executives should ask whether critical Windows systems have recoverable backups, whether destructive activity would be noticed quickly, whether privileged service/account changes are tightly controlled, and whether IR teams have authority to isolate affected hosts before wiping spreads or recovery evidence is lost.
Technical view
MITRE provides no official detection text for DEADWOOD, so coverage should be validated through the related behaviors: Embedded Payloads, Encrypted/Encoded File, Masquerade Task or Service, System Time Discovery, Deobfuscate/Decode Files or Information, Data Destruction, Account Access Removal, Disk Content Wipe, Disk Structure Wipe, and Windows Service Execution. SOC and IR teams should confirm visibility into Windows process execution, service creation/control, suspicious service naming, decoding or unpacking activity, destructive file and disk writes, boot/partition structure modification attempts, and account deletion/lockout/permission changes.
Likely telemetry
- Windows endpoint process creation and command-line telemetry
- Windows service creation, modification, and execution events
- Task or service names, display names, descriptions, and parent-child process context
- File creation, overwrite, deletion, and high-volume modification activity
- Raw disk, boot record, partition table, or storage-device write indicators where available
Detection direction
- Do not rely on a DEADWOOD-specific signature alone; MITRE does not provide official detection guidance for this object.
- Prioritize behavior-based analytics around destructive file activity, disk structure/content modification, and account access removal.
- Tune Windows service execution detections for suspicious creation, renaming, masquerading, unusual parent processes, and execution from unexpected paths.
- Correlate obfuscation-related behaviors, such as embedded payloads and encrypted/encoded files, with subsequent decoding and execution activity.
- Account for false positives from legitimate administration, backup, deployment, disk management, and incident response tooling.
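As an added illustration of the behavior-based direction above (not code from the page, ATT&CK, or any vendor), the following sketch runs two analytics over constructed Windows telemetry: service installs whose binary sits outside trusted directories (the T1569.002 / T1036.004 angle) and processes that overwrite or delete many files in a short window (the T1485 / T1561.001 angle). Event fields, paths, thresholds, and the allowlist are assumptions chosen for the example.

```python
"""Behavior-based detection sketch over constructed Windows telemetry.
All events below are constructed for this example; they are not DEADWOOD samples."""
from collections import defaultdict

# Constructed sample events (hypothetical schema, not real EDR/Event Log output)
EVENTS = [
    {"ts": 100, "type": "service_install", "name": "WinUpdateSvc",
     "image": r"C:\Users\Public\upd.exe"},                       # user-writable path
    {"ts": 101, "type": "service_install", "name": "Spooler",
     "image": r"C:\Windows\System32\spoolsv.exe"},                # expected path
]
# One process overwriting 30 documents in 30 seconds (destructive burst)
EVENTS += [{"ts": 110 + i, "type": "file_write", "pid": 4242, "op": "overwrite",
            "path": rf"C:\Data\doc{i}.docx"} for i in range(30)]
# A backup agent touching a handful of files: stays below the threshold
EVENTS += [{"ts": 200 + i, "type": "file_write", "pid": 5000, "op": "overwrite",
            "path": rf"C:\Backup\set{i}.bak"} for i in range(5)]

# Assumed trusted locations for service binaries; tune per environment
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\program files\\",
                "c:\\program files (x86)\\")


def suspicious_service_installs(events):
    """Return names of newly installed services whose image path is outside
    the trusted directories. Benign-looking names are exactly why the check
    keys on the path rather than the name."""
    return [e["name"] for e in events
            if e["type"] == "service_install"
            and not e["image"].lower().startswith(TRUSTED_DIRS)]


def destructive_bursts(events, window=60, threshold=20):
    """Map pid -> peak count of overwrite/delete operations inside any
    `window`-second span, for pids reaching `threshold`. Sliding window
    over sorted timestamps; legitimate tooling should be allowlisted upstream."""
    per_pid = defaultdict(list)
    for e in events:
        if e["type"] == "file_write" and e["op"] in ("overwrite", "delete"):
            per_pid[e["pid"]].append(e["ts"])
    flagged = {}
    for pid, times in per_pid.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[pid] = best
    return flagged
```

Raising `threshold` or adding an allowlist of backup and deployment images is the usual way to handle the false-positive sources listed above.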
Mitigation priorities
- Maintain and regularly test recoverable backups for critical Windows systems, including scenarios where local disks or boot structures are damaged.
- Restrict administrative privileges that can create services, alter accounts, or write to sensitive disk areas.
- Harden monitoring and approval around Windows service creation and privileged account changes.
- Use application control or execution control where appropriate to reduce execution of untrusted binaries and disguised services.
- Prepare wiper-specific IR playbooks that emphasize rapid isolation, evidence preservation, recovery sequencing, and business continuity decisions.
Analyst notes and limits
ATT&CK describes DEADWOOD as C++ wiper malware using Boost libraries, first observed in an unattributed wiping event in Saudi Arabia in 2019, and later incorporated into Agrius operations. The relationship context supplied also states APT33 uses this object. These statements should be treated as ATT&CK context, not proof of current activity in any local environment.
The ATT&CK object has no official detection section and no malware-level tactic list. Local validation is required to determine whether telemetry, controls, backups, and response procedures actually cover the related techniques on Windows systems. This summary does not assert active exploitation or guaranteed detection coverage.
DEADWOOD
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | DEADWOOD deletes files after overwriting them with random data. (Citation: SentinelOne Agrius 2021) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | DEADWOOD contains an embedded, AES-encrypted payload labeled |
| Enterprise | T1485 | Data Destruction | DEADWOOD overwrites files on victim systems with random data to effectively destroy them. (Citation: SentinelOne Agrius 2021) |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | DEADWOOD will attempt to masquerade its service execution using benign-looking names such as |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | DEADWOOD contains an embedded, AES-encrypted resource named |
| Enterprise | T1569.002 | Service Execution Sub-technique | DEADWOOD can be executed as a service using various names, such as |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DEADWOOD XORs some strings within the binary using the value |
| Enterprise | T1124 | System Time Discovery | DEADWOOD will set a timestamp value to determine when wiping functionality starts. When the timestamp is met on the system, a trigger file is created on the operating system allowing for execution to proceed. If the timestamp is in the past, the wiper will execute immediately. (Citation: SentinelOne Agrius 2021) |
| Enterprise | T1531 | Account Access Removal | |
| Enterprise | T1561.002 | Disk Structure Wipe Sub-technique | |
Groups, software, and campaigns
G0064: APT33
G1030: Agrius
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 88d973d03d7d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelOne Agrius 2021: Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024.
- [2] mitre-attack S1134.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.