
S1170: ODAgent

ODAgent is a C#/.NET downloader that has been used by OilRig since at least 2022 including against target organizations in Israel to download and execute payloads and to exfiltrate staged files.[1]

Enterprise | S1170 | Malware | Object v1.0 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

ODAgent is a Windows C#/.NET downloader that ATT&CK associates with OilRig activity since at least 2022. Its practical significance is that it is not just a file downloader: the related ATT&CK behaviors describe a chain that downloads and executes payloads, communicates through legitimate web/cloud services, discovers and stages files, deletes traces, and exfiltrates data. For leaders, this makes ODAgent relevant to endpoint visibility, cloud-service governance, and incident response readiness for data theft scenarios.

Executive priority

Prioritize ODAgent as a validation case for whether the organization can see and control suspicious Windows downloader behavior that blends with normal web and cloud traffic. Security leaders should ask whether SOC and IR teams can correlate endpoint execution, downloaded payloads, staged-file activity, outbound web-service communication, and cloud-storage exfiltration evidence quickly enough to support containment and audit reporting. The OilRig relationship increases threat-intelligence relevance for sectors and regions matching local risk models, but local exposure should be determined from environment-specific intelligence and telemetry.

Technical view

For Windows environments, validate coverage around C#/.NET process execution, command-shell invocation, ingress tool transfer, file and directory discovery, file deletion, deobfuscation/decoding activity, native API-driven execution behaviors, bidirectional communication through legitimate external web services, and exfiltration over C2 or to cloud storage. Because ATT&CK provides no official detection text for ODAgent, detection engineering should be relationship-driven: combine host process/file telemetry with network, proxy, DNS, and cloud-service access logs rather than relying on a single malware signature.

Likely telemetry

  • Windows endpoint process creation and parent/child process relationships, especially .NET applications and cmd.exe activity
  • File creation, staging, modification, deletion, and downloaded payload artifacts on Windows hosts
  • Endpoint detection telemetry for command execution, native API-related behavior, and decoding/deobfuscation activity
  • Network, proxy, firewall, and DNS records for outbound communication to external web or cloud services
  • Cloud access or CASB-style logs for sanctioned and unsanctioned cloud storage usage where available

Detection direction

  • Correlate Windows downloader execution with subsequent command shell use, payload transfer, file discovery, file deletion, and outbound web/cloud communication.
  • Tune for legitimate web-service and cloud-storage abuse: the relationship to bidirectional web-service communication and cloud-storage exfiltration means domain reputation alone may be insufficient.
  • Review false positives from normal .NET business applications, administrator command-shell activity, software updaters, and approved cloud-sync tools.
  • Validate that SOC playbooks connect endpoint events with proxy/DNS/cloud logs; isolated endpoint alerts may miss the exfiltration or C2 context.
  • Use the OilRig relationship as threat-intelligence context, not as proof of attribution in an incident without corroborating evidence.
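As an added example (not part of the ATT&CK object or of Glexia's page), the correlation that the first bullet describes, run over constructed endpoint and proxy records: a process is flagged only when several chain stages (cloud API contact, staged file write, cmd.exe child, file deletion) fall within one time window. The cloud API host name, the event field names and the ten-minute window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watchlist of cloud API endpoints matching the page's OneDrive / Microsoft Graph relationships.
CLOUD_API_HOSTS = {"graph.microsoft.com"}
WINDOW = timedelta(minutes=10)

# Constructed sample telemetry (no real indicators): ws01 shows the full chain,
# ws02 is a sync client whose cmd.exe child falls far outside the window.
EVENTS = [
    {"ts": "2024-03-01T09:00:05", "host": "ws01", "kind": "net", "proc": "svc.exe", "dest": "graph.microsoft.com"},
    {"ts": "2024-03-01T09:00:09", "host": "ws01", "kind": "file_write", "proc": "svc.exe", "path": "C:\\Temp\\p.dat"},
    {"ts": "2024-03-01T09:00:12", "host": "ws01", "kind": "process", "proc": "cmd.exe", "parent": "svc.exe"},
    {"ts": "2024-03-01T09:00:40", "host": "ws01", "kind": "file_delete", "proc": "svc.exe", "path": "C:\\Temp\\p.dat"},
    {"ts": "2024-03-01T09:30:00", "host": "ws02", "kind": "net", "proc": "OneDrive.exe", "dest": "graph.microsoft.com"},
    {"ts": "2024-03-01T11:00:00", "host": "ws02", "kind": "process", "proc": "cmd.exe", "parent": "OneDrive.exe"},
]

def stage_of(event):
    """Map one telemetry record to a chain stage, or None if it is not part of the pattern."""
    kind = event["kind"]
    if kind == "net":
        return "cloud_api" if event["dest"] in CLOUD_API_HOSTS else None
    if kind == "process":
        return "cmd_shell" if event["proc"].lower() == "cmd.exe" else None
    return {"file_write": "file_staging", "file_delete": "file_deletion"}.get(kind)

def owner_of(event):
    """Attribute a process-creation record to the parent so every stage keys on the spawning process."""
    return event["parent"] if event["kind"] == "process" else event["proc"]

def correlate(events, window=WINDOW, required=3):
    """Return (host, process) pairs showing at least `required` distinct stages,
    each within `window` of that process's cloud-API contact."""
    by_proc = defaultdict(list)
    for e in events:
        by_proc[(e["host"], owner_of(e))].append(e)
    hits = []
    for (host, proc), evs in by_proc.items():
        anchors = [datetime.fromisoformat(e["ts"]) for e in evs if stage_of(e) == "cloud_api"]
        if not anchors:
            continue  # no cloud-service contact: not this pattern, whatever else happened
        stages = {stage_of(e) for e in evs if stage_of(e)
                  and any(abs(datetime.fromisoformat(e["ts"]) - a) <= window for a in anchors)}
        if len(stages) >= required:
            hits.append({"host": host, "process": proc, "stages": sorted(stages)})
    return hits
```

Raising `required` or narrowing `window` is the tuning lever the second and third bullets call for when sync clients and updaters produce partial matches.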

Mitigation priorities

  • Establish baseline and monitoring for approved cloud services, and restrict or review unsanctioned cloud storage where business-appropriate.
  • Strengthen endpoint logging and retention for Windows process, file, and network activity so IR can reconstruct downloader and staging behavior.
  • Apply application control, least privilege, and administrative command-shell governance where feasible to reduce unauthorized execution paths.
  • Harden egress monitoring and alerting for unusual external web-service communication and data transfer patterns.
  • Maintain incident response procedures for rapid host isolation, evidence preservation, payload collection, and cloud-access review when downloader behavior is suspected.

Analyst notes and limits

This take is based on the ATT&CK S1170 object, its ESET external reference, and listed relationships to OilRig and techniques including command shell execution, ingress tool transfer, file discovery, file deletion, deobfuscation, web-service C2, and exfiltration to C2 or cloud storage. The main defensive value is using ODAgent as a test case for cross-domain visibility across Windows endpoints, network egress, and cloud-service usage.

ATT&CK does not provide official detection guidance, aliases, labels, or explicit tactics on the ODAgent object. The supplied data supports Windows as the platform and OilRig as a related user, but it does not establish current activity, customer exposure, complete indicators, or guaranteed detection logic. Local telemetry, business cloud usage, and threat-intelligence context are required for prioritization.


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1567.002 | Exfiltration to Cloud Storage (sub-technique) | ODAgent can use an attacker-controlled OneDrive account for exfiltration. [1]
Enterprise | T1102.002 | Bidirectional Communication (sub-technique) | ODAgent can use the Microsoft Graph API to access an attacker-controlled OneDrive account and retrieve payloads and backdoor commands. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | ODAgent can execute a specified command line passed via API. [1]
Enterprise | T1105 | Ingress Tool Transfer | ODAgent has the ability to download and execute files on compromised systems. [1]
Enterprise | T1106 | Native API | ODAgent can pass commands using native APIs. [1]
Enterprise | T1083 | File and Directory Discovery | ODAgent can identify the current working directory. [1]
Enterprise | T1041 | Exfiltration Over C2 Channel | ODAgent can use an attacker-controlled OneDrive account to receive C2 commands and to exfiltrate files. [1]
Enterprise | T1070.004 | File Deletion (sub-technique) | ODAgent can delete payloads and files used to pass C2 commands from remotely hosted cloud accounts. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information | ODAgent can Base64-decode and XOR decrypt received C2 commands. [1]

Associated objects

Groups, software, and campaigns

Group (Enterprise): G0049 OilRig

OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: e3f73d59adda0898...

Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | e3f73d59adda…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] ESET OilRig Downloaders DEC 2023
     Hromcova, Z. and Burgher, A. (2023, December 14). OilRig's persistent attacks using cloud service-powered downloaders. Retrieved November 26, 2024.
  2. [2] mitre-attack S1170

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.