S1171: OilCheck
Analyst context for executives and security teams
OilCheck matters because it shows how a Windows downloader can blend command-and-control into normal-looking cloud/email activity. The key business issue is not just malware execution; it is whether the organization can distinguish legitimate shared email or web-service use from adversary-controlled draft-message communication, follow-on tool transfer, and possible data movement.
Executive priority
Prioritize this as a resilience and visibility question for environments where Windows endpoints, shared email accounts, and allowed web services are common. Leaders should ask whether SOC, incident response, identity, and cloud/email teams can jointly investigate suspicious use of shared accounts, unusual draft activity, web-service C2 patterns, inbound tool downloads, and exfiltration over approved services. It is also relevant to third-party and sector-risk discussions because ATT&CK links OilCheck to OilRig, a group described as targeting multiple sectors and leveraging trust relationships.
Technical view
OilCheck is described by ATT&CK as a C#/.NET-based downloader for Windows, used by OilRig since at least 2022, that communicates with its operators through draft messages in a shared Microsoft Office 365 Outlook account, reached over the REST-based Microsoft Graph API. Its relationship context maps it to Web Service: Bidirectional Communication (T1102.002), Ingress Tool Transfer (T1105) and Exfiltration Over Web Service (T1567): it downloads staged payloads from actor-controlled infrastructure and uploads documents from the compromised host to the same shared mailbox. SOC and IR teams should validate whether endpoint, email/cloud, proxy, DNS and identity telemetry can correlate .NET process activity on Windows with authenticated Graph API or mailbox access from an unexpected process, file downloads from external services, and outbound data transfer patterns. No official ATT&CK detection text is provided for this object, so detections should be built from local telemetry and the mapped technique behaviors rather than from a MITRE-supplied analytic.
Likely telemetry
- Windows endpoint process, command-line, module/.NET runtime, file creation, and network connection events
- Email and cloud-service audit logs for shared mailbox access, draft creation/modification, authentication source, and session context
- Proxy, firewall, DNS, and TLS metadata for web-service communication from endpoints
- EDR alerts or traces for downloader behavior and externally retrieved files
- Identity logs for shared account use, anomalous sign-in patterns, and impossible or unusual access context
Detection direction
- Validate coverage for shared email account activity, especially unusual draft-message creation or modification patterns tied to endpoint activity.
- Correlate Windows .NET process behavior with outbound web-service communication and subsequent file creation or execution.
- Tune for legitimate business use of shared mailboxes and approved web services to reduce false positives; the behavior may hide inside expected services.
- Look for sequences: suspicious cloud/email access, bidirectional communication, ingress tool transfer, and possible exfiltration over web services.
- Check blind spots where TLS inspection is limited, cloud/email audit logging is disabled, shared accounts lack accountability, or endpoint telemetry cannot identify parent-child process relationships.
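As a worked form of the correlation the bullets above describe, the following Python script is an added example (not code from this page, MITRE or ESET). It runs over constructed endpoint and mailbox audit events and flags a host where a process outside the expected Graph client baseline contacts graph.microsoft.com while draft items in a shared mailbox are written from that host's client IP, then tags the sequence with the three mapped techniques. The process names, the shared mailbox address, the host-to-IP mapping and every event field name are assumptions standing in for local EDR and Exchange Online audit schemas.

```python
"""Correlate endpoint and shared-mailbox telemetry for an OilCheck-style
draft-message C2 sequence (T1102.002 -> T1105 -> T1567).

Added example; not code from the page, MITRE or ESET. Event schemas, the
host-to-IP map, process names and the mailbox address are assumptions, and
every event below is constructed rather than captured."""
from datetime import datetime, timedelta

# Assumption: processes expected to talk to Microsoft Graph in this environment.
# Tune to the local baseline; legitimate clients are the main false-positive source.
EXPECTED_GRAPH_CLIENTS = {"outlook.exe", "msedge.exe", "chrome.exe", "teams.exe"}
GRAPH_HOSTS = {"graph.microsoft.com"}
SHARED_MAILBOXES = {"shared-ops@example.com"}   # assumption: inventory of shared accounts

# Assumption: endpoint name -> client IP as recorded by the cloud audit log.
HOST_IP = {"WS-ALICE": "203.0.113.10", "WS-BOB": "203.0.113.20", "WS-CAROL": "203.0.113.30"}

T0 = datetime(2024, 1, 15, 9, 0, 0)

# Constructed endpoint events (simplified EDR-style schema, an assumption).
ENDPOINT_EVENTS = [
    {"ts": T0, "host": "WS-ALICE", "process": "outlook.exe",
     "action": "netconn", "dest": "graph.microsoft.com"},                 # expected client
    {"ts": T0 + timedelta(minutes=1), "host": "WS-BOB", "process": "svcupd.exe",
     "action": "netconn", "dest": "graph.microsoft.com"},                 # hypothetical .NET binary
    {"ts": T0 + timedelta(minutes=3), "host": "WS-BOB", "process": "svcupd.exe",
     "action": "filecreate", "path": r"C:\Users\bob\AppData\Local\Temp\stage.dat"},
    {"ts": T0 + timedelta(minutes=2), "host": "WS-CAROL", "process": "dotnet.exe",
     "action": "netconn", "dest": "graph.microsoft.com"},                 # no mailbox activity
]

# Constructed mailbox audit events (loosely modelled on Exchange Online audit
# records; the field names are an assumption).
MAILBOX_EVENTS = [
    {"ts": T0 + timedelta(seconds=30), "mailbox": "shared-ops@example.com", "operation": "Create",
     "folder": r"\Drafts", "client_ip": "203.0.113.10", "has_attachment": False},
    {"ts": T0 + timedelta(seconds=90), "mailbox": "shared-ops@example.com", "operation": "Create",
     "folder": r"\Drafts", "client_ip": "203.0.113.20", "has_attachment": False},
    {"ts": T0 + timedelta(minutes=4), "mailbox": "shared-ops@example.com", "operation": "Update",
     "folder": r"\Drafts", "client_ip": "203.0.113.20", "has_attachment": True},
]


def find_suspicious_sequences(endpoint_events, mailbox_events, host_ip,
                              window=timedelta(minutes=10)):
    """Return one finding per Graph connection from an unexpected process that
    coincides with draft writes in a shared mailbox from the same client IP."""
    findings = []
    for conn in endpoint_events:
        if conn["action"] != "netconn" or conn["dest"] not in GRAPH_HOSTS:
            continue
        if conn["process"].lower() in EXPECTED_GRAPH_CLIENTS:
            continue                                  # baseline client, skip
        ip = host_ip.get(conn["host"])
        drafts = [m for m in mailbox_events
                  if m["client_ip"] == ip
                  and m["mailbox"] in SHARED_MAILBOXES
                  and m["folder"] == r"\Drafts"
                  and abs(m["ts"] - conn["ts"]) <= window]
        if not drafts:
            continue                                  # no shared-mailbox draft activity
        techniques = {"T1102.002"}                    # drafts used as a C2 channel
        downloads = [f for f in endpoint_events
                     if f["action"] == "filecreate"
                     and f["host"] == conn["host"]
                     and f["process"] == conn["process"]
                     and timedelta(0) <= f["ts"] - conn["ts"] <= window]
        if downloads:
            techniques.add("T1105")                   # file written after the C2 contact
        if any(m["has_attachment"] for m in drafts):
            techniques.add("T1567")                   # draft carrying an attachment outbound
        findings.append({"host": conn["host"], "process": conn["process"],
                         "client_ip": ip, "mailbox_events": len(drafts),
                         "files": [f["path"] for f in downloads],
                         "techniques": techniques})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_sequences(ENDPOINT_EVENTS, MAILBOX_EVENTS, HOST_IP):
        print(f"{f['host']} {f['process']} ip={f['client_ip']} drafts={f['mailbox_events']} "
              f"files={f['files']} {sorted(f['techniques'])}")
```

The Outlook connection on WS-ALICE and the draft it wrote are dropped by the baseline check, and the dotnet.exe connection on WS-CAROL is dropped because no shared-mailbox draft activity comes from its IP; only WS-BOB produces a finding. In production the join key would be whatever the audit log records (client IP plus the authenticated account and session, or a device-aware identity signal), and the window and baseline must be tuned against the legitimate shared-mailbox use the page warns about.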
Mitigation priorities
- Strengthen governance of shared email accounts: ownership, least privilege, MFA where applicable, logging, and periodic access review.
- Ensure cloud/email audit logs are enabled, retained, and integrated into SOC workflows alongside endpoint and network telemetry.
- Restrict and monitor unnecessary web-service access from endpoints, while preserving business-approved use cases.
- Harden Windows endpoints against unauthorized downloader execution through application control, EDR coverage, and least-privilege user configuration.
- Improve egress monitoring for file downloads and uploads over legitimate web services, including alerting on unusual destinations, volumes, or timing.
Analyst notes and limits
ATT&CK provides a concise software description, one external ESET reference, Windows as the platform, and relationships to C2, tool transfer, and exfiltration techniques. The strongest defensive value is validating cross-domain visibility: endpoint plus shared mailbox/cloud-service plus egress telemetry. The OilRig relationship is useful for threat intelligence enrichment and prioritization, but local evidence is required for attribution.
Official ATT&CK detection guidance is not provided, and the object does not list tactics directly. The summary should not be read as proof of current activity, customer exposure, or guaranteed detectability. Specific indicators, email provider details, and environment-specific baselines must come from local telemetry or the cited external reporting.
OilCheck
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1567 | Exfiltration Over Web Service | OilCheck can upload documents from compromised hosts to a shared Microsoft Office 365 Outlook email account for exfiltration. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | OilCheck can download staged payloads from actor-controlled infrastructure. [1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | OilCheck can use the REST-based Microsoft Graph API to access draft messages in a shared Microsoft Office 365 Outlook email account used for C2 communication. [1] |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases by object version, MITRE modification timestamp and raw object hash. For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | ea37c56cbc11… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] ESET OilRig Downloaders DEC 2023: Hromcova, Z. and Burgher, A. (2023, December 14). OilRig's persistent attacks using cloud service-powered downloaders. ESET. Retrieved November 26, 2024.
[2] mitre-attack S1171: MITRE ATT&CK source record for this object.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.