S0170: Helminth
Analyst context for executives and security teams
Helminth matters because ATT&CK describes it as a Windows backdoor with both macro-delivered VBScript/PowerShell and standalone executable variants. For leaders, the practical issue is not just one malware family: it represents a pattern where office-document execution, Windows scripting, persistence, credential collection, local discovery, data staging, and web/DNS command-and-control can combine into a longer-running intrusion.
Executive priority
Prioritize Helminth as a coverage validation use case for Windows endpoint resilience, macro/script governance, persistence monitoring, and egress visibility. ATT&CK also links Helminth to OilRig, a group described as targeting sectors including financial, government, energy, chemical, and telecommunications and using trust relationships in supply chain attacks; this should drive questions about third-party access, incident response readiness, and whether audit evidence proves monitoring across endpoint, identity, and network layers.
Technical view
SOC and IR teams should validate detections around the supplied Windows behaviors: Excel macro execution leading to VBScript or PowerShell, command shell activity, scheduled tasks, Run key/startup folder persistence, shortcut modification, process and group discovery, keylogging/clipboard collection indicators, local data staging, tool transfer, and encoded/encrypted web or DNS command-and-control. No official ATT&CK detection text is provided for Helminth, so coverage should be built from the related techniques rather than malware-name matching alone.
Likely telemetry
- Windows process creation telemetry, including parent-child relationships from Excel to script interpreters, PowerShell, cmd, or executables
- PowerShell script block, module, and command-line logging where enabled
- Windows scheduled task creation/modification events
- Registry Run key and startup folder change events
- Shortcut file creation or modification in startup locations
Detection direction
- Do not rely only on Helminth signatures; validate behavior-based detections mapped to the ATT&CK relationships.
- Tune for Office-to-script execution chains, especially Excel spawning VBScript, PowerShell, cmd, or unknown executables, while accounting for legitimate administrative macros.
- Correlate persistence changes with nearby script execution, new binaries, command shell activity, or outbound network connections.
- Review web and DNS egress detections for encoded, encrypted, or unusual beacon-like traffic, recognizing that web/DNS protocols are common and can generate false positives without endpoint context.
- Correlate collection behaviors such as keylogging, clipboard access, automated collection, and local staging with subsequent transfer or exfiltration-size-limit patterns.
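As an added example that is not part of the ATT&CK object or the Glexia analysis, the following Python sketches the first three detection directions above: flag Office-to-script execution chains in normalised process-creation events and correlate them with persistence changes on the same host. The event field names, the constructed telemetry, and the 10-minute correlation window are assumptions.

```python
"""Added example: Office-to-script chain detection with persistence correlation.
Events are constructed and normalised to dicts (e.g., from Sysmon EID 1 for process
creation, EID 12/13 for Run keys, and 4698 for scheduled task creation). Not real telemetry."""
from datetime import datetime, timedelta

# Interpreters and shells an Office parent should rarely spawn directly (assumed list)
SCRIPT_CHILDREN = {"wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe", "mshta.exe"}
OFFICE_PARENTS = {"excel.exe", "winword.exe"}
PERSISTENCE_TYPES = {"scheduled_task", "run_key", "startup_shortcut"}

# Constructed sample events: one suspicious chain on WS01 followed by a scheduled task,
# and a benign-looking Excel -> cmd on WS02 with an unrelated Run key hours later.
SAMPLE_EVENTS = [
    {"ts": "2024-01-10T09:00:01", "host": "WS01", "type": "process", "parent": "explorer.exe", "image": "EXCEL.EXE", "cmd": "EXCEL.EXE invoice.xls"},
    {"ts": "2024-01-10T09:00:05", "host": "WS01", "type": "process", "parent": "EXCEL.EXE", "image": "wscript.exe", "cmd": "wscript.exe C:\\Users\\Public\\update.vbs"},
    {"ts": "2024-01-10T09:00:09", "host": "WS01", "type": "process", "parent": "wscript.exe", "image": "powershell.exe", "cmd": "powershell.exe -File C:\\Users\\Public\\stage.ps1"},
    {"ts": "2024-01-10T09:01:30", "host": "WS01", "type": "scheduled_task", "detail": "UpdateChecker"},
    {"ts": "2024-01-10T10:15:00", "host": "WS02", "type": "process", "parent": "EXCEL.EXE", "image": "cmd.exe", "cmd": "cmd /c dir"},
    {"ts": "2024-01-10T14:00:00", "host": "WS02", "type": "run_key", "detail": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"},
]


def office_script_chains(events):
    """Return process events where an Office parent spawned a script interpreter or shell."""
    return [e for e in events if e["type"] == "process"
            and e["parent"].lower() in OFFICE_PARENTS
            and e["image"].lower() in SCRIPT_CHILDREN]


def correlate_persistence(events, window_minutes=10):
    """For each Office-to-script chain, collect persistence changes on the same host
    within the window after the chain. A chain with nearby persistence is rated high,
    a bare chain medium (legitimate administrative macros also produce bare chains)."""
    alerts = []
    for chain in office_script_chains(events):
        start = datetime.fromisoformat(chain["ts"])
        end = start + timedelta(minutes=window_minutes)
        related = [e for e in events
                   if e["type"] in PERSISTENCE_TYPES and e["host"] == chain["host"]
                   and start <= datetime.fromisoformat(e["ts"]) <= end]
        alerts.append({"host": chain["host"],
                       "chain": f'{chain["parent"]} -> {chain["image"]}',
                       "persistence": [e["detail"] for e in related],
                       "severity": "high" if related else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in correlate_persistence(SAMPLE_EVENTS):
        print(alert)
```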
Mitigation priorities
- Reduce macro and script execution risk on Windows endpoints, especially for Excel-delivered content.
- Harden and monitor PowerShell, Windows Command Shell, VBScript, scheduled tasks, Run keys, startup folders, and shortcut-based startup locations.
- Apply least privilege and review local/domain group exposure so discovery of privileged groups is less useful to an intruder.
- Strengthen egress controls and monitoring for HTTP/S and DNS command-and-control, including encoded or encrypted traffic where feasible.
- Ensure endpoint controls collect enough process, registry, file, script, and network context to support incident response reconstruction.
Analyst notes and limits
The object’s own ATT&CK tactics are not specified, but many technique relationships are supplied and provide practical detection and mitigation direction. The official description supports Windows, Excel macro delivery, VBScript, PowerShell, and standalone executable variants. The OilRig relationship provides context for prioritization, but local evidence is required before making attribution or exposure claims.
Official Helminth detection guidance is not provided in the supplied ATT&CK fields. The supplied source is a 2016 Palo Alto Networks reference plus ATT&CK relationships; this take does not assert current exploitation, prevalence, customer exposure, or guaranteed detection. Environment-specific logging, control configuration, and business process context are required to determine real coverage.
Helminth
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Helminth has used a scheduled task for persistence. (Citation: ClearSky OilRig Jan 2017) |
| Enterprise | T1553.002 | Code Signing Sub-technique | Helminth samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared. (Citation: ClearSky OilRig Jan 2017) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1547.009 | Shortcut Modification Sub-technique | |
| Enterprise | T1071.004 | DNS Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1056.001 | Keylogging Sub-technique | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | |
| Enterprise | T1115 | Clipboard Data | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1069.001 | Local Groups Sub-technique | Helminth has checked the local administrators group. (Citation: Unit 42 Playbook Dec 2017) |
| Enterprise | T1069.002 | Domain Groups Sub-technique | Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands |
| Enterprise | T1119 | Automated Collection | |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | |
| Enterprise | T1030 | Data Transfer Size Limits | |
Groups, software, and campaigns
G0049: OilRig
OilRig is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that aligns with nation-state interests.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources page (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a128767e59c8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto OilRig May 2016: Falcone, R. and Lee, B. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017.
- [2] Helminth (Citation: Palo Alto OilRig May 2016)
- [3] mitre-attack S0170
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.