S0582: LookBack
Analyst context for executives and security teams
LookBack matters because ATT&CK describes it as a Windows remote access trojan used against at least three U.S. utility companies in July 2019. For security leaders, the key decision value is not just the malware name; it is the combination of remote access, discovery, persistence, command-and-control, screen capture, and service disruption behaviors that can affect operational resilience, especially in utility or cyber-physical environments.
Executive priority
Prioritize validation of Windows endpoint visibility, egress monitoring, and incident response readiness for remote access malware behaviors. Utilities and organizations with operational dependencies should ask whether SOC teams can prove coverage for command shell execution, persistence through Run keys/startup folders, unusual web or non-application-layer communications, service stops, and shutdown/reboot activity. Because ATT&CK provides no official detection guidance for this object, assurance should come from local telemetry tests, control evidence, and response playbooks rather than assumptions based on the malware family name.
Technical view
LookBack is documented as Windows malware and is related to techniques spanning execution, discovery, persistence, stealth, collection, command-and-control, and impact. SOC and IR teams should validate behavior-based detections around Windows Command Shell and Visual Basic execution, process/service/file discovery, Registry Run keys or startup folder persistence, DLL abuse, file deletion, decoding/deobfuscation activity, screen capture, encrypted or web-based C2 patterns, non-application-layer protocol use, service stop, and shutdown/reboot events. Detection engineering should map alerts to the related ATT&CK techniques rather than relying on a single malware signature.
Likely telemetry
- Windows endpoint process creation and command-line logs
- Registry modification events, especially Run keys and startup folder changes
- File creation, deletion, rename, and directory enumeration activity
- DLL load and suspicious library path telemetry where available
- Windows service query, stop, and configuration events
Detection direction
- Build coverage around the related behaviors: T1059.003, T1059.005, T1007, T1057, T1083, T1547.001, T1574.001, T1070.004, T1140, T1113, T1071.001, T1095, T1573.001, T1489, and T1529.
- Tune discovery detections to distinguish normal administration from unusual service, process, and file enumeration, especially when followed by persistence or outbound communication.
- Correlate Run key/startup folder changes and DLL abuse with the initiating process, user context, parent process, and subsequent network activity.
- Review egress monitoring for web-protocol C2 patterns and unusual non-application-layer communications, while accounting for encrypted traffic visibility limits.
- Treat service stop and shutdown/reboot alerts as higher priority when they occur on operationally important Windows systems or during an active investigation.
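The following Python sketch is an added example (not from the page, MITRE or Glexia) of the correlation these items describe, run over constructed Sysmon-style events: it joins each Run-key write to the process that made it, that process's parent and user, and any outbound connection from the same process within a window, and it raises the severity of service-stop and shutdown events on hosts marked as operationally important or already under investigation. The host names, users, paths, the 203.0.113.10 address and the port-based split between web-protocol and non-application-layer egress are all assumptions made for the example.

```python
"""Added example: correlate Run-key / startup-folder persistence with the
initiating process, its parent, the user context and later egress, and raise
service-stop / shutdown events on operationally important hosts.

The events below are constructed for this example (not real telemetry); the
field names loosely follow Sysmon conventions (event 1 = process create,
13 = registry value set, 3 = network connection).
"""

PERSISTENCE_MARKERS = (
    r"\Microsoft\Windows\CurrentVersion\Run",      # covers Run and RunOnce (T1547.001)
    r"\Start Menu\Programs\Startup",                # startup folder path written to a key
)
WEB_PORTS = {80, 443, 8080}   # heuristic split between T1071.001 and T1095 egress

# Constructed sample telemetry from three hypothetical hosts.
EVENTS = [
    {"ts": 100, "host": "ws01", "eid": 1, "pid": 4101, "image": r"C:\Windows\System32\cmd.exe",
     "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE", "user": "CORP\\alice",
     "cmdline": r"cmd.exe /c copy updater.exe %APPDATA%\updater.exe"},
    {"ts": 105, "host": "ws01", "eid": 13, "pid": 4101,
     "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "details": r"%APPDATA%\updater.exe"},
    {"ts": 130, "host": "ws01", "eid": 3, "pid": 4101, "dest": "203.0.113.10", "dport": 80},
    # Vendor installer writing its own Run key with no egress afterwards: lower priority.
    {"ts": 200, "host": "ws02", "eid": 1, "pid": 5200, "image": r"C:\Windows\System32\msiexec.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "CORP\\bob", "cmdline": "msiexec.exe /i vendor.msi"},
    {"ts": 201, "host": "ws02", "eid": 13, "pid": 5200,
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "details": r"C:\Program Files\Vendor\agent.exe"},
    # Service stop on an HMI host and a reboot on an ordinary workstation.
    {"ts": 300, "host": "hmi01", "eid": 1, "pid": 6000, "image": r"C:\Windows\System32\sc.exe",
     "parent": r"C:\Windows\System32\cmd.exe", "user": "CORP\\alice", "cmdline": "sc stop HistorianSvc"},
    {"ts": 301, "host": "ws03", "eid": 1, "pid": 6100, "image": r"C:\Windows\System32\shutdown.exe",
     "parent": r"C:\Windows\explorer.exe", "user": "CORP\\carol", "cmdline": "shutdown /r /t 0"},
]


def is_persistence_key(key: str) -> bool:
    """True for registry targets under Run/RunOnce or pointing at the startup folder."""
    k = key.lower()
    return any(m.lower() in k for m in PERSISTENCE_MARKERS)


def correlate_persistence(events, window=300):
    """Join each persistence write (T1547.001) to its process-create record and to
    any network connection from the same process within `window` seconds."""
    creates = {(e["host"], e["pid"]): e for e in events if e["eid"] == 1}
    alerts = []
    for e in events:
        if e["eid"] != 13 or not is_persistence_key(e["target"]):
            continue
        proc = creates.get((e["host"], e["pid"]), {})
        egress = [n for n in events
                  if n["eid"] == 3 and n["host"] == e["host"] and n["pid"] == e["pid"]
                  and e["ts"] <= n["ts"] <= e["ts"] + window]
        alert = {
            "host": e["host"], "key": e["target"], "value": e["details"],
            "image": proc.get("image"), "parent": proc.get("parent"),
            "user": proc.get("user"), "cmdline": proc.get("cmdline"),
            "egress": [(n["dest"], n["dport"]) for n in egress],
            "techniques": ["T1547.001"],
            "severity": "medium",  # persistence alone: review against the admin baseline
        }
        if egress:
            web = any(n["dport"] in WEB_PORTS for n in egress)
            alert["techniques"].append("T1071.001" if web else "T1095")
            alert["severity"] = "high"  # persistence followed by outbound traffic
        alerts.append(alert)
    return alerts


# Image basename -> ATT&CK ID for the impact behaviours named on the page.
SERVICE_CONTROL = {"sc.exe": "T1489", "net.exe": "T1489", "net1.exe": "T1489",
                   "shutdown.exe": "T1529"}


def prioritize_impact_events(events, critical_hosts, active_investigation=frozenset()):
    """Flag service stops (T1489) and shutdown/reboot (T1529); severity rises on
    operationally important hosts or hosts already under investigation."""
    findings = []
    for e in events:
        if e["eid"] != 1:
            continue
        technique = SERVICE_CONTROL.get(e["image"].rsplit("\\", 1)[-1].lower())
        if technique is None:
            continue
        words = e["cmdline"].lower().split()
        if technique == "T1489" and "stop" not in words:
            continue  # 'sc query' / 'net start' are not service stops
        elevated = e["host"] in critical_hosts or e["host"] in active_investigation
        findings.append({"host": e["host"], "user": e["user"], "cmdline": e["cmdline"],
                         "technique": technique, "severity": "high" if elevated else "low"})
    return findings


if __name__ == "__main__":
    for a in correlate_persistence(EVENTS):
        print(a["severity"], a["host"], a["techniques"], a["parent"], a["egress"])
    for f in prioritize_impact_events(EVENTS, critical_hosts={"hmi01"}):
        print(f["severity"], f["host"], f["technique"], f["cmdline"])
```

The two functions are deliberately separate rules: the persistence join produces a medium-severity alert on its own, so the vendor installer on ws02 still surfaces for baseline review, while the same write followed by egress from the Office-spawned shell on ws01 is promoted to high with both technique IDs attached. The critical-host set and investigation set are inputs rather than hard-coded, since asset criticality comes from the local environment, as the Analyst notes section states.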
Mitigation priorities
- Maintain strong Windows endpoint logging and centralized retention before relying on malware-specific detections.
- Harden persistence paths by monitoring and controlling Registry Run keys, startup folders, and DLL search/load behavior where feasible.
- Restrict and monitor script and command shell usage according to administrative need.
- Apply least privilege so user-context persistence and service control require appropriate authorization.
- Segment and monitor outbound network paths, especially from systems with operational or utility relevance.
Analyst notes and limits
The supplied ATT&CK object identifies LookBack as a C++ remote access trojan used against at least three U.S. utility companies in July 2019 and notes TALONITE has been observed using it. The strongest defensive value comes from the relationship context: LookBack is associated with execution, discovery, persistence, stealth, C2, collection, and impact techniques. This supports behavior-based control validation and SOC use-case development.
ATT&CK provides no official detection text, no aliases, and no tactic list directly on the malware object. External references are listed, but no indicators, hashes, infrastructure, or detailed procedure examples were supplied here. Local environment telemetry, asset criticality, and approved administrative baselines are required to determine actual exposure and detection quality.
LookBack
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1489 | Service Stop | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1529 | System Shutdown/Reboot | |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | |
| Enterprise | T1071.001 | Web Protocols Sub-technique | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1574.001 | DLL Sub-technique | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 45ea0dd53c11… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Proofpoint LookBack Malware Aug 2019: Raggi, M., Schwarz, D. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021.
[2] Dragos TALONITE: Dragos. (n.d.). TALONITE. Retrieved February 25, 2021.
[3] Dragos Threat Report 2020: Dragos. (n.d.). ICS Cybersecurity Year in Review 2020. Retrieved February 25, 2021.
[4] LookBack (Citation: Proofpoint LookBack Malware Aug 2019)
[5] mitre-attack S0582
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.