S0603: Stuxnet

Stuxnet matters because it shows how Windows malware can bridge from enterprise-style compromise into industrial control system manipulation. For leaders, the decision value is not the historical malware name alone; it is the control question it raises: can the organization prove that engineering workstations, removable media paths, remote services, project files, and controller changes are governed and monitored well enough to prevent or investigate unsafe process manipulation?

Executive priority

Treat this as a cyber-physical resilience benchmark. The ATT&CK relationships connect Stuxnet to removable media replication, remote services, project file infection, rootkit behavior, controller program and parameter modification, manipulation of operator view, and manipulation of control. That makes it relevant to business continuity, safety-adjacent operational risk, compliance evidence for change control, and incident response readiness in environments where Windows systems interact with ICS assets.

Technical view

MITRE lists the supported platform as Windows and provides no official detection text for this malware object. SOC and IR teams should therefore validate coverage through the related ICS techniques: removable media use, command-line activity, remote service access, lateral file transfer, common application-layer protocol traffic, masquerading, rootkit or hooking indicators, Siemens project file integrity, and controller-side changes such as program download, tasking changes, parameter changes, I/O image manipulation, and control/view manipulation. Detection should be tested across both Windows engineering hosts and ICS process/control telemetry, because host-only monitoring may miss controller or process effects.

Likely telemetry

Windows endpoint process, command-line, service, driver, file, and removable media events from engineering and operator workstations
Network telemetry for remote services, SMB or other lateral file transfer, common ports, and standard application-layer protocols used in the ICS environment
Engineering workstation and project repository evidence, including Siemens Step 7/WinCC project file access and modification history where applicable
Controller change evidence, including program downloads, online edits, tasking changes, parameter changes, and I/O image or override-related events where available
Process monitoring sources such as OPC tags, historian data, PLC block information, and control network traffic

Detection direction

Do not rely on a single malware signature or Windows alert; the object has no official ATT&CK detection guidance and includes rootkit, masquerading, native API, and hooking-related behaviors that can reduce host visibility.
Validate whether removable media introduction, project file modification, and engineering workstation activity are logged with enough user, host, device, and timestamp context to support an investigation.
Tune remote service and lateral transfer detections against known engineering workflows to reduce false positives while still surfacing unusual source systems, timing, destinations, or file types.
Correlate controller program or parameter changes with approved maintenance windows and change tickets; unexplained downloads or online edits should be high-priority review items.
Compare operator view and historian/process data against independent process or controller evidence where possible, because related techniques include manipulation of view and control.

Mitigation priorities

Prioritize asset inventory and segmentation between enterprise Windows systems, engineering workstations, and control networks.
Govern removable media and contractor/supplier transfer paths with approval, scanning, and logging appropriate to ICS operations.
Harden and monitor remote services and file-sharing paths used for engineering access and lateral movement.
Maintain vulnerability and patch governance for Windows systems and remote services, recognizing the official description notes use of numerous zero-day vulnerabilities historically.
Protect engineering project files and controller logic with version control, integrity checks, backups, and formal change approval.

Analyst notes and limits

This take is based on the official Stuxnet software object S0603 and its supplied relationships to ICS ATT&CK techniques. The most important defensive lesson is cross-domain validation: Windows endpoint evidence, engineering project evidence, network evidence, and controller/process evidence must be reviewable together.

MITRE provides no official detection text, no enterprise tactics for this object, and only Windows as the platform on the supplied software object. Local architecture, controller products, engineering tools, logging maturity, and safety constraints are required to turn this into a precise detection or mitigation plan.

Official MITRE ATT&CK definition

Stuxnet

Stuxnet was the first publicly reported malware to specifically target industrial control systems devices. Stuxnet is a large and complex malware that utilized multiple behaviors, including numerous zero-day vulnerabilities, a sophisticated Windows rootkit, and network infection routines.[1][2][3][4] Stuxnet was discovered in 2010, with some components being used as early as November 2008.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 44 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1016	System Network Configuration Discovery	Stuxnet collects the IP address of a compromised system.[1]
Enterprise	T1082	System Information Discovery	Stuxnet collects system information including computer and domain names, OS version, and S7P paths.[1]
Enterprise	T1132.001	Standard Encoding Sub-technique	Stuxnet transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value.[1]
Enterprise	T1560.003	Archive via Custom Method Sub-technique	Stuxnet encrypts exfiltrated data via C2 with static 31-byte long XOR keys.[1]
Enterprise	T1070.006	Timestomp Sub-technique	Stuxnet extracts and writes driver files that match the times of other legitimate files.[1]
Enterprise	T1129	Shared Modules	Stuxnet calls LoadLibrary then executes exports from a DLL.[1]
Enterprise	T1047	Windows Management Instrumentation	Stuxnet used WMI with an `explorer.exe` token to execute on a remote share.[1]
Enterprise	T1112	Modify Registry	Stuxnet can create registry keys to load driver files.[1]
Enterprise	T1543.003	Windows Service Sub-technique	Stuxnet uses a driver registered as a boot start service as the main load-point.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Stuxnet decrypts resources that are loaded into memory and executed.[1]
Enterprise	T1070.004	File Deletion Sub-technique	Stuxnet uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files.[1]
Enterprise	T1134.001	Token Impersonation/Theft Sub-technique	Stuxnet attempts to impersonate an anonymous token to enumerate bindings in the service control manager.[1]
Enterprise	T1210	Exploitation of Remote Services	Stuxnet propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities.[1]
Enterprise	T1027.013	Encrypted/Encoded File Sub-technique	Stuxnet uses encrypted configuration blocks and writes encrypted files to disk.[1]
Enterprise	T1091	Replication Through Removable Media	Stuxnet can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability.[1]
Enterprise	T1480	Execution Guardrails	Stuxnet checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	Stuxnet sends compromised victim information via HTTP.[1]
Enterprise	T1070	Indicator Removal	Stuxnet can delete OLE Automation and SQL stored procedures used to store malicious payloads.[1]
Enterprise	T1055.001	Dynamic-link Library Injection Sub-technique	Stuxnet injects an entire DLL into an existing, newly created, or preselected trusted process.[1]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Stuxnet encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. Stuxnet also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant.[1]
Enterprise	T1014	Rootkit	Stuxnet uses a Windows rootkit to mask its binaries and other relevant files.[1]
Enterprise	T1071.001	Web Protocols Sub-technique	Stuxnet uses HTTP to communicate with a command and control server. [1]
Enterprise	T1083	File and Directory Discovery	Stuxnet uses a driver to scan for specific filesystem driver objects.[1]
Enterprise	T1008	Fallback Channels	Stuxnet has the ability to generate new C2 domains.[1]
Enterprise	T1087.002	Domain Account Sub-technique	Stuxnet enumerates user accounts of the domain.[1]
Enterprise	T1120	Peripheral Device Discovery	Stuxnet enumerates removable drives for infection.[1]
Enterprise	T1685	Disable or Modify Tools	Stuxnet reduces the integrity level of objects to allow write actions.[1]
Enterprise	T1068	Exploitation for Privilege Escalation	Stuxnet used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines.[1]
Enterprise	T1078.001	Default Accounts Sub-technique	Stuxnet infected WinCC machines via a hardcoded database server password.[1]
Enterprise	T1518.001	Security Software Discovery Sub-technique	Stuxnet enumerates the currently running processes related to a variety of security products.[1]
Enterprise	T1087.001	Local Account Sub-technique	Stuxnet enumerates user accounts of the local host.[1]
Enterprise	T1021.002	SMB/Windows Admin Shares Sub-technique	Stuxnet propagates to available network shares.[1]
Enterprise	T1012	Query Registry	Stuxnet searches the Registry for indicators of security programs.[1]
Enterprise	T1124	System Time Discovery	Stuxnet collects the time and date of a system when it is infected.[1]
Enterprise	T1553.002	Code Signing Sub-technique	Stuxnet used a digitally signed driver with a compromised Realtek certificate.[1]
Enterprise	T1135	Network Share Discovery	Stuxnet enumerates the directories of a network resource.[1]
Enterprise	T1078.002	Domain Accounts Sub-technique	Stuxnet attempts to access network resources with a domain account’s credentials.[1]
Enterprise	T1106	Native API	Stuxnet uses the SetSecurityDescriptorDacl API to reduce object integrity levels.[1]
Enterprise	T1570	Lateral Tool Transfer	Stuxnet uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network.[1]
Enterprise	T1053.005	Scheduled Task Sub-technique	Stuxnet schedules a network job to execute two minutes after host infection.[1]
Enterprise	T1021	Remote Services	Stuxnet can propagate via peer-to-peer communication and updates using RPC.[1]
Enterprise	T1090.001	Internal Proxy Sub-technique	Stuxnet installs an RPC server for P2P communications.[1]
Enterprise	T1080	Taint Shared Content	Stuxnet infects remote servers via network shares and by infecting WinCC database views with malicious code.[1]
Enterprise	T1505.001	SQL Stored Procedures Sub-technique	Stuxnet used xp_cmdshell to store and execute SQL code.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.5
Created: Dec 14, 2020, 17:34 UTC (UTC+00:00)
Modified: Apr 24, 2026, 02:36 UTC (UTC+00:00)
Raw hash: 74474168243990b4...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.5	Apr 24, 2026, 02:36 UTC (UTC+00:00)	Current bundle	`744741682439…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
Nicolas Falliere, Liam O Murchu, Eric Chien February 2011

Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved November 17, 2024.
Open source URL
[2]
CISA ICS Advisory ICSA-10-272-01

CISA. (2010, September 10). ICS Advisory (ICSA-10-272-01). Retrieved December 7, 2020.
Open source URL
[3]
ESET Stuxnet Under the Microscope

Matrosov, A., Rodionov, E., Harley, D., Malcho, J.. (n.d.). Stuxnet Under the Microscope. Retrieved December 7, 2020.
Open source URL
[4]
Langer Stuxnet

Ralph Langner. (2013, November). To Kill a Centrifuge: A Technical Analysis of What Stuxnet's Creators Tried to Achieve. Retrieved December 7, 2020.
Open source URL
[5]
W32.Stuxnet

(Citation: Nicolas Falliere, Liam O Murchu, Eric Chien February 2011)
[6]
mitre-attack S0603
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams