S0688: Meteor
Meteor is a wiper that was used against Iranian government organizations, including Iranian Railways, the Ministry of Roads, and Urban Development systems, in July 2021. Meteor is likely a newer version of similar wipers called Stardust and Comet that were reportedly used by a group called "Indra" since at least 2019 against private companies in Syria.[1]
Analyst context for executives and security teams
Meteor matters because it is described by ATT&CK as a Windows wiper associated with destructive activity against government and transportation-related organizations. For leaders, the defensive value is not in memorizing the malware name, but in validating whether the organization can detect and recover from the behaviors ATT&CK links to it: scheduled execution, WMI and command-shell use, Group Policy modification, security-tool impairment, log clearing, recovery inhibition, account access removal, defacement, service stopping, and data destruction.
Executive priority
Treat this as a resilience and incident-readiness use case for destructive Windows intrusions. Priority questions are: can critical Windows and Active Directory environments withstand malicious GPO changes, service disruption, account lockout/removal, and recovery inhibition; are backups and recovery paths protected from administrative misuse; and can the SOC still see activity if endpoint tools or Windows logs are tampered with? This object supports tabletop, control validation, and audit evidence around destructive malware preparedness, especially where business continuity or cyber-physical operations depend on Windows systems.
Technical view
ATT&CK provides no official detection text for Meteor, so defenders should build coverage from the related techniques. Prioritize Windows telemetry for WMI execution, PowerShell, cmd.exe, scheduled task creation or modification, suspicious task/service naming, Group Policy changes in Active Directory/SYSVOL, Windows Event Log clearing, service stops, security-tool tampering, account access changes, recovery inhibition, file deletion, and destructive file activity. Because several related technique descriptions are broader than Windows, keep validation anchored to the supplied Meteor platform: Windows.
Likely telemetry
- Windows Security, System, Application, PowerShell, WMI-Activity, and Task Scheduler logs
- Endpoint process creation and command-line telemetry for powershell.exe, cmd.exe, schtasks.exe, WMI providers, service-control activity, and native API-backed execution indicators
- Active Directory and Group Policy change auditing, including GPO object changes and SYSVOL policy file modifications
- Service creation, service stop, and service configuration change events
- Endpoint security tool health, tamper, service status, and policy-change events
Detection direction
- Create behavior-focused detections mapped to the related ATT&CK techniques rather than relying on a Meteor-specific signature, since official detection guidance is not provided.
- Correlate execution paths: WMI, PowerShell, Windows command shell, scheduled tasks, and native API activity occurring near discovery, tool transfer, service stopping, or destructive file operations.
- Tune scheduled task and service masquerading analytics against known-good administrative naming patterns; false positives are likely from legitimate IT automation and software deployment tools.
- Alert on Group Policy changes that affect security posture, account access, service behavior, recovery settings, or endpoint tooling, especially when followed by broad endpoint changes.
- Monitor for log clearing and security-tool degradation as high-priority visibility-loss events, not merely cleanup activity.
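An added example, not code from the ATT&CK object or from Glexia, of the correlation approach outlined in the detection direction: behaviour categories are derived from Windows Event IDs and joined per host inside a time window, with GPO changes matched by time because they are logged on the domain controller. The category rules, the alert threshold and the sample events are assumptions constructed here.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Windows Event IDs used: 4688 process creation, 4698 scheduled task created, 5136 directory
# object modified (domain controller), 7036 service state change, 1102 audit log cleared, 4726 account deleted.
EXEC_PROCS = {"powershell.exe", "cmd.exe", "schtasks.exe"}
SIMPLE_IDS = {4698: "scheduled_task", 1102: "log_clear", 4726: "account_removal"}

def categorize(ev):
    # Map one parsed event to a behaviour category from the detection direction above, or None.
    eid = ev["event_id"]
    if eid in SIMPLE_IDS:
        return SIMPLE_IDS[eid]
    if eid == 4688 and ev.get("process", "").lower() in EXEC_PROCS:
        return "execution"
    if eid == 5136 and ev.get("object_class") == "groupPolicyContainer":
        return "gpo_change"
    if eid == 7036 and ev.get("state") == "stopped":
        return "service_stop"
    return None

def correlate(events, window_minutes=30):
    # Alert per host when log clearing or a GPO change is joined by two or more other categories
    # inside the window. GPO changes come from the domain controller, so they match by time, not host.
    window, gpo_times, by_host = timedelta(minutes=window_minutes), [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        cat = categorize(ev)
        if cat == "gpo_change":
            gpo_times.append(ev["time"])
        elif cat:
            by_host[ev["host"]].append((ev["time"], cat))
    alerts = []
    for host, items in by_host.items():
        for i, (t0, _) in enumerate(items):
            cats = {c for t, c in items[i:] if t - t0 <= window}
            if any(abs(g - t0) <= window for g in gpo_times):
                cats.add("gpo_change")
            high = cats & {"log_clear", "gpo_change"}
            if high and len(cats - high) >= 2:
                alerts.append({"host": host, "start": t0, "categories": sorted(cats)})
                break  # one alert per host is enough; the SOC pivots from there
    return alerts
# Constructed sample events (not real telemetry): a GPO change on dc01 followed by execution,
# task creation, a service stop and log clearing on ws01 within the window.
T = lambda m: datetime(2021, 7, 9, 6, m)
SAMPLE = [
    {"time": T(0), "host": "dc01", "event_id": 5136, "object_class": "groupPolicyContainer"},
    {"time": T(5), "host": "ws01", "event_id": 4688, "process": "powershell.exe"},
    {"time": T(6), "host": "ws01", "event_id": 4698},
    {"time": T(10), "host": "ws01", "event_id": 7036, "state": "stopped"},
    {"time": T(12), "host": "ws01", "event_id": 1102},
]
```

A lone administrative shell or a single service stop does not reach the threshold, which is the tuning point the direction above calls for against legitimate IT automation.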
Mitigation priorities
- Prioritize recoverability: maintain protected, tested backups and recovery mechanisms that cannot be altered through ordinary endpoint or domain-admin paths.
- Harden Active Directory and Group Policy administration with least privilege, change control, monitoring, and rapid rollback procedures.
- Restrict and monitor administrative execution channels such as WMI, PowerShell, Windows command shell, and scheduled task creation where business operations allow.
- Protect endpoint security tools and logging pipelines against tampering, and forward critical logs off-host quickly.
- Implement service and account change governance for critical systems, including alerting on unusual service stops and access-removal events.
Analyst notes and limits
The supplied ATT&CK object identifies Meteor as a Windows wiper and links it to multiple execution, discovery, defense-impairment, stealth, persistence/privilege-escalation, command-and-control, and impact techniques. The strongest defensive takeaway is to validate destructive-intrusion readiness across Windows endpoints and Active Directory, not to assume a single malware indicator will be available or durable.
MITRE provides no official detection section for this object, no aliases, and no object-level tactics. The description includes historical reporting and a likely relationship to Stardust and Comet, but this take does not infer current activity, attribution, or exposure. Some related technique descriptions list non-Windows platforms; because Meteor’s supplied platform is Windows, local validation should focus on Windows unless an organization has separate evidence to expand scope.
Meteor
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | |
| Enterprise | T1489 | Service Stop | |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | |
| Enterprise | T1685 | Disable or Modify Tools | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1491.001 | Internal Defacement Sub-technique | |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | |
| Enterprise | T1059.001 | PowerShell Sub-technique | |
| Enterprise | T1531 | Account Access Removal | |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1564.003 | Hidden Window Sub-technique | |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1490 | Inhibit System Recovery | |
| Enterprise | T1485 | Data Destruction | |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | |
| Enterprise | T1070.004 | File Deletion Sub-technique | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1484.001 | Group Policy Modification Sub-technique | |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 5f26a84253ee… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Check Point Meteor Aug 2021: Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022.
[2] mitre-attack S0688
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.