S1065: Woody RAT

Woody RAT is a Windows remote access trojan documented by ATT&CK as used since at least August 2021 against Russian organizations. Its ATT&CK relationships matter because they describe a full post-compromise pattern: execution through user/client-side paths, host and account discovery, registry and software inspection, process injection/hollowing for stealth, local data collection, screen capture, tool transfer, web-based command-and-control, and exfiltration over that C2 channel. For leaders, this is less about one malware name and more about whether Windows endpoint, network, and response capabilities can see and contain a RAT that blends discovery, collection, and C2 behavior.

Executive priority

Treat this as a coverage-validation use case for Windows RAT defense. Priority questions: can the organization prove it collects the endpoint, PowerShell/cmd, process, registry, file, and web traffic evidence needed to investigate a remote access compromise; can incident responders quickly determine what data was accessed or exfiltrated; and are client application exposure, malicious-file handling, and egress controls managed as part of resilience and audit evidence? Because ATT&CK provides no detection text for Woody RAT, local telemetry and control validation are decisive.

Technical view

SOC and IR teams should validate coverage around the related ATT&CK behaviors rather than relying on a malware-specific signature. On Windows systems, look for suspicious PowerShell or Windows Command Shell execution, registry queries, user/account/software/network/process discovery, file and directory enumeration, screen capture activity, creation or transfer of tools/files, file deletion, encoded or decoded artifacts, process injection or process hollowing indicators, and outbound HTTP/S or similar web-protocol C2 followed by possible exfiltration over the same channel. Correlate these behaviors into sequences: initial execution via malicious file or client exploitation, discovery, stealth/process manipulation, collection, C2, and exfiltration.

Likely telemetry

Windows endpoint process creation and command-line telemetry
PowerShell execution and script block/module logging where available
Windows registry access/query telemetry
File creation, modification, deletion, and directory enumeration evidence
Endpoint detection telemetry for process injection and process hollowing behaviors

Detection direction

Build detections around behavior chains, not only the Woody RAT name: execution plus discovery plus C2/exfiltration is higher-confidence than any single administrative command.
Tune for Windows command shell and PowerShell misuse, while accounting for legitimate administration and software management activity.
Validate visibility into registry queries, account/user discovery, process discovery, software discovery, file/directory discovery, and network configuration or Internet connectivity checks.
Prioritize alerting and hunt logic for process injection and process hollowing, since these behaviors can hide malicious execution under legitimate process names.
Correlate outbound web-protocol traffic with unusual process lineage, newly created binaries, encoded/decoded artifacts, or post-execution discovery activity.

Mitigation priorities

Harden Windows execution paths first: reduce exposure to malicious files, keep client applications patched, and control script interpreter use where operationally feasible.
Improve endpoint prevention and visibility for process injection, process hollowing, suspicious child processes, registry access, and tool transfer.
Apply least privilege and access control so account discovery and local data collection yield less operationally sensitive information.
Strengthen egress governance for web-protocol traffic with proxy logging, DNS visibility, and review of unusual outbound destinations or processes.
Prepare IR playbooks for RAT intrusions that include host isolation, memory/filesystem triage, account review, data-access scoping, and C2/exfiltration assessment.

Analyst notes and limits

The supplied ATT&CK object is a malware entry for Woody RAT, external ID S1065, platform Windows, with Malwarebytes as the cited external reporting source. ATT&CK does not specify tactics directly on the malware object, but the relationship context maps it to execution, discovery, collection, stealth, privilege-escalation, command-and-control, and exfiltration techniques. No attribution should be inferred from the supplied fields.

Official detection guidance is not provided. The object states historical use against Russian organizations, but the supplied data does not support claims about current activity, affected customers, specific indicators, infrastructure, vulnerabilities, or guaranteed detection coverage. Local environment telemetry, baselines, and incident evidence are required to determine exposure and coverage.

Official MITRE ATT&CK definition

Woody RAT

Woody RAT is a remote access trojan (RAT) that has been used since at least August 2021 against Russian organizations.[1]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Filter related techniques 30 rows

Domain	ID	Name	Relationship / procedure
Enterprise	T1083	File and Directory Discovery	Woody RAT can list all files and their associated attributes, including filename, type, owner, creation time, last access time, last write time, size, and permissions.[1]
Enterprise	T1033	System Owner/User Discovery	Woody RAT can retrieve a list of user accounts and usernames from an infected machine.[1]
Enterprise	T1059.003	Windows Command Shell Sub-technique	Woody RAT can execute commands using `cmd.exe`.[1]
Enterprise	T1055.012	Process Hollowing Sub-technique	Woody RAT can create a suspended notepad process and write shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.[1]
Enterprise	T1082	System Information Discovery	Woody RAT can retrieve the following information from an infected machine: OS, architecture, computer name, OS build version, and environment variables.[1]
Enterprise	T1059.001	PowerShell Sub-technique	Woody RAT can execute PowerShell commands and scripts with the use of .NET DLL, `WoodyPowerSession`.[1]
Enterprise	T1041	Exfiltration Over C2 Channel	Woody RAT can exfiltrate files from an infected machine to its C2 server.[1]
Enterprise	T1057	Process Discovery	Woody RAT can call `NtQuerySystemProcessInformation` with `SystemProcessInformation` to enumerate all running processes, including associated information such as PID, parent PID, image name, and owner.[1]
Enterprise	T1027.013	Encrypted/Encoded File Sub-technique	Woody RAT has used Base64 encoded strings and scripts.[1]
Enterprise	T1680	Local Storage Discovery	Woody RAT can retrieve information about storage drives from an infected machine.[1]
Enterprise	T1518.001	Security Software Discovery Sub-technique	Woody RAT can detect Avast Software, Doctor Web, Kaspersky, AVG, ESET, and Sophos antivirus programs.[1]
Enterprise	T1087	Account Discovery	Woody RAT can identify administrator accounts on an infected machine.[1]
Enterprise	T1005	Data from Local System	Woody RAT can collect information from a compromised host.[1]
Enterprise	T1113	Screen Capture	Woody RAT has the ability to take a screenshot of the infected host desktop using Windows GDI+.[1]
Enterprise	T1140	Deobfuscate/Decode Files or Information	Woody RAT can deobfuscate Base64-encoded strings and scripts.[1]
Enterprise	T1105	Ingress Tool Transfer	Woody RAT can download files from its C2 server, including the .NET DLLs, `WoodySharpExecutor` and `WoodyPowerSession`.[1]
Enterprise	T1573.002	Asymmetric Cryptography Sub-technique	Woody RAT can use RSA-4096 to encrypt data sent to its C2 server.[1]
Enterprise	T1070.004	File Deletion Sub-technique	Woody RAT has the ability to delete itself from disk by creating a suspended notepad process and writing shellcode to delete a file into the suspended process using `NtWriteVirtualMemory`.[1]
Enterprise	T1055	Process Injection	Woody RAT can inject code into a targeted process by writing to the remote memory of an infected system and then create a remote thread.[1]
Enterprise	T1071.001	Web Protocols Sub-technique	Woody RAT can communicate with its C2 server using HTTP requests.[1]
Enterprise	T1566.001	Spearphishing Attachment Sub-technique	Woody RAT has been delivered via malicious Word documents and archive files.[1]
Enterprise	T1016.001	Internet Connection Discovery Sub-technique	Woody RAT can make `Ping` GET HTTP requests to its C2 server at regular intervals for network connectivity checks.[1]
Enterprise	T1204.002	Malicious File Sub-technique	Woody RAT has relied on users opening a malicious email attachment for execution.[1]
Enterprise	T1106	Native API	Woody RAT can use multiple native APIs, including `WriteProcessMemory`, `CreateProcess`, and `CreateRemoteThread` for process injection.[1]
Enterprise	T1685	Disable or Modify Tools	Woody RAT has suppressed all error reporting by calling `SetErrorMode` with 0x8007 as a parameter.[1]
Enterprise	T1016	System Network Configuration Discovery	Woody RAT can retrieve network interface and proxy information.[1]
Enterprise	T1203	Exploitation for Client Execution	Woody RAT has relied on CVE-2022-30190 (Follina) for execution during delivery.[1]
Enterprise	T1012	Query Registry	Woody RAT can search registry keys to identify antivirus programs on an compromised host.[1]
Enterprise	T1518	Software Discovery	Woody RAT can collect .NET, PowerShell, and Python information from an infected host.[1]
Enterprise	T1573.001	Symmetric Cryptography Sub-technique	Woody RAT can use AES-CBC to encrypt data sent to its C2 server.[1]

Relationship explorer

All related ATT&CK context

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.2
Created: Feb 14, 2023, 16:52 UTC (UTC+00:00)
Modified: Oct 21, 2025, 03:29 UTC (UTC+00:00)
Raw hash: 52e93b2e54c7c9b0...

Imported snapshots across ATT&CK releases (1)

Release	Bundle imported	Object version	Modified	Status	Raw hash
19.1	Jun 3, 2026, 07:54 UTC (UTC+00:00)	1.2	Oct 21, 2025, 03:29 UTC (UTC+00:00)	Current bundle	`52e93b2e54c7…`

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

[1]
MalwareBytes WoodyRAT Aug 2022

MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022.
Open source URL
[2]
mitre-attack S1065
Open source URL

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use

Analyst context for executives and security teams