S1099: Samurai
Analyst context for executives and security teams
Samurai matters because it represents a Windows passive backdoor capability tied in ATT&CK to remote administration, lateral movement support, arbitrary C# execution, and stealthy command-and-control patterns. For leaders, the decision value is not a single malware name; it is whether the organization can prove visibility into Windows service persistence, Registry activity, command shell execution, tool transfer, discovery, and unusual web or non-application-layer communications before an intrusion becomes hard to scope.
Executive priority
Prioritize Samurai as a readiness test for Windows endpoint visibility, SOC triage quality, and incident response containment. The ATT&CK record has no official detection guidance, so executives should ask whether existing EDR, network monitoring, service-change auditing, and Registry logging produce usable evidence for backdoor persistence, C2, discovery, and lateral-movement-enabling behavior. This is also useful audit evidence for control coverage around privileged system changes and malware response procedures.
Technical view
ATT&CK lists Samurai as Windows malware used by ToddyCat and associated with arbitrary C# code execution, modules for remote administration and lateral movement, and techniques including Windows Command Shell, Native API, Registry query/modify, Windows service persistence, file/software discovery, ingress tool transfer, proxying, web protocols, non-application-layer protocols, standard encoding, symmetric cryptography, compression, dynamic API resolution, compile-after-delivery, obfuscation, and resource-name/location masquerading. SOC and IR teams should validate detections around behavior chains rather than relying on a malware signature: suspicious service creation or modification followed by Registry changes, command shell execution, local discovery, payload/tool transfer, and abnormal outbound or internal proxy-like traffic.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially cmd.exe and unusual child/parent process chains
- Windows service creation, modification, startup configuration, and service executable path telemetry
- Windows Registry query and modification events, especially persistence- or service-related keys
- File creation, rename, compression/archive, compile-after-delivery, and suspicious placement in legitimate-looking paths
- EDR or host telemetry for Native API usage patterns, dynamic API resolution indicators, and obfuscated payload behavior where available
Detection direction
- Because MITRE provides no official detection text for Samurai, validate coverage against the related ATT&CK behaviors and local baselines rather than assuming product coverage.
- Correlate Windows service changes with newly written binaries, suspicious paths or names, Registry modifications, and subsequent outbound communications.
- Tune command shell and discovery detections to reduce noise from administrators and management tooling while retaining alerts for unusual execution context, timing, hosts, or chained activity.
- Review whether network monitoring can distinguish routine web traffic from suspicious encoded, encrypted, proxied, or tool-transfer communications; expect encrypted or encoded C2 content to limit payload inspection.
- Include detections for compile-after-delivery and obfuscation-adjacent behavior, such as unexpected compiler use, compressed payload staging, or files masquerading as legitimate resources.
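To make the correlation direction above concrete, the following Python is an added example (not Glexia's, MITRE's, or any EDR vendor's code, and not derived from Samurai samples). It assumes Windows telemetry has already been normalized into dicts by a SIEM or EDR pipeline; the field names, the stage mapping, the 30-minute window, the "expected service directory" list and every sample event are assumptions constructed for the illustration. The point it shows is the behavior-chain idea: no single event fires, but a service binary written outside the usual locations, a service install pointing at it, a Services-key Registry write, a cmd.exe spawn and an outbound connection on one host inside one window do.

```python
"""Behavior-chain correlation over normalized Windows telemetry (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Chain stages, loosely mapped to the techniques listed for Samurai
# (T1105/T1036.005, T1543.003, T1112, T1059.003, T1071.001/T1095).
STAGES = ("file_write", "service_change", "registry_modify", "shell_exec", "network_out")

# Assumed baseline: where legitimate service binaries normally live on this estate.
EXPECTED_SERVICE_DIRS = (
    "c:\\windows\\system32\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)

# Registry locations tied to service persistence (assumed set for this example).
PERSISTENCE_KEY_PREFIXES = ("hklm\\system\\currentcontrolset\\services\\",)

WINDOW = timedelta(minutes=30)  # assumed correlation window


def _ts(s):
    return datetime.fromisoformat(s)


def classify(event):
    """Map one normalized event to a chain stage, or None if it is not interesting."""
    kind = event["kind"]
    if kind == "file_create" and event["path"].lower().endswith((".exe", ".dll")):
        return "file_write"
    if kind == "service_install":
        # Service binary outside the expected directories: suspicious path/name.
        if not event["image_path"].lower().startswith(EXPECTED_SERVICE_DIRS):
            return "service_change"
    if kind == "registry_set" and event["key"].lower().startswith(PERSISTENCE_KEY_PREFIXES):
        return "registry_modify"
    if kind == "process_create" and event["image"].lower().endswith("\\cmd.exe"):
        return "shell_exec"
    if kind == "network_connect" and not event.get("dest_internal", False):
        return "network_out"
    return None


def correlate(events, min_stages=3):
    """Emit one finding per host when at least min_stages distinct chain stages
    occur within WINDOW of some classified event on that host."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((_ts(ev["ts"]), stage, ev))
    findings = []
    for host, items in by_host.items():
        for i, (t0, _, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - t0 <= WINDOW]
            stages = {s for _, s, _ in in_window}
            if len(stages) >= min_stages:
                findings.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "stages": sorted(stages, key=STAGES.index),
                    "events": [it[2] for it in in_window],
                })
                break  # one finding per host is enough for triage
    return findings


# Constructed sample telemetry, not real events. WS01 carries a full chain;
# SRV02 is routine admin work; WS03 has pieces that fall outside the window.
SAMPLE_EVENTS = [
    {"host": "WS01", "ts": "2024-01-03T10:00:00", "kind": "file_create",
     "path": "C:\\ProgramData\\Intel\\svchost.exe"},
    {"host": "WS01", "ts": "2024-01-03T10:00:05", "kind": "service_install",
     "name": "IntelUpdate", "image_path": "C:\\ProgramData\\Intel\\svchost.exe"},
    {"host": "WS01", "ts": "2024-01-03T10:00:06", "kind": "registry_set",
     "key": "HKLM\\SYSTEM\\CurrentControlSet\\Services\\IntelUpdate\\Parameters"},
    {"host": "WS01", "ts": "2024-01-03T10:01:00", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c tasklist"},
    {"host": "WS01", "ts": "2024-01-03T10:02:00", "kind": "network_connect",
     "image": "C:\\ProgramData\\Intel\\svchost.exe", "dest": "203.0.113.10",
     "dest_port": 443, "dest_internal": False},
    {"host": "SRV02", "ts": "2024-01-03T11:00:00", "kind": "service_install",
     "name": "W32Time", "image_path": "C:\\Windows\\System32\\svchost.exe"},
    {"host": "SRV02", "ts": "2024-01-03T11:00:30", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c sc query"},
    {"host": "WS03", "ts": "2024-01-03T09:00:00", "kind": "file_create",
     "path": "C:\\Users\\Public\\tool.exe"},
    {"host": "WS03", "ts": "2024-01-03T12:00:00", "kind": "process_create",
     "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS03", "ts": "2024-01-03T12:01:00", "kind": "network_connect",
     "image": "C:\\Users\\Public\\tool.exe", "dest": "198.51.100.7",
     "dest_port": 8080, "dest_internal": False},
]

if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f["host"], f["start"], " -> ".join(f["stages"]))
```

With the default threshold only WS01 produces a finding; SRV02's legitimate service install and cmd.exe use never classify as a chain, and WS03's early file write is too far from its later shell and network activity to land in the same window. Lowering min_stages to 2 surfaces WS03 as well, which is the tuning trade-off the bullets above describe: the threshold and window are where administrator noise is traded against missed short chains.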
Mitigation priorities
- Harden and monitor Windows service creation and modification, especially where administrative privileges are required.
- Restrict unnecessary command shell, compiler, and scripting access through least privilege and application control where operationally feasible.
- Strengthen Registry auditing and change control for persistence-relevant locations.
- Limit outbound connectivity and proxy paths to business-required destinations, and retain logs sufficient for C2 investigation.
- Ensure EDR and central logging cover process, service, Registry, file, and network events on Windows systems in scope.
Analyst notes and limits
The most useful defensive framing is a behavior-chain assessment: persistence through Windows services and Registry changes, execution through command shell or Native APIs, stealth through obfuscation/compression/API resolution/masquerading, discovery of local data and software, and C2 through web, proxy, non-application-layer, encoded, or encrypted channels. Related technique platform lists include non-Windows platforms because they are generic ATT&CK techniques; the Samurai software object itself is supplied as Windows.
This take is limited to the supplied ATT&CK STIX fields, external references, and relationships. MITRE does not provide official detection guidance, aliases, labels, or explicit tactics for the Samurai software object in the supplied data. No local indicators, hashes, infrastructure, prevalence, active exploitation status, or customer exposure can be inferred from this record alone.
Samurai
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1027.015 | Obfuscated Files or Information: Compression | |
| Enterprise | T1112 | Modify Registry | |
| Enterprise | T1027.004 | Obfuscated Files or Information: Compile After Delivery | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | |
| Enterprise | T1012 | Query Registry | |
| Enterprise | T1036.005 | Masquerading: Match Legitimate Resource Name or Location | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | |
| Enterprise | T1027 | Obfuscated Files or Information | |
| Enterprise | T1106 | Native API | |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1518 | Software Discovery | |
Groups, software, and campaigns
G1022: ToddyCat
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | f7991cf87e7e… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Kaspersky ToddyCat June 2022: Dedola, G. (2022, June 21). APT ToddyCat. Retrieved January 3, 2024.
- [2] mitre-attack S1099
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.