Skip to content


QUADAGENT is a PowerShell backdoor used by OilRig. 1

Item Value
ID S0269
Associated Names
Version 1.2
Created 17 October 2018
Last Modified 22 March 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols QUADAGENT uses HTTPS and HTTP for C2 communications.1
enterprise T1071.004 DNS QUADAGENT uses DNS for C2 communications.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell QUADAGENT uses PowerShell scripts for execution.1
enterprise T1059.003 Windows Command Shell QUADAGENT uses cmd.exe to execute scripts and commands on the victim’s machine.1
enterprise T1059.005 Visual Basic QUADAGENT uses VBScripts.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding QUADAGENT encodes C2 communications with base64.1
enterprise T1140 Deobfuscate/Decode Files or Information QUADAGENT uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.1
enterprise T1008 Fallback Channels QUADAGENT uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful.1
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion QUADAGENT has a command to delete its Registry key and scheduled task.1
enterprise T1036 Masquerading -
enterprise T1036.005 Match Legitimate Name or Location QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.1
enterprise T1112 Modify Registry QUADAGENT modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.010 Command Obfuscation QUADAGENT was likely obfuscated using Invoke-Obfuscation.12
enterprise T1027.011 Fileless Storage QUADAGENT stores a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications within a Registry key (such as HKCU\Office365DCOMCheck) in the HKCU hive.1
enterprise T1012 Query Registry QUADAGENT checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task QUADAGENT creates a scheduled task to maintain persistence on the victim’s machine.1
enterprise T1016 System Network Configuration Discovery QUADAGENT gathers the current domain the victim system belongs to.1
enterprise T1033 System Owner/User Discovery QUADAGENT gathers the victim username.1

Groups That Use This Software

ID Name References
G0049 OilRig 1