S1017 OutSteel

OutSteel is a file uploader and document stealer developed with the scripting language AutoIT that has been used by Ember Bear since at least March 2021.[1]

| Item | Value |
| --- | --- |
| ID | S1017 |
| Version | 1.0 |
| Created | 09 June 2022 |
| Last Modified | 09 June 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | OutSteel has used HTTP for C2 communications.[1] |
| enterprise | T1119 | Automated Collection | OutSteel can automatically scan for and collect files with specific extensions.[1] |
| enterprise | T1020 | Automated Exfiltration | OutSteel can automatically upload collected files to its C2 server.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | OutSteel has used cmd.exe to scan a compromised host for specific file extensions.[1] |
| enterprise | T1005 | Data from Local System | OutSteel can collect information from a compromised host.[1] |
| enterprise | T1041 | Exfiltration Over C2 Channel | OutSteel can upload files from a compromised host over its C2 channel.[1] |
| enterprise | T1083 | File and Directory Discovery | OutSteel can search for specific file extensions, including zipped files.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | OutSteel can delete itself following the successful execution of a follow-on payload.[1] |
| enterprise | T1105 | Ingress Tool Transfer | OutSteel can download files from its C2 server.[1] |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | OutSteel has been distributed as a malicious attachment within a spearphishing email.[1] |
| enterprise | T1566.002 | Spearphishing Link | OutSteel has been distributed through malicious links contained within spearphishing emails.[1] |
| enterprise | T1057 | Process Discovery | OutSteel can identify running processes on a compromised host.[1] |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | OutSteel has relied on a user to click a malicious link within a spearphishing email.[1] |
| enterprise | T1204.002 | Malicious File | OutSteel has relied on a user to execute a malicious attachment delivered via spearphishing.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G1003 | Ember Bear | [1] |