Skip to content

S0155 WINDSHIELD

WINDSHIELD is a signature backdoor used by APT32. 1

Item Value
ID S0155
Type MALWARE
Version 1.0
Created 14 December 2017
Last Modified 17 October 2018
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1070 Indicator Removal -
enterprise T1070.004 File Deletion WINDSHIELD is capable of file deletion along with other file system interaction.1
enterprise T1095 Non-Application Layer Protocol WINDSHIELD C2 traffic can communicate via TCP raw sockets.1
enterprise T1012 Query Registry WINDSHIELD can gather Registry values.1
enterprise T1082 System Information Discovery WINDSHIELD can gather the victim computer name.1
enterprise T1033 System Owner/User Discovery WINDSHIELD can gather the victim user name.1

Groups That Use This Software

ID Name References
G0050 APT32 1

References

  1. Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.