

WINDSHIELD is a signature backdoor used by APT32. [1]

Item | Value
ID | S0155
Version | 1.0
Created | 14 December 2017
Last Modified | 17 October 2018

Techniques Used

Domain | ID | Name | Use
enterprise | T1070 | Indicator Removal on Host | -
enterprise | T1070.004 | File Deletion | WINDSHIELD is capable of file deletion along with other file system interaction. [1]
enterprise | T1095 | Non-Application Layer Protocol | WINDSHIELD C2 traffic can communicate via TCP raw sockets. [1]
enterprise | T1012 | Query Registry | WINDSHIELD can gather Registry values. [1]
enterprise | T1082 | System Information Discovery | WINDSHIELD can gather the victim computer name. [1]
enterprise | T1033 | System Owner/User Discovery | WINDSHIELD can gather the victim user name. [1]

Groups That Use This Software

ID | Name | References
G0050 | APT32 | [1]

