WINDSHIELD

WINDSHIELD is a signature backdoor used by APT32. ^[1]

ID: S0155

ⓘ

Type: MALWARE

Version: 1.0

Created: 14 December 2017

Last Modified: 17 October 2018

Techniques Used

Domain	ID		Name	Use
Enterprise	T1012		查询注册表	WINDSHIELD can gather Registry values.^[1]
Enterprise	T1070	.004	移除指标: File Deletion	WINDSHIELD is capable of file deletion along with other file system interaction.^[1]
Enterprise	T1082		系统信息发现	WINDSHIELD can gather the victim computer name.^[1]
Enterprise	T1033		系统所有者/用户发现	WINDSHIELD can gather the victim user name.^[1]
Enterprise	T1095		非应用层协议	WINDSHIELD C2 traffic can communicate via TCP raw sockets.^[1]

Groups That Use This Software

ID	Name	References
G0050	APT32	^[1]

References

Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017.