Description
[Windshift](https://attack.mitre.org/groups/G0112) is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East. (Citations: SANS Windshift, August 2018; objective-see WindTail part 1, December 2018; objective-see WindTail part 2, January 2019)
Techniques Used (TTPs)
- T1057 — Process Discovery (discovery)
- T1189 — Drive-by Compromise (initial-access)
- T1059.005 — Visual Basic (execution)
- T1518.001 — Security Software Discovery (discovery)
- T1566.001 — Spearphishing Attachment (initial-access)
- T1204.001 — Malicious Link (execution)
- T1566.003 — Spearphishing via Service (initial-access)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1518 — Software Discovery (discovery)
- T1566.002 — Spearphishing Link (initial-access)
- T1036.001 — Invalid Code Signature (defense-evasion)
- T1027 — Obfuscated Files or Information (defense-evasion)
- T1071.001 — Web Protocols (command-and-control)
- T1036 — Masquerading (defense-evasion)
- T1105 — Ingress Tool Transfer (command-and-control)
- T1047 — Windows Management Instrumentation (execution)
- T1033 — System Owner/User Discovery (discovery)
- T1082 — System Information Discovery (discovery)
- T1204.002 — Malicious File (execution)
Total TTPs: 19
Malware & Tools
Malware: WindTail