S0150: POSHSPY
Analyst context for executives and security teams
POSHSPY matters because it represents a Windows backdoor described by ATT&CK as a secondary access mechanism used by APT29 if primary backdoors were lost. For leaders, the decision value is not a single malware name; it is whether the organization can find resilient, low-noise persistence that blends PowerShell, WMI event subscriptions, obfuscation, encrypted command-and-control, and evasive data movement.
Executive priority
Prioritize this as a resilience and incident-readiness scenario for Windows environments, especially where compromise response depends on proving that backup access paths have been removed. Executives should ask whether IR playbooks validate WMI persistence, PowerShell execution history, unusual DNS/C2 behavior, and file timestamp manipulation before declaring containment complete. The APT29 relationship increases the need for disciplined evidence collection and threat-informed control validation, but the supplied ATT&CK data does not establish current activity or exposure in any specific environment.
Technical view
ATT&CK provides no native detection text for POSHSPY, so SOC and detection engineering should validate coverage through the related techniques: PowerShell execution (T1059.001), WMI Event Subscription persistence/privilege escalation (T1546.003), obfuscated files or information (T1027), timestomping (T1070.006), ingress tool transfer (T1105), data transfer size limits (T1030), domain generation algorithms (T1568.002), and asymmetric cryptography for C2 (T1573.002). For Windows hosts, confirm visibility into WMI filter/consumer/binding creation, PowerShell script block or equivalent command telemetry, suspicious file metadata changes, and network patterns consistent with dynamic domains, encrypted C2, staged tool transfer, or chunked outbound transfer.
Likely telemetry
- Windows endpoint process creation and command-line telemetry for PowerShell activity
- PowerShell logging or equivalent script/command visibility where available
- WMI repository and event subscription evidence, including filters, consumers, and bindings
- Windows security, system, and endpoint detection logs tied to persistence creation and execution
- File system metadata and forensic artifacts that can reveal timestamp anomalies
Detection direction
- Do not rely on a POSHSPY signature alone; map detections to the related ATT&CK behaviors because the object has no official detection guidance.
- Validate WMI persistence detections for creation or modification of event filters, consumers, and bindings, and tune against legitimate administrative tooling.
- Review PowerShell detections for encoded, obfuscated, remote, or unusual execution patterns while accounting for sanctioned automation and administration.
- Correlate host persistence events with DNS and network anomalies such as high-volume domain lookups, rare domains, encrypted outbound sessions, tool downloads, or chunked transfers.
- Add forensic checks for timestomping during incident response because timestamp manipulation can weaken timeline-based scoping.
Mitigation priorities
- Harden and monitor Windows PowerShell and WMI usage with least privilege, administrative boundaries, and logging sufficient for investigation.
- Restrict who can create WMI event subscriptions and periodically audit existing subscriptions for unauthorized persistence.
- Improve egress governance and DNS monitoring so dynamic C2 and unusual encrypted outbound communication are reviewable.
- Maintain endpoint visibility capable of linking process, script, persistence, file metadata, and network activity during investigations.
- Build IR containment checklists that explicitly search for secondary backdoors and persistence mechanisms before restoring trust.
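One way to carry out the WMI event subscription audit called for in the detection and mitigation lists above (an added example, not code from the ATT&CK page, MITRE, or the FireEye report; it assumes local administrator rights on the host under review and uses a constructed keyword list you should tune to your own baseline):

```powershell
# Added example, not code from the ATT&CK page or from POSHSPY: enumerate permanent
# WMI event subscriptions (the T1546.003 persistence mechanism) and flag consumers
# that launch PowerShell or carry encoded or download-style payloads.
# Assumes Windows PowerShell 5.1+ with local administrator rights.
$ns = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

# Constructed heuristic keyword list (tune to your environment); matched case-insensitively
$keywords = 'powershell', '-enc', '-encodedcommand', 'frombase64string', 'iex ',
            'invoke-expression', 'downloadstring', 'downloadfile', '-w hidden', 'bypass'

# Windows ships one benign binding by default; treat it as baseline, not as a finding
$knownGood = @('SCM Event Log Filter')

$report = foreach ($b in $bindings) {
    # Filter and Consumer are CIM reference properties that carry the key property Name
    $f = $filters   | Where-Object Name -eq $b.Filter.Name   | Select-Object -First 1
    $c = $consumers | Where-Object Name -eq $b.Consumer.Name | Select-Object -First 1
    # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer exposes ScriptText
    $payload = (@($c.CommandLineTemplate, $c.ScriptText, $c.ExecutablePath) -join ' ').Trim()
    $hits = @($keywords | Where-Object { $payload -match [regex]::Escape($_) })
    [pscustomobject]@{
        Filter        = $f.Name
        Query         = $f.Query
        ConsumerClass = $c.CimClass.CimClassName
        Consumer      = $c.Name
        Payload       = $payload
        Matched       = ($hits -join ',')
        Suspicious    = ($hits.Count -gt 0) -and ($f.Name -notin $knownGood)
    }
}

# Review every binding, then focus on the flagged rows; any consumer class other than
# NTEventLogEventConsumer bound to a non-default filter deserves a closer look.
$report | Sort-Object Suspicious -Descending | Format-List
```

Keep the full (unflagged) output as a periodic baseline so new bindings stand out between runs.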
Analyst notes and limits
The strongest defensive angle is the combination of Windows backdoor behavior, PowerShell execution, WMI event subscription persistence, obfuscation, encrypted/dynamic C2, and evasion of transfer thresholds. The supplied relationship to APT29 is relevant for threat-informed prioritization, but should not be treated as proof of current targeting or compromise. Use local telemetry and asset criticality to decide whether this is a hunt priority, a detection engineering gap, or an IR validation requirement.
ATT&CK does not provide official detection text, aliases, labels, or explicit malware tactics for this object. Several details must therefore be inferred only from the supplied relationships and external reference title, not from direct procedure text. Environment-specific tooling, logging configuration, and baselines are required to determine actual detection coverage.
POSHSPY
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1030 | Data Transfer Size Limits | POSHSPY uploads data in 2048-byte chunks. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1568.002 | Domain Generation Algorithms | POSHSPY uses a DGA to derive command and control URLs from a word list. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1027 | Obfuscated Files or Information | POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1059.001 | PowerShell | POSHSPY uses PowerShell to execute various commands, one to execute its payload. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1573.002 | Asymmetric Cryptography | POSHSPY encrypts C2 traffic with AES and RSA. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1105 | Ingress Tool Transfer | POSHSPY downloads and executes additional PowerShell code and Windows binaries. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1070.006 | Timestomp | POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013. (Citation: FireEye POSHSPY April 2017) |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | POSHSPY uses a WMI event subscription to establish persistence. (Citation: FireEye POSHSPY April 2017) |
Groups, software, and campaigns
G0016: APT29
APT29 is a threat group that has been attributed to Russia's Foreign Intelligence Service (SVR).[1][2] They have operated since at least 2008, often targeting government networks in Europe and NATO member countries, research institutes, and think tanks. APT29 reportedly compromised the Democratic National Committee starting in the summer of 2015.[3][4][5][6]
In April 2021, the US and UK governments attributed the SolarWinds Compromise to the SVR; public statements included citations to APT29, Cozy Bear, and The Dukes.[7][8] Industry reporting also referred to the actors involved in this campaign as UNC2452, NOBELIUM, StellarParticle, Dark Halo, and SolarStorm.[9][10][11][12][13][14]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | 2ec4c22deccb… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye POSHSPY April 2017: Dunwoody, M. (2017, April 3). Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017.
- [2] POSHSPY (Citation: FireEye POSHSPY April 2017)
- [3] mitre-attack S0150
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.