S0155: WINDSHIELD
WINDSHIELD is a signature backdoor used by APT32. [1]
Analyst context for executives and security teams
WINDSHIELD matters because MITRE identifies it as a backdoor associated with APT32, with related behaviors that include host discovery, user discovery, registry querying, file deletion, and non-application-layer command-and-control. For leaders, the practical issue is not the malware name alone; it is whether endpoint and network controls can prove visibility into quiet reconnaissance, cleanup activity, and unusual C2 patterns during an intrusion investigation.
Executive priority
Treat this as a validation case for intrusion readiness rather than a standalone vulnerability item. Security leaders should ask whether SOC and IR teams can reconstruct discovery activity, account context, registry access, file deletion, and network communications if a backdoor is suspected. Organizations with exposure to sectors or regions noted in the APT32 relationship context should ensure threat intelligence requirements, evidence retention, and escalation playbooks account for strategically targeted activity, while avoiding assumptions of current exposure without local indicators.
Technical view
MITRE provides no direct detection text, platforms, or tactics for WINDSHIELD itself. The usable defensive direction comes from its relationships: Query Registry, System Owner/User Discovery, System Information Discovery, File Deletion, and Non-Application Layer Protocol. Detection engineering should validate coverage for Windows registry query activity where applicable, user and system discovery commands or API-driven equivalents, suspicious deletion of recently created tools or artifacts, and network traffic using protocols or patterns not expected for the host role. IR teams should preserve host and network evidence early because file deletion is part of the related behavior set.
Likely telemetry
- Endpoint process execution and command-line telemetry
- Windows Registry access/query telemetry where Windows systems are in scope
- User logon/session and account context records
- Host inventory and system information collection events
- File creation, modification, and deletion events
Detection direction
- Do not rely on a WINDSHIELD signature alone; validate behavior-based coverage for the related ATT&CK techniques.
- Correlate discovery behaviors with unusual parent processes, unexpected execution paths, or activity by accounts that do not normally perform administration.
- Tune registry-query detections carefully to reduce false positives from legitimate software inventory, IT management, and security tooling.
- Review file deletion alerts in context with prior file creation, tool transfer, script execution, or discovery events.
- For non-application-layer C2, validate that network monitoring can distinguish expected infrastructure traffic from unusual patterns. The ATT&CK relationship text notes WINDSHIELD C2 can use raw TCP sockets, so outbound TCP sessions carrying no recognizable application-layer protocol are the most directly relevant pattern; unusual ICMP, UDP, tunneled, or redirected traffic belongs in the same review where local telemetry supports it.
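The Technical view and the Detection direction list above both come down to one idea: none of the related techniques is alarming on its own, so the value is in correlating them per host within a short window. The script below is an added illustration of that correlation, not code from MITRE, FireEye, or this site. It runs over constructed, Sysmon-like event records (hypothetical hosts WS01/WS02, user j.doe, documentation-range IP 203.0.113.25, and a hypothetical `update.exe` staging path are all assumptions) and alerts when a host shows at least three distinct behavior categories (discovery, registry query, staging-path file deletion, unusual outbound connection) inside ten minutes. Raw-socket C2 is not visible as such in process-level telemetry; the proxy signal used here is an outbound connection to a non-internal address on a port with no expected application-layer protocol, which must be tuned locally.

```python
"""Correlate per-host behaviors mapped to the ATT&CK techniques related to
WINDSHIELD: T1033/T1082 (discovery), T1012 (Query Registry), T1070.004
(File Deletion) and T1095 (Non-Application Layer Protocol).
All events below are CONSTRUCTED samples, not real telemetry."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon-like events (hypothetical hosts, users, paths and IPs).
SAMPLE_EVENTS = [
    # WS01: quiet discovery, registry query, cleanup and an odd outbound socket,
    # all driven from a binary in the user's Temp directory.
    {"ts": "2024-03-01T09:00:05", "host": "WS01", "user": "j.doe", "type": "process",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami",
     "parent": r"C:\Users\j.doe\AppData\Local\Temp\update.exe"},
    {"ts": "2024-03-01T09:00:09", "host": "WS01", "user": "j.doe", "type": "process",
     "image": r"C:\Windows\System32\hostname.exe", "cmdline": "hostname",
     "parent": r"C:\Users\j.doe\AppData\Local\Temp\update.exe"},
    {"ts": "2024-03-01T09:00:20", "host": "WS01", "user": "j.doe", "type": "process",
     "image": r"C:\Windows\System32\reg.exe",
     "cmdline": r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName',
     "parent": r"C:\Users\j.doe\AppData\Local\Temp\update.exe"},
    {"ts": "2024-03-01T09:01:02", "host": "WS01", "user": "j.doe", "type": "file_delete",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\update.exe",
     "target": r"C:\Users\j.doe\AppData\Local\Temp\s.bat"},
    {"ts": "2024-03-01T09:01:30", "host": "WS01", "user": "j.doe", "type": "network",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\update.exe",
     "dst_ip": "203.0.113.25", "dst_port": 4444, "proto": "tcp"},
    # WS02: an inventory agent runs systeminfo and talks to an internal server.
    {"ts": "2024-03-01T09:05:00", "host": "WS02", "user": "SYSTEM", "type": "process",
     "image": r"C:\Windows\System32\systeminfo.exe", "cmdline": "systeminfo",
     "parent": r"C:\Program Files\Inventory\agent.exe"},
    {"ts": "2024-03-01T09:05:03", "host": "WS02", "user": "SYSTEM", "type": "network",
     "image": r"C:\Program Files\Inventory\agent.exe",
     "dst_ip": "10.0.5.20", "dst_port": 443, "proto": "tcp"},
]

WINDOW = timedelta(minutes=10)
MIN_CATEGORIES = 3
DISCOVERY_RE = re.compile(r"^(whoami|hostname|systeminfo|net\s+user|query\s+user|ipconfig)\b", re.I)
REG_QUERY_RE = re.compile(r"^reg(\.exe)?\s+query\b", re.I)
STAGING_RE = re.compile(r"\\(Temp|AppData|ProgramData|Public)\\", re.I)
WEB_PORTS = {80, 443, 8080, 8443}          # tune to the host role locally
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip: str) -> bool:
    """True for RFC 1918 / loopback destinations; everything else is 'external'."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def classify(ev: dict):
    """Map one event to the behavior category it evidences, or None."""
    if ev["type"] == "process":
        cmd = ev.get("cmdline", "")
        if REG_QUERY_RE.match(cmd):
            return "registry_query"        # T1012
        if DISCOVERY_RE.match(cmd):
            return "discovery"             # T1033 / T1082
    elif ev["type"] == "file_delete":
        # Deleting artifacts from a staging location is the cleanup pattern (T1070.004).
        if STAGING_RE.search(ev.get("target", "")):
            return "file_deletion"
    elif ev["type"] == "network":
        # Proxy for T1095: external destination on a port with no expected app protocol.
        if not is_internal(ev["dst_ip"]) and ev["dst_port"] not in WEB_PORTS:
            return "unusual_c2"
    return None


def correlate(events, window=WINDOW, min_categories=MIN_CATEGORIES):
    """Alert per host when enough distinct categories fall inside one window."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        cat = classify(ev)
        if cat:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), cat, ev))
    alerts = []
    for host, hits in by_host.items():
        for i, (start, _, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = {c for _, c, _ in in_window}
            if len(cats) >= min_categories:
                # Flag whether the acting or parent binary lives in a staging path.
                staging = any(STAGING_RE.search(e.get("parent", "") + e.get("image", ""))
                              for _, _, e in in_window)
                alerts.append({"host": host, "categories": sorted(cats),
                               "first": in_window[0][0].isoformat(),
                               "last": in_window[-1][0].isoformat(),
                               "staging_path_actor": staging})
                break                      # one alert per host
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

WS01 produces one alert with all four categories and a staging-path actor; WS02 shows only a single discovery command to an internal destination and stays quiet, which is the false-positive case the tuning note above is about. In production the same logic would read Sysmon event IDs 1, 11/23 and 3 (or the EDR equivalents) rather than the embedded list, and the thresholds, port allow-list and staging-path pattern should reflect local baselines.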
Mitigation priorities
- Prioritize endpoint logging, EDR retention, and centralized collection sufficient to support backdoor investigations.
- Harden and monitor administrative access so user and system discovery can be tied to accountable identities and expected workflows.
- Restrict unnecessary outbound network paths and review egress controls for protocols not required by business functions.
- Preserve forensic evidence quickly during suspected compromise, especially where cleanup or file deletion may occur.
- Maintain threat-informed IR playbooks that map suspected backdoor activity to discovery, stealth, and C2 investigation steps.
Analyst notes and limits
The object is a malware entry for WINDSHIELD, described by MITRE as a signature backdoor used by APT32. The strongest defensive value comes from the related techniques rather than from object-level detection guidance, which MITRE does not provide. The APT32 relationship adds targeting context from the supplied group description, but incident attribution would require separate evidence.
Platforms, tactics, labels, aliases, and official detection are not specified for the WINDSHIELD object itself. Related techniques include platform and tactic context, but that should not be treated as a complete platform list for the malware. No claim is made here about current exploitation, prevalence, customer exposure, or guaranteed detection.
WINDSHIELD
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1095 | Non-Application Layer Protocol | WINDSHIELD C2 traffic can communicate via TCP raw sockets. [1] |
| Enterprise | T1033 | System Owner/User Discovery | WINDSHIELD can gather the victim user name. [1] |
| Enterprise | T1012 | Query Registry | WINDSHIELD can gather Registry values. [1] |
| Enterprise | T1082 | System Information Discovery | WINDSHIELD can gather the victim computer name. [1] |
| Enterprise | T1070.004 | Indicator Removal: File Deletion (sub-technique) | WINDSHIELD is capable of file deletion along with other file system interaction. [1] |
Groups, software, and campaigns
G0050: APT32
APT32 is a suspected Vietnam-based threat group that has been active since at least 2014. The group has targeted multiple private sector industries as well as foreign governments, dissidents, and journalists with a strong focus on Southeast Asian countries like Vietnam, the Philippines, Laos, and Cambodia. They have extensively used strategic web compromises to compromise victims.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | b0847fe9e815… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye APT32 May 2017: Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. FireEye. Retrieved June 18, 2017.
[2] mitre-attack S0155: MITRE ATT&CK source object for WINDSHIELD (mirrored bundle).
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.