S0176: Wingbird
Analyst context for executives and security teams
Wingbird matters because it is a Windows backdoor associated in ATT&CK reporting with targeted attacks against individual computers rather than broad network intrusion. For leaders, the practical risk is not just malware presence; the related behaviors point to stealth, persistence, privilege escalation, service abuse, DLL abuse, and discovery of security tooling. That combination can make a single compromised workstation strategically important, especially if it belongs to a high-value user or sensitive business function.
Executive priority
Treat Wingbird as a test of endpoint resilience and incident readiness for targeted compromise. Security leaders should ask whether high-risk Windows endpoints have enough telemetry to prove or disprove process injection, suspicious service creation or execution, LSASS driver modification, DLL abuse, privilege-escalation exploitation, file deletion, and security software discovery. The ATT&CK object has no official detection guidance, so priority should be placed on validating control evidence and response playbooks rather than assuming existing alert coverage.
Technical view
For SOC, detection engineering, and IR teams, coverage should be mapped to the related ATT&CK techniques: T1055 Process Injection, T1068 Exploitation for Privilege Escalation, T1070.004 File Deletion, T1082 System Information Discovery, T1518.001 Security Software Discovery, T1543.003 Windows Service, T1547.008 LSASS Driver, T1569.002 Service Execution, and T1574.001 DLL. Because the malware platform is Windows and official detection text is not provided, teams should validate host-based visibility around process lineage, module loading, service control activity, driver and registry changes tied to LSA/LSASS, deleted artifacts, and discovery commands or API activity that inventories system and security products.
Likely telemetry
- Windows endpoint detection and response events for process creation, process access, injection-like behavior, and parent-child process relationships
- Windows service creation, modification, start, and service control manager activity
- Registry and file-system monitoring for service configuration, DLL placement or loading paths, LSASS/LSA-related driver or package changes, and deleted files
- Privilege escalation indicators such as exploit-triggered crashes, abnormal child processes from privileged services, or unexpected integrity changes where locally observable
- Module load telemetry for unusual DLL loading, search-order abuse, or DLL execution from nonstandard locations
Detection direction
- Build detections from the relationship-driven behaviors rather than the malware name alone, since the official ATT&CK object does not provide detection logic.
- Prioritize correlations that combine service creation or service execution with unusual binaries, DLL loads, privilege changes, or file deletion on the same Windows host.
- Tune process injection analytics carefully against legitimate security, accessibility, management, and application software to reduce false positives while preserving visibility into unusual process access and memory manipulation patterns.
- Monitor LSASS/LSA-related driver or authentication package changes as high-signal events that require rapid validation because the related technique supports persistence and privilege escalation.
- Validate whether endpoint controls log security software discovery and system discovery activity; these behaviors may be treated as low severity in isolation but become material when paired with persistence or privilege-escalation events.
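The correlation described in the bullets above, as an added example rather than code from ATT&CK or Microsoft: it takes normalised Windows service-install records (System log 7045, "A service was installed") and Sysmon image-load records (Event ID 7) and raises an alert when a service whose binary is an lsass.exe outside System32, or one named "Audit Service", is followed on the same host by sspisrv.dll loading from a non-standard path. The field names (Host, Time, EventID, ServiceName, ImagePath, ImageLoaded) and the sample records are constructed assumptions for the example, not real telemetry.

```python
"""Correlate service-install and image-load telemetry for the Wingbird
service / side-load pattern. Added example with constructed records;
field names assume a JSON-normalised 7045 / Sysmon 7 schema."""
from datetime import datetime, timedelta
import ntpath

SYSTEM32 = r"c:\windows\system32"


def _norm(path: str) -> str:
    """Strip quoting and trailing service arguments, then normalise case
    and separators so paths can be compared reliably."""
    p = path.strip()
    if p.startswith('"'):
        p = p[1:].split('"', 1)[0]
    else:
        i = p.lower().find(".exe ")
        if i != -1:
            p = p[: i + 4]
    return ntpath.normpath(p).lower()


def _outside_system32(p: str) -> bool:
    return ntpath.dirname(p) != SYSTEM32


def service_findings(ev: dict) -> list:
    """Reasons a 7045 record looks like the Wingbird service registration."""
    out = []
    img = _norm(ev["ImagePath"])
    if ntpath.basename(img) == "lsass.exe" and _outside_system32(img):
        out.append(f"service binary is an lsass.exe outside System32: {img}")
    if ev.get("ServiceName", "").strip().lower() == "audit service":
        out.append('service name "Audit Service" matches the name Wingbird registers')
    return out


def imageload_findings(ev: dict) -> list:
    """Reasons a Sysmon 7 record looks like the sspisrv.dll side-load.
    The genuine sspisrv.dll lives in System32, so only other paths count."""
    img = _norm(ev["ImageLoaded"])
    if ntpath.basename(img) == "sspisrv.dll" and _outside_system32(img):
        return [f"sspisrv.dll loaded from outside System32: {img}"]
    return []


def correlate(events: list, window: timedelta = timedelta(minutes=10)) -> list:
    """One alert per suspicious service install; severity rises to 'high'
    when a suspicious sspisrv.dll load follows on the same host within window."""
    by_host = {}
    for ev in events:
        by_host.setdefault(ev["Host"], []).append(ev)
    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["Time"])
        loads = [(e["Time"], imageload_findings(e)) for e in evs if e["EventID"] == 7]
        for e in evs:
            if e["EventID"] != 7045:
                continue
            reasons = service_findings(e)
            if not reasons:
                continue
            side_load = False
            for t_load, load_reasons in loads:
                if load_reasons and e["Time"] <= t_load <= e["Time"] + window:
                    reasons.extend(load_reasons)
                    side_load = True
            alerts.append({"host": host, "time": e["Time"],
                           "severity": "high" if side_load else "medium",
                           "reasons": reasons})
    return alerts


T0 = datetime(2024, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not from a real host
    {"Host": "WS01", "Time": T0, "EventID": 7045, "ServiceName": "Sysmon64",
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    {"Host": "WS01", "Time": T0 + timedelta(seconds=30), "EventID": 7,
     "Image": r"C:\Windows\System32\lsass.exe",
     "ImageLoaded": r"C:\Windows\System32\sspisrv.dll"},
    {"Host": "WS02", "Time": T0 + timedelta(minutes=1), "EventID": 7045,
     "ServiceName": "Audit Service", "ImagePath": r"C:\ProgramData\Audit\lsass.exe"},
    {"Host": "WS02", "Time": T0 + timedelta(minutes=1, seconds=5), "EventID": 7,
     "Image": r"C:\ProgramData\Audit\lsass.exe",
     "ImageLoaded": r"C:\ProgramData\Audit\sspisrv.dll"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

The service-name match is the weakest signal, since a name is trivial to change; the path-based checks carry the weight. Note that the lsass.exe copy is the genuine, signed Microsoft binary, so signature-based allow-listing will not flag it; the anomaly is its location and the service wrapped around it.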
Mitigation priorities
- Ensure Windows endpoints, especially high-value user systems, are consistently patched to reduce exposure to privilege-escalation exploitation.
- Harden and monitor Windows service creation, modification, and execution paths; restrict administrative rights that allow unauthorized service control.
- Protect LSASS/LSA-related configuration and monitor driver or authentication package changes through change control and endpoint policy enforcement.
- Strengthen application control and DLL search-order hygiene where feasible to reduce DLL abuse opportunities.
- Retain endpoint and file telemetry long enough to investigate file deletion and post-compromise cleanup attempts.
Analyst notes and limits
The supplied ATT&CK object identifies Wingbird as a Windows backdoor that appears to be a version of commercial software FinFisher and reports use by NEODYMIUM in a May 2016 campaign. The most useful defensive content comes from the object’s technique relationships, which describe the behaviors defenders should validate on Windows endpoints.
ATT&CK provides no official detection text for this object, no tactics on the malware object itself, and no aliases or labels in the supplied fields. This take does not assert current activity, customer exposure, guaranteed detectability, or attribution. Local endpoint telemetry, control configuration, and incident evidence are required to assess actual risk and coverage.
Wingbird
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1547.008 | LSASS Driver | Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes. [1] [3] |
| Enterprise | T1574.001 | DLL | Wingbird side-loads a malicious file, sspisrv.dll, as part of a spoofed lsass.exe service. [1] [3] |
| Enterprise | T1070.004 | File Deletion | Wingbird deletes its payload along with the payload's parent process after it finishes copying files. [1] |
| Enterprise | T1569.002 | Service Execution | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1] [3] |
| Enterprise | T1543.003 | Windows Service | Wingbird uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file. [1] [3] |
| Enterprise | T1518.001 | Security Software Discovery | Wingbird checks for the presence of Bitdefender security software. [1] |
| Enterprise | T1068 | Exploitation for Privilege Escalation | Wingbird exploits CVE-2016-4117 to allow an executable to gain escalated privileges. [1] |
| Enterprise | T1055 | Process Injection | Wingbird performs multiple process injections to hijack system processes and execute malicious code. [1] |
| Enterprise | T1082 | System Information Discovery | Wingbird checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit. [1] |
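The T1547.008, T1574.001 and T1543.003 rows above describe one on-disk footprint: a copy of the local lsass.exe outside System32 with sspisrv.dll beside it. The following hunt script is an added example, not code from the page's sources, that walks a mounted system drive or triage image for that layout. It builds a constructed directory tree in a temporary directory to run offline; on a real image, pass the mount point as root.

```python
"""Hunt a mounted drive or triage image for an lsass.exe copy outside
System32 with sspisrv.dll beside it. Added example; the demo tree is
constructed in a temp dir and stands in for a real system drive."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt_lsass_copies(root) -> list:
    """Report every lsass.exe under root that is not the System32 copy.
    Each finding records whether sspisrv.dll sits beside it and whether its
    hash equals the genuine System32 lsass.exe. Wingbird copies the local
    binary, so a hash match is the expected outcome, not an exculpatory one."""
    root = Path(root)
    system32 = root / "Windows" / "System32"
    genuine = system32 / "lsass.exe"
    genuine_hash = sha256_of(genuine) if genuine.is_file() else None
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        names = {f.lower(): f for f in files}  # case-insensitive like NTFS
        if "lsass.exe" not in names:
            continue
        if d.resolve() == system32.resolve():
            continue
        copy = d / names["lsass.exe"]
        copy_hash = sha256_of(copy)
        findings.append({
            "dir": str(d),
            "sspisrv_present": "sspisrv.dll" in names,
            "matches_system_lsass": genuine_hash is not None and copy_hash == genuine_hash,
            "sha256": copy_hash,
        })
    return findings


def build_demo_tree() -> Path:
    """Constructed layout mirroring the reported drop: genuine lsass.exe and
    sspisrv.dll in System32, a copied lsass.exe plus a foreign sspisrv.dll
    under ProgramData. File contents are placeholders, not real binaries."""
    root = Path(tempfile.mkdtemp(prefix="wingbird_hunt_"))
    sys32 = root / "Windows" / "System32"
    sys32.mkdir(parents=True)
    (sys32 / "lsass.exe").write_bytes(b"MZ-genuine-lsass-placeholder")
    (sys32 / "sspisrv.dll").write_bytes(b"MZ-genuine-sspisrv-placeholder")
    drop = root / "ProgramData" / "Audit"
    drop.mkdir(parents=True)
    (drop / "lsass.exe").write_bytes((sys32 / "lsass.exe").read_bytes())
    (drop / "sspisrv.dll").write_bytes(b"MZ-foreign-sspisrv-placeholder")
    return root


if __name__ == "__main__":
    for finding in hunt_lsass_copies(build_demo_tree()):
        print(finding)
```

Because the dropped lsass.exe is a genuine signed Microsoft file, Authenticode checks and hash allow-lists will pass it; the hunt keys on location and the co-located sspisrv.dll instead. On a live system the same finding should be cross-checked against the service configuration that points at the copy and against any sspisrv.dll load reported by module-load telemetry.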
Groups, software, and campaigns
G0055: NEODYMIUM
NEODYMIUM is an activity group that conducted a campaign in May 2016 and has heavily targeted Turkish victims. The group has demonstrated similarity to another activity group called PROMETHIUM due to overlapping victim and campaign characteristics. [1] [2] NEODYMIUM is reportedly associated closely with BlackOasis operations, but evidence that the group names are aliases has not been identified. [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | cf81708e30b4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Microsoft SIR Vol 21: Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017.
- [2] Microsoft NEODYMIUM Dec 2016: Microsoft. (2016, December 14). Twin zero-day attacks: PROMETHIUM and NEODYMIUM target individuals in Europe. Retrieved November 27, 2017.
- [3] Microsoft Wingbird Nov 2017: Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017.
- Source object: mitre-attack S0176 (Wingbird), cited to [1] [2] [3].
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.