S0205: Naid
Analyst context for executives and security teams
Naid matters because ATT&CK describes it as a Windows trojan that opens a backdoor on compromised hosts and has associated discovery and persistence behaviors. For leaders, the practical issue is not the malware name itself, but whether the organization can quickly prove which Windows systems created suspicious services, changed Registry locations, and performed host/network discovery after compromise.
Executive priority
Treat this as a validation case for endpoint visibility and incident response readiness on Windows assets. Business risk is concentrated around unauthorized remote access, persistence through Windows services, and discovery activity that can help an intruder plan follow-on actions. Executives should ask whether SOC and IR teams can produce audit-ready evidence for service creation, Registry modification, process execution, and system/network discovery across critical Windows endpoints.
Technical view
ATT&CK provides no official detection text for Naid, so defenders should build coverage from the related behaviors: System Network Configuration Discovery (T1016), System Information Discovery (T1082), Modify Registry (T1112), and Windows Service persistence (T1543.003). Validate that Windows endpoint telemetry can show new or modified services, service executable paths, Registry writes tied to persistence or configuration changes, and command/process activity consistent with local system or network configuration discovery. Because the object is malware on Windows and described as a backdoor, triage should correlate persistence changes with unusual process lineage, network connections, and host discovery rather than relying on a malware family name alone.
Likely telemetry
- Windows process creation and command-line telemetry
- Windows service creation, modification, start, and configuration events
- Windows Registry modification telemetry
- Endpoint detection and response alerts and file/process metadata
- Host network connection telemetry from endpoints or network sensors
Detection direction
- Confirm coverage for new or modified Windows services, especially unusual service names, paths, or binaries outside expected administrative workflows.
- Tune Registry modification detections around persistence-relevant locations while accounting for legitimate software installation, patching, and administration activity.
- Correlate system and network discovery commands or API-driven discovery with the same process tree, user, or host that performs persistence changes.
- Do not depend on signature-only detection for Naid; ATT&CK does not provide detection guidance and the stronger validation point is behavior-level coverage.
- Review false positives from endpoint management, vulnerability scanners, software deployment tools, and administrator activity before escalating discovery or service-change alerts.
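The correlation described in the technical view and the detection direction above, as an added example that is not part of the original page or of ATT&CK: constructed, normalized Windows events are grouped by host and user, and a service install (T1543.003) is flagged when a Services-key Registry write (T1112) or a discovery command (T1016/T1082) follows it within a short window, with a hypothetical allowlist of deployment accounts downgrading rather than suppressing the finding.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, not real telemetry. Each tuple is a normalized
# (timestamp, host, user, kind, detail) record as a SIEM might emit for a
# service install (System 7045 / Security 4697), a Sysmon Registry write
# (EID 13) or a Sysmon process creation (EID 1).
EVENTS = [
    ("2024-05-01T10:00:05", "WS01", "CORP\\jdoe", "service_install", "svc=WinUpdSvc path=C:\\ProgramData\\upd\\svc.dll"),
    ("2024-05-01T10:00:07", "WS01", "CORP\\jdoe", "registry_set", "HKLM\\SYSTEM\\CurrentControlSet\\Services\\WinUpdSvc\\Parameters\\ServiceDll"),
    ("2024-05-01T10:00:20", "WS01", "CORP\\jdoe", "process_create", "ipconfig /all"),
    ("2024-05-01T10:00:25", "WS01", "CORP\\jdoe", "process_create", "systeminfo"),
    ("2024-05-01T11:00:00", "SRV02", "CORP\\sccm-svc", "service_install", "svc=CcmExec path=C:\\Windows\\CCM\\CcmExec.exe"),
    ("2024-05-01T11:05:00", "SRV02", "CORP\\sccm-svc", "process_create", "ipconfig /all"),
]

# Command names typical of T1016 / T1082 discovery, and a hypothetical
# allowlist of deployment-tool accounts whose service installs are expected.
DISCOVERY_CMDS = {"ipconfig", "systeminfo", "hostname", "whoami", "nltest"}
ADMIN_ALLOWLIST = {"CORP\\sccm-svc"}
WINDOW = timedelta(minutes=15)

def is_discovery(cmdline):
    return cmdline.split()[0].lower() in DISCOVERY_CMDS

def correlate(events, window=WINDOW, allowlist=ADMIN_ALLOWLIST):
    """Return one finding per service install (T1543.003) that is followed,
    within `window` and from the same host and user, by a Services-key
    Registry write (T1112) and/or a discovery command (T1016/T1082).
    Allowlisted accounts are downgraded to 'review' rather than dropped."""
    by_actor = defaultdict(list)
    for ts, host, user, kind, detail in events:
        by_actor[(host, user)].append((datetime.fromisoformat(ts), kind, detail))
    findings = []
    for (host, user), evs in by_actor.items():
        evs.sort()
        for t0, kind, svc in evs:
            if kind != "service_install":
                continue
            later = [(k, d) for t, k, d in evs if t0 <= t <= t0 + window]
            registry = any(k == "registry_set" and "\\Services\\" in d for k, d in later)
            discovery = [d for k, d in later if k == "process_create" and is_discovery(d)]
            if registry or discovery:
                findings.append({"host": host, "user": user, "service": svc,
                                 "registry": registry, "discovery": discovery,
                                 "severity": "review" if user in allowlist else "high"})
    return findings

if __name__ == "__main__":
    print(*correlate(EVENTS), sep="\n")
```

The WS01 sequence (service install, ServiceDll write, two discovery commands from the same user) yields a high finding; the SRV02 install by the deployment account is still surfaced, but marked for review so baseline administrative activity is checked before escalation.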
Mitigation priorities
- Prioritize least-privilege controls for accounts able to create services or modify protected Registry keys on Windows systems.
- Harden and monitor Windows service configuration changes on critical servers and workstations.
- Maintain endpoint logging and EDR coverage sufficient to reconstruct process, Registry, service, and network activity during IR.
- Use application control or allowlisting where practical to reduce unauthorized service-backed execution.
- Document detection and response procedures as compliance evidence for persistence, discovery, and backdoor-related incident scenarios.
Analyst notes and limits
The official ATT&CK description states that Naid is a trojan used by Elderwood to open a backdoor on compromised hosts. Relationship context links it to discovery, Registry modification, and Windows service persistence behaviors. This take focuses on defensive validation because those relationships provide more actionable coverage guidance than the malware name alone.
ATT&CK provides no official detection text, aliases, labels, or explicit malware tactics for this object. The object platform is Windows, while some related technique platform lists are broader or not Windows-specific in the supplied context. Local telemetry, asset criticality, and baseline administrative activity are required to determine exposure and detection quality.
Naid
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | Naid collects the domain name from a compromised host. [2] |
| Enterprise | T1082 | System Information Discovery | Naid collects a unique identifier (UID) from a compromised host. [2] |
| Enterprise | T1112 | Modify Registry | Naid creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk. [2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | Naid creates a new service to establish persistence. [2] |
Groups, software, and campaigns
G0066: Elderwood
Elderwood is a suspected Chinese cyber espionage group that was reportedly responsible for the 2009 Google intrusion known as Operation Aurora. [1] The group has targeted defense organizations, supply chain manufacturers, human rights and nongovernmental organizations (NGOs), and IT service providers. [2] [3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 76e8a4eb41f7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Elderwood Sept 2012. O'Gorman, G., and McDonald, G. (2012, September 6). The Elderwood Project. Retrieved November 17, 2024.
[2] Symantec Naid June 2012. Neville, A. (2012, June 15). Trojan.Naid. Retrieved February 22, 2018.
[3] Naid. (Citation: Symantec Naid June 2012)
[4] mitre-attack S0205.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.