Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)

Windshift is a threat group that has been active since at least 2017, targeting specific individuals for surveillance in government departments and critical infrastructure across the Middle East.(Citation: SANS Windshift August 2018)(Citation: objective-see windtail1 dec 2018)(Citation: objective-see windtail2 jan 2019)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77)	Attack Pattern	1
Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Conceal Multimedia Files - T1628.003 (ea132c68-b518-4478-ae8d-1763cda26ee3)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Geofencing - T1627.001 (e422b6fa-4739-46b9-992e-82f1b350c780)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Obfuscated Files or Information - T1406 (d13fa042-8f26-44e1-a2a8-af0bf8e2ac9a)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Download New Code at Runtime - T1407 (6c49d50f-494d-4150-b774-a655022d20a6)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Symmetric Cryptography - T1521.001 (bb4387ab-7a51-468b-bf5f-a9a8612f0303)	Attack Pattern	Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	1
Windshift - G0112 (afec6dc3-a18e-4b62-b1a4-5510e1a498d1)	Intrusion Set	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Code Signing Policy Modification - T1632.001 (fcb11f06-ce0e-490b-bcc1-04a1623579f0)	Attack Pattern	Subvert Trust Controls - T1632 (79cb02f4-ac4e-4335-8b51-425c9573cce1)	Attack Pattern	2
Conceal Multimedia Files - T1628.003 (ea132c68-b518-4478-ae8d-1763cda26ee3)	Attack Pattern	Hide Artifacts - T1628 (fc53309d-ebd5-4573-9242-57024ebdad4f)	Attack Pattern	2
System Checks - T1633.001 (6ffad4be-bfe0-424f-abde-4d9a84a800ad)	Attack Pattern	Virtualization/Sandbox Evasion - T1633 (27d18e87-8f32-4be1-b456-39b90454360f)	Attack Pattern	2
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47)	Attack Pattern	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Execution Guardrails - T1627 (498e7b81-238d-404c-aa5e-332904d63286)	Attack Pattern	Geofencing - T1627.001 (e422b6fa-4739-46b9-992e-82f1b350c780)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	2
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	2
WindTail - S0466 (0d1f9f5b-11ea-42c3-b5f4-63cce0122541)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Symmetric Cryptography - T1521.001 (bb4387ab-7a51-468b-bf5f-a9a8612f0303)	Attack Pattern	Encrypted Channel - T1521 (ed2c05a1-4f81-4d97-9e1b-aff01c34ae84)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	3
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3