JUST RELEASED: ATT&CK for Industrial Control Systems


Winnti is a Trojan that has been used by multiple groups to carry out intrusions in varied regions from at least 2010 to 2016. One of the groups using this malware is referred to by the same name, Winnti Group; however, reporting indicates a second distinct group, Axiom, also uses the malware. [1] [2] [3]

ID: S0141
Platforms: Windows
Version: 1.0
Created: 31 May 2017
Last Modified: 17 October 2018

Techniques Used

Domain ID Name Use
Enterprise T1036 Masquerading

A Winnti implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.[2]

Enterprise T1050 New Service

Winnti sets its DLL file as a new service in the Registry to establish persistence.[2]

Enterprise T1085 Rundll32

The Winnti installer loads a DLL using rundll32.[2]

Groups That Use This Software

ID Name References
G0044 Winnti Group [1] [4]