

POSHSPY is a backdoor that has been used by APT29 since at least 2015. It appears to serve as a secondary backdoor, used if the actors lost access to their primary backdoors. [1]

ID: S0150
Platforms: Windows
Version: 1.1

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1030 | Data Transfer Size Limits | POSHSPY uploads data in 2048-byte chunks. [1] |
| Enterprise | T1483 | Domain Generation Algorithms | POSHSPY uses a DGA to derive command and control URLs from a word list. [1] |
| Enterprise | T1027 | Obfuscated Files or Information | POSHSPY appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download. [1] |
| Enterprise | T1086 | PowerShell | POSHSPY uses PowerShell to execute various commands, including one to execute its payload. [1] |
| Enterprise | T1105 | Remote File Copy | POSHSPY downloads and executes additional PowerShell code and Windows binaries. [1] |
| Enterprise | T1032 | Standard Cryptographic Protocol | POSHSPY encrypts C2 traffic with AES and RSA. [1] |
| Enterprise | T1099 | Timestomp | POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013. [1] |
| Enterprise | T1084 | Windows Management Instrumentation Event Subscription | POSHSPY uses a WMI event subscription to establish persistence. [1] |

Groups That Use This Software

| ID | Name | References |
|---|---|---|
| G0016 | APT29 | [1] |