{
	"id": "c8ddf485-9366-45e5-85bb-332af9117657",
	"created_at": "2026-04-06T00:19:12.142645Z",
	"updated_at": "2026-04-10T13:12:53.920287Z",
	"deleted_at": null,
	"sha1_hash": "4e2328f5612bf3695e78128d7cbc6ec78b069239",
	"title": "Dissecting One of APT29's Fileless WMI and PowerShell Backdoors (POSHSPY) | Mandiant",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1295119,
	"plain_text": "Dissecting One of APT29's Fileless WMI and PowerShell\r\nBackdoors (POSHSPY) | Mandiant\r\nBy Mandiant\r\nPublished: 2017-04-03 · Archived: 2026-04-02 11:08:32 UTC\r\nWritten by: Matthew Dunwoody\r\nMandiant has observed APT29 using a stealthy backdoor that we call POSHSPY. POSHSPY leverages two of the\r\ntools the group frequently uses: PowerShell and Windows Management Instrumentation (WMI). In the\r\ninvestigations Mandiant has conducted, it appeared that APT29 deployed POSHSPY as a secondary backdoor for\r\nuse if they lost access to their primary backdoors.\r\nPOSHSPY makes the most of using built-in Windows features – so-called “living off the land” – to make an\r\nespecially stealthy backdoor. POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly\r\ninvisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only\r\nlegitimate system processes are utilized and that the malicious code execution can only be identified through\r\nenhanced logging or in memory. The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption\r\nand use of geographically local, legitimate websites for command and control (C2) make identification of its\r\nnetwork traffic difficult. Every aspect of POSHSPY is efficient and covert.\r\nMandiant initially identified an early variant of the POSHSPY backdoor deployed as PowerShell scripts during an\r\nincident response engagement in 2015. Later in that same engagement, the attacker updated the deployment of the\r\nbackdoor to use WMI for storage and persistence. Mandiant has since identified POSHSPY in several other\r\nenvironments compromised by APT29 over the past two years.\r\nWe first discussed APT29’s use of this backdoor as part of our “No Easy Breach” talk. 
For additional details on\r\nhow we first identified this backdoor, and the epic investigation it was part of, see the slides and presentation.\r\nWindows Management Instrumentation\r\nWMI is an administrative framework that is built into every version of Windows since 2000. WMI provides many\r\nadministrative capabilities on local and remote systems, including querying system information, starting and\r\nstopping processes, and setting conditional triggers. WMI can be accessed using a variety of tools, including the\r\nWindows WMI Command-line (wmic.exe), or through APIs accessible to programming and scripting languages\r\nsuch as PowerShell. Windows system WMI data is stored in the WMI common information model (CIM)\r\nrepository, which consists of several files in the System32\\wbem\\Repository directory.\r\nWMI classes are the primary structure within WMI. WMI classes can contain methods (code) and properties\r\n(data). Users with sufficient system-level privileges can define custom classes or extend the functionality of the\r\nmany default classes.\r\nhttps://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html\r\nPage 1 of 10\n\nWMI permanent event subscriptions can be used to trigger actions when specified conditions are met. Attackers\r\noften use this functionality to persist the execution of backdoors at system start up. Subscriptions consist of three\r\ncore WMI classes: a Filter, a Consumer, and a FilterToConsumerBinding. WMI Consumers specify an action to be\r\nperformed, including executing a command, running a script, adding an entry to a log, or sending an email. WMI\r\nFilters define conditions that will trigger a Consumer, including system startup, the execution of a program, the\r\npassing of a specified time and many others. 
A FilterToConsumerBinding associates Consumers to Filters.\r\nCreating a WMI permanent event subscription requires administrative privileges on a system.\r\nWe have observed APT29 use WMI to persist a backdoor and also store the PowerShell backdoor code. To store\r\nthe code, APT29 created a new WMI class and added a text property to it in order to store a string value. APT29\r\nwrote the encrypted and base64-encoded PowerShell backdoor code into that property.\r\nAPT29 then created a WMI event subscription in order to execute the backdoor. The subscription was configured\r\nto run a PowerShell command that read, decrypted, and executed the backdoor code directly from the new WMI\r\nproperty. This allowed them to install a persistent backdoor without leaving any artifacts on the system’s hard\r\ndrive, outside of the WMI repository. This “fileless” backdoor methodology made the identification of the\r\nbackdoor much more difficult using standard host analysis techniques.\r\nPOSHSPY WMI Component\r\nThe WMI component of the POSHSPY backdoor leverages a Filter to execute the PowerShell component of the\r\nbackdoor on a regular basis. In one instance, APT29 created a Filter named BfeOnServiceStartTypeChange\r\n(Figure 1), which they configured to execute every Monday, Tuesday, Thursday, Friday, and Saturday at 11:33 am\r\nlocal time.\r\nFigure 1: “BfeOnServiceStartTypeChange” WMI Query Language (WQL) filter condition\r\nThe BfeOnServiceStartTypeChange Filter was bound to the CommandLineEventConsumer\r\nWindowsParentalControlsMigration. The WindowsParentalControlsMigration consumer was configured to\r\nsilently execute a base64-encoded PowerShell command. Upon execution, this command extracted, decrypted,\r\nand executed the PowerShell backdoor payload stored in the HiveUploadTask text property of the RacTask class.\r\nThe PowerShell command contained the payload storage location and encryption keys. 
Figure 2 displays the\r\ncommand, called the “CommandLineTemplate”, executed by the WindowsParentalControlsMigration consumer.\r\nFigure 2: WindowsParentalControlsMigration CommandLineTemplate\r\nFigure 3 contains the decoded PowerShell command from the “CommandLineTemplate.”\r\nFigure 3: Decoded CommandLineTemplate PowerShell code\r\nPOSHSPY PowerShell Component\r\nHere is the full code for POSHSPY.\r\nThe POSHSPY backdoor is designed to download and execute additional PowerShell code and Windows binaries.\r\nThe backdoor contains several notable capabilities, including:\r\n1. Downloading and executing PowerShell code as an EncodedCommand\r\n2. Writing executables to a randomly-selected directory under Program Files, and naming the EXE to match the\r\nchosen directory name, or, if that fails, writing the executable to a system-generated temporary file name, using\r\nthe EXE extension\r\n3. Modifying the Standard Information timestamps (created, modified, accessed) of every downloaded executable\r\nto match a randomly selected file from the System32 directory that was created prior to 2013\r\n4. Encrypting communications using AES and RSA public key cryptography\r\n5. Deriving C2 URLs from a Domain Generation Algorithm (DGA) using lists of domain names, subdomains, top-level domains (TLDs), Uniform Resource Identifiers (URIs), file names, and file extensions\r\n6. 
Using a custom User Agent string or the system's User Agent string derived from urlmon.dll\r\n7. Using either custom cookie names and values or randomly-generated cookie names and values for each network\r\nconnection\r\n8. Uploading data in 2048-byte chunks\r\n9. Appending a file signature header to all encrypted data, prior to upload or download, by randomly selecting\r\nfrom the file types:\r\nICO\r\nGIF\r\nJPG\r\nPNG\r\nMP3\r\nBMP\r\nThe sample in this example used 11 legitimate domains owned by an organization located near the victim. When\r\ncombined with the other options in the DGA, 550 unique C2 URLs could be generated. Infrequent beaconing, use\r\nof DGA and compromised infrastructure for C2, and appended file headers used to bypass content inspection\r\nmade this backdoor difficult to identify using typical network monitoring techniques.\r\nConclusion\r\nPOSHSPY is an excellent example of the skill and craftiness of APT29. By “living off the land” they were able to\r\nmake an extremely discreet backdoor that they can deploy alongside their more conventional and noisier backdoor\r\nfamilies, in order to help ensure persistence even after remediation. As stealthy as POSHSPY can be, it comes to\r\nlight quickly if you know where to look. Enabling and monitoring enhanced PowerShell logging can capture\r\nmalicious code as it executes, and legitimate WMI persistence is so rare that malicious persistence quickly stands\r\nout when enumerating it across an environment. This is one of several sneaky backdoor families that we have\r\nidentified, including an off-the-shelf domain fronting backdoor and HAMMERTOSS. 
When responding to an\r\nAPT29 breach, it is vital to increase visibility, fully scope the incident before responding and thoroughly analyze\r\naccessed systems that don't contain known malware.\r\nAdditional Reading\r\nThis PowerShell logging blog post contains more information on improving PowerShell visibility in your\r\nenvironment.\r\nThis excellent whitepaper by William Ballenthin, Matt Graeber and Claudiu Teodorescu contains additional\r\ninformation on WMI offense, defense and forensics.\r\nThis presentation by Christopher Glyer and Devon Kerr contains additional information on attacker use of WMI in\r\npast Mandiant investigations.\r\nThe FireEye FLARE team released a WMI repository-parsing tool that allows investigators to extract embedded\r\ndata from the WMI repository and identify WMI persistence.\r\nSource: https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html"
	],
	"report_names": [
		"dissecting_one_ofap.html"
	],
	"threat_actors": [
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-10T02:00:03.689959Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-10T02:00:03.737173Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-10T02:00:02.955738Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"Cloaked Ursa",
				"TA421",
				"Blue Kitsune",
				"BlueBravo",
				"IRON HEMLOCK",
				"G0016",
				"Nobelium",
				"Group 100",
				"YTTRIUM",
				"Grizzly Steppe",
				"ATK7",
				"ITG11",
				"COZY BEAR",
				"The Dukes",
				"Minidionis",
				"UAC-0029",
				"SeaDuke"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-10T02:00:05.292748Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434752,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/4e2328f5612bf3695e78128d7cbc6ec78b069239.pdf",
		"text": "https://archive.orkl.eu/4e2328f5612bf3695e78128d7cbc6ec78b069239.txt",
		"img": "https://archive.orkl.eu/4e2328f5612bf3695e78128d7cbc6ec78b069239.jpg"
	}
}