| Domain | ID | | Name | Use |
|---|---|---|---|---|
| Enterprise | T1014 | | Rootkit | |
| Enterprise | T1005 | | Data from Local System | |
| Enterprise | T1090 | .001 | Proxy: Internal Proxy | |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1574 | .001 | Hijack Execution Flow: DLL Search Order Hijacking | Hikit has used DLL Search Order Hijacking to load |
| Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | Hikit has the ability to create a remote shell and run given commands.[3] |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1105 | | Ingress Tool Transfer | Hikit has the ability to download files to a compromised host.[1] |
| Enterprise | T1566 | | Phishing | |
| Enterprise | T1553 | .004 | Subvert Trust Controls: Install Root Certificate | Hikit installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher.[4] |
| Enterprise | T1553 | .006 | Subvert Trust Controls: Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.[3] |