
S0009 Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise. [1][2]

| Item | Value |
| --- | --- |
| ID | S0009 |
| Associated Names | |
| Version | 1.3 |
| Created | 31 May 2017 |
| Last Modified | 12 January 2022 |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Hikit has used HTTP for C2. [3] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Hikit has the ability to create a remote shell and run given commands. [3] |
| enterprise | T1005 | Data from Local System | Hikit can upload files from compromised machines. [1] |
| enterprise | T1573 | Encrypted Channel | - |
| enterprise | T1573.001 | Symmetric Cryptography | Hikit performs XOR encryption. [1] |
| enterprise | T1574 | Hijack Execution Flow | - |
| enterprise | T1574.001 | DLL Search Order Hijacking | Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism. [2] |
| enterprise | T1105 | Ingress Tool Transfer | Hikit has the ability to download files to a compromised host. [1] |
| enterprise | T1566 | Phishing | Hikit has been spread through spear phishing. [1] |
| enterprise | T1090 | Proxy | - |
| enterprise | T1090.001 | Internal Proxy | Hikit supports peer connections. [1] |
| enterprise | T1014 | Rootkit | Hikit is a rootkit that has been used by Axiom. [2][3] |
| enterprise | T1553 | Subvert Trust Controls | - |
| enterprise | T1553.004 | Install Root Certificate | Hikit uses `certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root` and `certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher` to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher. [3] |
| enterprise | T1553.006 | Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component. [3] |
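The certmgr.exe invocations in the T1553.004 row are the most directly detectable artifact on this page. The following is an added example, not code from MITRE or from the cited reports: a small Python parser that extracts the action, store location and store name from a certmgr.exe command line and flags installs into the LocalMachine Root or TrustedPublisher stores. The event records and the `triage` helper are constructed for illustration.

```python
from typing import Optional

# Stores the page names as Hikit's targets; flagging them is the whole rule.
SENSITIVE_STORES = {"root", "trustedpublisher"}

# Constructed process-creation events, not real telemetry.
EVENTS = [
    {"cmdline": "certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root"},
    {"cmdline": "certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher"},
    {"cmdline": "certmgr.exe -add vendor.cer -s -r currentUser My"},
    {"cmdline": "cmd.exe /c whoami"},
]


def parse_certmgr(cmdline: str) -> Optional[dict]:
    """Return {'action', 'file', 'location', 'store'} for a certmgr.exe
    command line, or None if the image is not certmgr.exe.
    Whitespace split is enough for the forms on the page; quoted paths
    with spaces would need a shlex-style tokenizer."""
    toks = cmdline.split()
    if not toks or toks[0].lower().rsplit("\\", 1)[-1] != "certmgr.exe":
        return None
    info = {"action": None, "file": None, "location": None, "store": None}
    positional = []
    i = 1
    while i < len(toks):
        t = toks[i].lower()
        if t == "-add" and i + 1 < len(toks):      # -add <certfile>
            info["action"], info["file"] = "add", toks[i + 1]; i += 2
        elif t == "-r" and i + 1 < len(toks):      # -r <location>
            info["location"] = toks[i + 1]; i += 2
        elif t.startswith("-"):                    # bare flags: -c, -s, ...
            i += 1
        else:
            positional.append(toks[i]); i += 1     # store name is positional
    loc = info["location"] or ""
    # The page shows the store both as its own token ("localMachine Root") and
    # fused onto the location ("localMachineTrustedPublisher"); accept both.
    if loc.lower().startswith("localmachine") and len(loc) > len("localMachine"):
        info["location"], info["store"] = loc[:12], loc[12:]
    elif positional:
        info["store"] = positional[-1]
    return info


def is_root_store_install(cmdline: str) -> bool:
    info = parse_certmgr(cmdline)
    return bool(info and info["action"] == "add"
                and (info["location"] or "").lower() == "localmachine"
                and (info["store"] or "").lower() in SENSITIVE_STORES)


def triage(events):
    """Return the command lines that match the T1553.004 pattern."""
    return [e["cmdline"] for e in events if is_root_store_install(e["cmdline"])]
```

A production rule would additionally baseline legitimate certificate deployment (for example, enterprise PKI rollout scripts) so that only unexpected Root or TrustedPublisher installs alert.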

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0001 | Axiom | [1][4] |

