Skip to content

S0009 Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.12

Item Value
ID S0009
Associated Names
Type MALWARE
Version 1.3
Created 31 May 2017
Last Modified 12 January 2022
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Hikit has used HTTP for C2.3
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell Hikit has the ability to create a remote shell and run given commands.3
enterprise T1005 Data from Local System Hikit can upload files from compromised machines.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography Hikit performs XOR encryption.1
enterprise T1574 Hijack Execution Flow -
enterprise T1574.001 DLL Search Order Hijacking Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.2
enterprise T1105 Ingress Tool Transfer Hikit has the ability to download files to a compromised host.1
enterprise T1566 Phishing Hikit has been spread through spear phishing.1
enterprise T1090 Proxy -
enterprise T1090.001 Internal Proxy Hikit supports peer connections.1
enterprise T1014 Rootkit Hikit is a Rootkit that has been used by Axiom.2 3
enterprise T1553 Subvert Trust Controls -
enterprise T1553.004 Install Root Certificate Hikit uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.3
enterprise T1553.006 Code Signing Policy Modification Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.3

Groups That Use This Software

ID Name References
G0001 Axiom 14

References

Back to top