Domain | ID | Name | Use
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | HOPLIGHT can launch cmd.exe to execute commands on the system.
enterprise | T1132 | Data Encoding | -
enterprise | T1132.001 | Standard Encoding | HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.
enterprise | T1652 | Device Driver Discovery | HOPLIGHT can enumerate device drivers located in the registry at HKLM\Software\WBEM\WDM.
enterprise | T1041 | Exfiltration Over C2 Channel | HOPLIGHT has used its C2 channel to exfiltrate data.
enterprise | T1008 | Fallback Channels | HOPLIGHT has multiple C2 channels in place in case one fails.
enterprise | T1083 | File and Directory Discovery | HOPLIGHT has been observed enumerating system drives and partitions.
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.004 | Disable or Modify System Firewall | HOPLIGHT has modified the firewall using netsh.
enterprise | T1105 | Ingress Tool Transfer | HOPLIGHT has the ability to connect to a remote host in order to upload and download files.
enterprise | T1112 | Modify Registry | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.
enterprise | T1571 | Non-Standard Port | HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.
enterprise | T1003 | OS Credential Dumping | -
enterprise | T1003.002 | Security Account Manager | HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.
enterprise | T1055 | Process Injection | HOPLIGHT has injected into running processes.
enterprise | T1090 | Proxy | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.
enterprise | T1012 | Query Registry | A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\CurrentControlSet\Control\Lsa Name.
enterprise | T1082 | System Information Discovery | HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | HOPLIGHT has used svchost.exe to execute a malicious DLL.
enterprise | T1124 | System Time Discovery | HOPLIGHT has been observed collecting system time from victim machines.
enterprise | T1550 | Use Alternate Authentication Material | -
enterprise | T1550.002 | Pass the Hash | HOPLIGHT has been observed loading several APIs associated with Pass the Hash.
enterprise | T1047 | Windows Management Instrumentation | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.