Skip to content


SMOKEDHAM is a Powershell-based .NET backdoor that was first reported in May 2021; it has been used by at least one ransomware-as-a-service affiliate.21

Item Value
ID S0649
Associated Names
Version 1.2
Created 22 September 2021
Last Modified 14 April 2023
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.001 Local Account SMOKEDHAM has used net.exe user and net.exe users to enumerate local accounts on a compromised host.1
enterprise T1098 Account Manipulation SMOKEDHAM has added user accounts to local Admin groups.1
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests.1
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder SMOKEDHAM has used reg.exe to create a Registry Run key.1
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell SMOKEDHAM can execute Powershell commands sent from its C2 server.1
enterprise T1136 Create Account -
enterprise T1136.001 Local Account SMOKEDHAM has created user accounts.1
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding SMOKEDHAM has encoded its C2 traffic with Base64.1
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography SMOKEDHAM has encrypted its C2 traffic with RC4.1
enterprise T1041 Exfiltration Over C2 Channel SMOKEDHAM has exfiltrated data to its C2 server.1
enterprise T1564 Hide Artifacts -
enterprise T1564.002 Hidden Users SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. 1
enterprise T1105 Ingress Tool Transfer SMOKEDHAM has used Powershell to download UltraVNC and Ngrok from third-party file sharing sites.1
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging SMOKEDHAM can continuously capture keystrokes.21
enterprise T1112 Modify Registry SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP.1
enterprise T1027 Obfuscated Files or Information -
enterprise T1027.009 Embedded Payloads The SMOKEDHAM source code is embedded in the dropper as an encrypted string.1
enterprise T1598 Phishing for Information -
enterprise T1598.003 Spearphishing Link SMOKEDHAM has been delivered via malicious links in phishing emails.2
enterprise T1090 Proxy -
enterprise T1090.004 Domain Fronting SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain.1
enterprise T1113 Screen Capture SMOKEDHAM can capture screenshots of the victim’s desktop.21
enterprise T1082 System Information Discovery SMOKEDHAM has used the systeminfo command on a compromised host.1
enterprise T1033 System Owner/User Discovery SMOKEDHAM has used whoami commands to identify system owners.1
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing.2
enterprise T1102 Web Service SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links.2