Domain | ID | Name | Use
enterprise | T1110 | Brute Force | -
enterprise | T1110.001 | Password Guessing | HermeticWizard can use a list of hardcoded credentials in an attempt to authenticate to SMB shares.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.003 | Windows Command Shell | HermeticWizard can use cmd.exe for execution on compromised hosts.
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.001 | Clear Windows Event Logs | HermeticWizard has the ability to use wevtutil cl system to clear event logs.
enterprise | T1559 | Inter-Process Communication | -
enterprise | T1559.001 | Component Object Model | HermeticWizard can execute files on remote machines using DCOM.
enterprise | T1570 | Lateral Tool Transfer | HermeticWizard can copy files to other machines on a compromised network.
enterprise | T1036 | Masquerading | -
enterprise | T1036.005 | Match Legitimate Name or Location | HermeticWizard has been named exec_32.dll to mimic a legitimate MS Outlook DLL.
enterprise | T1106 | Native API | HermeticWizard can connect to remote shares using WNetAddConnection2W.
enterprise | T1046 | Network Service Discovery | HermeticWizard has the ability to scan ports on a compromised network.
enterprise | T1027 | Obfuscated Files or Information | HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.
enterprise | T1021 | Remote Services | -
enterprise | T1021.002 | SMB/Windows Admin Shares | HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.
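The Password Guessing (T1110.001) and SMB/Windows Admin Shares (T1021.002) rows describe the same behaviour from the defender's side: one host replays a short credential list against every SMB share it has found, which shows up on the targets as a burst of NTLM network-logon failures (Security event 4625, logon type 3) for several usernames across several hosts from a single source. The following Python is an added detection example, not HermeticWizard's code and not part of the ATT&CK page; the events are constructed for the example, using the 4625 field names, and the window and thresholds (60 seconds, 3 distinct users, 2 distinct hosts) are assumptions to be tuned against real data.

```python
"""Added example: score Security 4625 failures for a hardcoded-credential spray
over SMB (T1110.001 / T1021.002). Not HermeticWizard's code; events constructed."""
from collections import defaultdict
from datetime import datetime, timedelta


def ev(time, src, host, user, event_id=4625, logon_type=3, pkg="NTLM"):
    """Build one constructed record using the 4625 field names."""
    return {"time": time, "event_id": event_id, "logon_type": logon_type,
            "auth_package": pkg, "src_ip": src, "target_host": host, "user": user}


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # stale failure an hour earlier: outside the window, must not count
    ev("2022-02-23T15:00:00", "10.0.5.7", "FS01", "admin"),
    # the spray: three users against two hosts within a few seconds
    ev("2022-02-23T16:00:01", "10.0.5.7", "FS01", "admin"),
    ev("2022-02-23T16:00:02", "10.0.5.7", "FS01", "administrator"),
    ev("2022-02-23T16:00:03", "10.0.5.7", "FS01", "user1"),
    ev("2022-02-23T16:00:04", "10.0.5.7", "DC01", "admin"),
    # a success after the spray: different event ID, ignored here
    ev("2022-02-23T16:00:05", "10.0.5.7", "DC01", "admin", event_id=4624),
    # one user's typo: a single failure, no spray
    ev("2022-02-23T16:00:10", "10.0.9.2", "FS01", "bob"),
    # interactive (type 2) failures are not network logons: filtered out
    ev("2022-02-23T16:00:11", "10.0.9.3", "WS07", "carol", logon_type=2, pkg="Negotiate"),
]


def detect_credential_spray(events, window=timedelta(seconds=60), min_users=3, min_hosts=2):
    """Return {src_ip: (users, hosts)} for sources whose NTLM network-logon
    failures, within any sliding `window`, cover at least `min_users` distinct
    usernames and `min_hosts` distinct targets. The tuple is the largest pair
    seen for that source. A worm replaying a credential list fans out across
    hosts; a mistyped password is one user against one host."""
    by_src = defaultdict(list)
    for e in events:
        if e["event_id"] == 4625 and e["logon_type"] == 3 and e["auth_package"] == "NTLM":
            by_src[e["src_ip"]].append(
                (datetime.fromisoformat(e["time"]), e["user"], e["target_host"]))
    hits = {}
    for src, fails in by_src.items():
        fails.sort()  # by timestamp
        start = 0
        for end, (t, _, _) in enumerate(fails):
            # slide the window start forward until it spans at most `window`
            while t - fails[start][0] > window:
                start += 1
            users = {u for _, u, _ in fails[start:end + 1]}
            hosts = {h for _, _, h in fails[start:end + 1]}
            if len(users) >= min_users and len(hosts) >= min_hosts:
                hits[src] = max(hits.get(src, (0, 0)), (len(users), len(hosts)))
    return hits


if __name__ == "__main__":
    for src, (users, hosts) in detect_credential_spray(SAMPLE_EVENTS).items():
        print(f"{src}: {users} users x {hosts} hosts -> possible SMB credential spray")
```

Filtering on logon type 3 and the NTLM package is what ties the rule to the NTLMSSP-over-SMB authentication named in the T1021.002 row; a domain where Kerberos is the norm makes NTLM network failures from a workstation to several hosts unusual on their own.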
enterprise | T1018 | Remote System Discovery | HermeticWizard can find machines on the local network by gathering known local IP addresses through DNSGetCacheDataTable, GetIpNetTable, WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY), NetServerEnum, GetTcpTable, and GetAdaptersAddresses.
enterprise | T1553 | Subvert Trust Controls | -
enterprise | T1553.002 | Code Signing | HermeticWizard has been signed with valid certificates issued to Hermetica Digital.
enterprise | T1218 | System Binary Proxy Execution | -
enterprise | T1218.010 | Regsvr32 | HermeticWizard has used regsvr32.exe /s /i to execute malicious payloads.
enterprise | T1218.011 | Rundll32 | HermeticWizard has the ability to create a new process using rundll32.
enterprise | T1569 | System Services | -
enterprise | T1569.002 | Service Execution | HermeticWizard can use OpenRemoteServiceManager to create a service.
enterprise | T1047 | Windows Management Instrumentation | HermeticWizard can use WMI to create a new process on a remote machine via C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\<filename>.dll .
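The execution rows (T1047 WMI spawning cmd.exe, T1218.010 regsvr32.exe /s /i, T1218.011 rundll32, and T1070.001 wevtutil cl) describe process-creation chains that endpoint telemetry such as Sysmon Event ID 1 records directly: the WMI provider host (WmiPrvSE.exe) as the parent of cmd.exe, regsvr32.exe run with both /s and /i, rundll32.exe loading a DLL from outside the system directories, and wevtutil.exe with the cl verb. The Python below is an added detection example, not the malware's code and not from ATT&CK or ESET; the process records are constructed (the DLL name payload.dll is made up, standing in for the page's <filename>.dll), and the "DLL outside System32/SysWOW64" test for rundll32 is an assumed heuristic rather than anything the page states.

```python
"""Added example: match the HermeticWizard execution chains from the table
(T1047, T1218.010, T1218.011, T1070.001) against constructed Sysmon Event ID 1
style records. Not the malware's code; records and DLL name are made up."""
import re
from collections import defaultdict

# Constructed process-creation records (pid, ppid, image, parent_image, cmdline).
SAMPLE_PROCESSES = [
    {"pid": 900, "ppid": 800, "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe", "cmdline": "WmiPrvSE.exe"},
    # the WMI-created process from the T1047 row, with a constructed DLL name
    {"pid": 1001, "ppid": 900, "image": r"C:\windows\system32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\payload.dll"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\windows\system32\regsvr32.exe",
     "parent_image": r"C:\windows\system32\cmd.exe",
     "cmdline": r"C:\windows\system32\regsvr32.exe /s /iC:\windows\payload.dll"},
    {"pid": 1003, "ppid": 1001, "image": r"C:\Windows\System32\wevtutil.exe",
     "parent_image": r"C:\windows\system32\cmd.exe", "cmdline": "wevtutil cl system"},
    {"pid": 1004, "ppid": 1001, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\windows\system32\cmd.exe",
     "cmdline": r"rundll32.exe C:\windows\payload.dll,#1"},
    # benign activity that must not match
    {"pid": 2001, "ppid": 2000, "image": r"C:\Windows\System32\regsvr32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"regsvr32.exe /s C:\Program Files\App\app.dll"},
    {"pid": 2002, "ppid": 2000, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe"},
    {"pid": 2003, "ppid": 2000, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]

DLL_RE = re.compile(r"(?i)([a-z]:\\[^\s,\"]+\.dll)")
# Assumed heuristic: DLLs loaded by rundll32 from these directories are treated as expected.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def ancestors(rec, by_pid):
    """Yield parent records by walking ppid links; stops at an unknown pid or a cycle."""
    seen = set()
    cur = by_pid.get(rec["ppid"])
    while cur is not None and cur["pid"] not in seen:
        seen.add(cur["pid"])
        yield cur
        cur = by_pid.get(cur["ppid"])


def evaluate(records):
    """Return {pid: [rule names]} for records matching any of the chains above."""
    by_pid = {r["pid"]: r for r in records}
    hits = defaultdict(list)
    for r in records:
        img, cmd = basename(r["image"]), r["cmdline"]
        lineage = [basename(a["image"]) for a in ancestors(r, by_pid)]
        if img == "cmd.exe" and basename(r["parent_image"]) == "wmiprvse.exe":
            hits[r["pid"]].append("wmi_spawned_cmd")          # T1047
        # /s and /i together; "/i" may be glued to the path, as in the T1047 row
        if img == "regsvr32.exe" and re.search(r"(?i)\s/s\b", cmd) and re.search(r"(?i)\s/i", cmd):
            hits[r["pid"]].append("regsvr32_silent_install")  # T1218.010
            if "wmiprvse.exe" in lineage:
                hits[r["pid"]].append("regsvr32_under_wmi")
        if img == "rundll32.exe":
            m = DLL_RE.search(cmd)
            if m and not m.group(1).lower().startswith(SYSTEM_DIRS):
                hits[r["pid"]].append("rundll32_dll_outside_system_dirs")  # T1218.011 (heuristic)
        if img == "wevtutil.exe" and re.search(r"(?i)\bcl\b", cmd):
            hits[r["pid"]].append("wevtutil_clear_log")       # T1070.001
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in evaluate(SAMPLE_PROCESSES).items():
        print(pid, ", ".join(rules))
```

Walking the parent chain rather than checking only the immediate parent is what lets the regsvr32 record be tied back to WmiPrvSE.exe even though cmd.exe sits between them, which is exactly the chain the T1047 row spells out.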