{"description": "Enterprise techniques used by Hikit, ATT&CK software S0009 (v1.3)", "name": "Hikit (S0009)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has used HTTP for C2.(Citation: FireEye HIKIT Rootkit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has the ability to create a remote shell and run given commands.(Citation: FireEye HIKIT Rootkit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Hikit](https://attack.mitre.org/software/S0009) can upload files from compromised machines.(Citation: Novetta-Axiom)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Hikit](https://attack.mitre.org/software/S0009) performs XOR encryption.(Citation: Novetta-Axiom)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has used [DLL](https://attack.mitre.org/techniques/T1574/001) to load oci.dll as a persistence mechanism.(Citation: FireEye Hikit Rootkit)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has the ability to download files to a compromised host.(Citation: Novetta-Axiom)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1566", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has been spread through spear phishing.(Citation: Novetta-Axiom)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Hikit](https://attack.mitre.org/software/S0009) supports peer connections.(Citation: Novetta-Axiom)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[Hikit](https://attack.mitre.org/software/S0009) is a [Rootkit](https://attack.mitre.org/techniques/T1014) that has been used by [Axiom](https://attack.mitre.org/groups/G0001).(Citation: FireEye Hikit Rootkit) (Citation: FireEye HIKIT Rootkit Part 2) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.004", "comment": "[Hikit](https://attack.mitre.org/software/S0009) installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher.(Citation: Sood and Enbody)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1553.006", "comment": "[Hikit](https://attack.mitre.org/software/S0009) has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.(Citation: FireEye HIKIT Rootkit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Hikit", "color": "#66b1ff"}]}