{
  "description": "Enterprise techniques used by HOPLIGHT, ATT&CK software S0376 (v1.3)",
  "name": "HOPLIGHT (S0376)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) can launch cmd.exe to execute commands on the system.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has utilized Zlib compression to obfuscate the communications payload.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1652", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) can enumerate device drivers located in the registry at `HKLM\\Software\\WBEM\\WDM`.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1546", "showSubtechniques": true},
    {"techniqueID": "T1546.003", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) can use WMI event subscriptions to create persistence.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has used its C2 channel to exfiltrate data.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1008", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has multiple C2 channels in place in case one fails.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has been observed enumerating system drives and partitions.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.004", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has modified the firewall using [netsh](https://attack.mitre.org/software/S0108).(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has the ability to connect to a remote host in order to upload and download files.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1112", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has connected outbound over TCP port 443 with a FakeTLS method.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.002", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has the capability to harvest credentials and passwords from the SAM database.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1055", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has injected into running processes.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has multiple proxy options that mask traffic between the malware and the remote operators.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1012", "comment": "A variant of [HOPLIGHT](https://attack.mitre.org/software/S0376) hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\\CurrentControlSet\\Control\\Lsa Name.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has been observed collecting victim machine information like OS version, volume information, and more.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has used svchost.exe to execute a malicious DLL.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1124", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has been observed collecting system time from victim machines.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1550", "showSubtechniques": true},
    {"techniqueID": "T1550.002", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has been observed loading several APIs associated with Pass the Hash.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[HOPLIGHT](https://attack.mitre.org/software/S0376) has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.(Citation: US-CERT HOPLIGHT Apr 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by HOPLIGHT", "color": "#66b1ff"}]
}