{"description": "Enterprise techniques used by HermeticWizard, ATT&CK software S0698 (v1.1)", "name": "HermeticWizard (S0698)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can use a list of hardcoded credentials in an attempt to authenticate to SMB shares.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can use `cmd.exe` for execution on compromised hosts.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has the ability to use `wevtutil cl system` to clear event logs.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.001", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can execute files on remote machines using DCOM.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1570", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can copy files to other machines on a compromised network.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has been named `exec_32.dll` to mimic a legitimate MS Outlook DLL.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can connect to remote shares using `WNetAddConnection2W`.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has the ability to scan ports on a compromised network.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has the ability to encrypt PE files with a reverse XOR loop.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can find machines on the local network by gathering known local IP addresses through `DNSGetCacheDataTable`, `GetIpNetTable`, `WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)`, `NetServerEnum`, `GetTcpTable`, and `GetAdaptersAddresses`.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has been signed by valid certificates assigned to Hermetica Digital.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has used `regsvr32.exe /s /i` to execute malicious payloads.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) has the ability to create a new process using `rundll32`.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can use `OpenRemoteServiceManager` to create a service.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[HermeticWizard](https://attack.mitre.org/software/S0698) can use WMI to create a new process on a remote machine via `C:\\windows\\system32\\cmd.exe /c start C:\\windows\\system32\\\\regsvr32.exe /s /i C:\\windows\\.dll`.(Citation: ESET Hermetic Wizard March 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HermeticWizard", "color": "#66b1ff"}]}
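Added example, not part of the ATT&CK layer above or of ESET's reporting: the code reads a Navigator layer in the format shown (a trimmed, constructed excerpt is embedded so it runs offline), lists the technique IDs the layer actually scores, and runs a few process-creation matching rules derived from the layer's comments (`wevtutil cl system`, `regsvr32.exe /s /i`, the WMI-launched `cmd.exe /c start ... regsvr32.exe` chain, and the `exec_32.dll` name) over constructed sample events. The event field names, the regexes, the assumption that a `Win32_Process.Create` child shows up with `WmiPrvSE.exe` as its parent, and the assumption that a legitimate `exec_32.dll` lives under a Microsoft Office directory are all ours, not the page's. T1218.011 is deliberately left without a rule so the coverage check has something to report.

```python
"""Added example: map Sysmon/4688-style process-creation events to the
HermeticWizard techniques scored in a Navigator layer. Layer excerpt,
events, regexes and parent-process assumptions are constructed here."""
import json
import re

# Constructed excerpt of the layer above; only fields the code reads are kept.
LAYER_JSON = """
{"name": "HermeticWizard (S0698)", "domain": "enterprise-attack",
 "techniques": [
   {"techniqueID": "T1070", "showSubtechniques": true},
   {"techniqueID": "T1070.001", "score": 1, "comment": "wevtutil cl system"},
   {"techniqueID": "T1218", "showSubtechniques": true},
   {"techniqueID": "T1218.010", "score": 1, "comment": "regsvr32.exe /s /i"},
   {"techniqueID": "T1218.011", "score": 1, "comment": "rundll32"},
   {"techniqueID": "T1047", "score": 1, "comment": "WMI -> cmd.exe /c start regsvr32.exe"},
   {"techniqueID": "T1036.005", "score": 1, "comment": "named exec_32.dll"}
 ]}
"""


def scored_techniques(layer_text):
    """IDs the layer scores. Parent rows (T1070, T1218) carry no score;
    they exist only so Navigator expands the sub-technique rows."""
    layer = json.loads(layer_text)
    return {t["techniqueID"] for t in layer["techniques"] if t.get("score", 0) > 0}


def _base(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


# wevtutil clearing the System log (T1070.001 in the layer).
RE_WEVTUTIL = re.compile(r"\bwevtutil(?:\.exe)?\s+cl\s+system\b", re.I)


def rule_t1070_001(ev):
    return bool(RE_WEVTUTIL.search(ev["command_line"]))


def rule_t1218_010(ev):
    # regsvr32 itself, run silently (/s) with an install call (/i or /i:arg).
    toks = ev["command_line"].lower().split()
    return (_base(ev["image"]) == "regsvr32.exe"
            and "/s" in toks and any(t.startswith("/i") for t in toks))


def rule_t1047(ev):
    # Assumption: a Win32_Process.Create child runs under WmiPrvSE.exe.
    cl = ev["command_line"].lower()
    return (_base(ev["parent_image"]) == "wmiprvse.exe"
            and _base(ev["image"]) == "cmd.exe"
            and " start " in cl and "regsvr32" in cl)


def rule_t1036_005(ev):
    # Assumption: a genuine exec_32.dll lives under a Microsoft Office directory.
    return any(_base(tok) == "exec_32.dll" and "microsoft office" not in tok.lower()
               for tok in ev["command_line"].split())


RULES = {
    "T1070.001": rule_t1070_001,
    "T1218.010": rule_t1218_010,
    "T1047": rule_t1047,
    "T1036.005": rule_t1036_005,
}


def match_event(ev):
    """Sorted technique IDs whose rule fires on one event."""
    return sorted(tid for tid, pred in RULES.items() if pred(ev))


def scan(events):
    """(index, matched IDs) for every event that matched at least one rule."""
    return [(i, m) for i, ev in enumerate(events) if (m := match_event(ev))]


def uncovered(layer_text):
    """Scored techniques in the layer that no rule here detects."""
    return sorted(scored_techniques(layer_text) - set(RULES))


# Constructed events: the first three mimic the chain described in the layer,
# the last two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    {"parent_image": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "command_line": "C:\\windows\\system32\\cmd.exe /c start "
                     "C:\\windows\\system32\\regsvr32.exe /s /i C:\\windows\\exec_32.dll"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "C:\\windows\\system32\\regsvr32.exe /s /i C:\\windows\\exec_32.dll"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "command_line": "wevtutil cl system"},
    {"parent_image": "C:\\Windows\\System32\\msiexec.exe",
     "image": "C:\\Windows\\System32\\regsvr32.exe",
     "command_line": "C:\\Windows\\System32\\regsvr32.exe /s C:\\Program Files\\Vendor\\ctl.dll"},
    {"parent_image": "C:\\Windows\\System32\\cmd.exe",
     "image": "C:\\Windows\\System32\\wevtutil.exe",
     "command_line": "wevtutil qe Security /c:5"},
]

if __name__ == "__main__":
    for idx, ids in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(ids)}")
    print("no rule yet for:", ", ".join(uncovered(LAYER_JSON)))
```

The `/i` token check matters: `regsvr32 /s <dll>` on its own is routine installer behaviour, and the layer only records the `/s /i` form, so the rule keys on both switches plus the image name rather than on any regsvr32 launch. Reading the scored IDs back out of the layer turns the same JSON you load into Navigator into a checklist for which behaviours your telemetry rules actually cover.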