Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise.^[1]^[2]

Type: MALWARE

Platforms: Windows

Contributors: Christopher Glyer, Mandiant, @cglyer

Version: 1.3

Created: 31 May 2017

Last Modified: 20 March 2023

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Hikit has used HTTP for C2.^[3]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Hikit has the ability to create a remote shell and run given commands.^[3]
Enterprise	T1005		Data from Local System	Hikit can upload files from compromised machines.^[1]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Hikit performs XOR encryption.^[1]
Enterprise	T1574	.001	Hijack Execution Flow: DLL Search Order Hijacking	Hikit has used DLL Search Order Hijacking to load `oci.dll` as a persistence mechanism.^[2]
Enterprise	T1105		Ingress Tool Transfer	Hikit has the ability to download files to a compromised host.^[1]
Enterprise	T1566		Phishing	Hikit has been spread through spear phishing.^[1]
Enterprise	T1090	.001	Proxy: Internal Proxy	Hikit supports peer connections.^[1]
Enterprise	T1014		Rootkit	Hikit is a Rootkit that has been used by Axiom.^[2] ^[3]
Enterprise	T1553	.004	Subvert Trust Controls: Install Root Certificate	Hikit uses `certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root` and `certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher` to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.^[3]
		.006	Subvert Trust Controls: Code Signing Policy Modification	Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.^[3]

ID	Name	References
G0001	Axiom	^[1]^[4]