{"description": "Enterprise techniques used by HeartCrypt, ATT&CK software S9018 (v1.0)", "name": "HeartCrypt (S9018)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can set the `CurrentVersion\\Run` key to establish persistence.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can use the `reg add` command via `cmd.exe` for Registry modification.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can decrypt payloads prior to execution.(Citation: Palo Alto HeartCrypt DEC 2024)(Citation: Check Point Blind Eagle MAR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.008", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can append a BMP header to encoded malicious payloads to masquerade them as BMP files.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can use Windows API functions to modify the Registry and `FindResourceW`, `LoadResource`, and `LockResource` to acquire a pointer to corresponding code resources.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can add several hundred thousand kilobytes of null padding to payloads before saving onto the file system.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) can pack malicious Windows x86 and .NET payloads in order to evade detection.(Citation: Palo Alto HeartCrypt DEC 2024)(Citation: Check Point Blind Eagle MAR 2025)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) strings are encrypted via a single-byte XOR operation rotating over a hard-coded key, possibly provided by the PaaS customers.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.004", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) has the ability to use `NtQueueApcThread` as an alternate method for process injection.(Citation: Palo Alto HeartCrypt DEC 2024)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "For .NET payloads, [HeartCrypt](https://attack.mitre.org/software/S9018) can use process hollowing to inject into processes spawned by csc.exe or AppLaunch.exe.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[HeartCrypt](https://attack.mitre.org/software/S9018) will attempt to load non-existent DLLs in an attempt to detect sandbox creation of a dummy DLL to prevent the program from crashing.(Citation: Palo Alto HeartCrypt DEC 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HeartCrypt", "color": "#66b1ff"}]}