{"description": "Enterprise techniques used by HiddenFace, ATT&CK software S9023 (v1.0)", "name": "HiddenFace (S9023)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1005", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can collect files from the victim machine and upload them to C2 nodes.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) has the ability to decrypt its payload prior to execution.(Citation: ESET HiddenFace 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1686", "showSubtechniques": true}, {"techniqueID": "T1686.003", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can reconfigure the Windows firewall to enable communication by adding a rule named \u201cCortana\u201d that allows inbound connections to TCP/47000.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) has used a domain generation algorithm (DGA) to derive C2 domains.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: Trend Micro Earth Kasha Updates APR 2025)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can use a randomly selected symmetric encryption algorithm for C2.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1573.002", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can use RSA-2048 alongside symmetric algorithms for C2.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can check for the presence of specific analysis tools and will terminate itself if they are found.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480.002", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can create a mutex to ensure only one instance is running at a time.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) has exploited vulnerabilities in FortiOS/FortiProxy devices for initial access.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) supports active and passive C2 modes, each with its own encryption algorithms and backdoor command set.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.006", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can alter timestamps for directory content on targeted machines.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can download files from the C2 to victim systems.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can store its configuration in the Registry.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can use a custom TCP protocol over port 443 for C2.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023)'s passive mode listens on TCP port 47000.(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.007", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can dynamically resolve Windows APIs.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) has encrypted its payload with AES.(Citation: ESET HiddenFace 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can check running processes against a list of blocklisted applications.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can inject code directly into legitimate applications.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1572", "comment": 
"[HiddenFace](https://attack.mitre.org/software/S9023) can conceal the DNS resolution of its C2 domains by using DNS over HTTPS (DoH).(Citation: Trend Micro Earth Kasha Updates APR 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can act as an internal HTTP proxy within the targeted environment.(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) has used scheduled tasks for execution and persistence.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can identify running processes associated with security applications and tooling.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can enumerate the hostname and username of the compromised system.(Citation: ESET HiddenFace 2024)(Citation: Trend Micro Earth Kasha NOV 2024)(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can collect the username associated with the compromised host.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1127", "showSubtechniques": true}, {"techniqueID": "T1127.001", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can execute 
a malicious XML file using MSBuild.(Citation: JPCERT MirrorFace JUL 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.003", "comment": "[HiddenFace](https://attack.mitre.org/software/S9023) can sleep for a random interval between 30 and 60 seconds to avoid behavioral analysis.(Citation: ESET HiddenFace 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by HiddenFace", "color": "#66b1ff"}]}
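The T1686.003, T1571 and T1008 entries in the layer above describe a concrete host-level footprint for HiddenFace's passive C2 mode: an added Windows firewall rule named "Cortana" that allows inbound TCP/47000, and a process listening on that port. The check below is an added example written for this page; it is not part of the ATT&CK layer, of HiddenFace, or of any of the cited vendor reports. The record field names are assumptions modeled loosely on `Get-NetFirewallRule`/`Get-NetFirewallPortFilter` and `Get-NetTCPConnection -State Listen` output, and the sample records are constructed for the demonstration, not real telemetry.

```python
"""Hunt for the HiddenFace passive-mode footprint: the "Cortana" inbound
firewall rule for TCP/47000 and a process listening on TCP 47000.

Added example for this layer. Field names and sample records are constructed
(modeled on Get-NetFirewallRule / Get-NetFirewallPortFilter and
Get-NetTCPConnection -State Listen output); they are not real telemetry."""
from dataclasses import dataclass

HIDDENFACE_PASSIVE_PORT = 47000   # passive-mode listener port reported for HiddenFace
HIDDENFACE_RULE_NAME = "cortana"  # display name of the added firewall rule (matched case-insensitively)


@dataclass(frozen=True)
class FirewallRule:
    display_name: str
    direction: str   # "Inbound" or "Outbound"
    action: str      # "Allow" or "Block"
    protocol: str    # "TCP", "UDP" or "Any"
    local_port: str  # "Any", a single port, a range "lo-hi", or a comma-separated list
    enabled: bool


@dataclass(frozen=True)
class Listener:
    protocol: str
    local_port: int
    pid: int
    image: str       # path of the owning process (constructed field)


def port_matches(spec: str, port: int) -> bool:
    """True if a LocalPort specification ("Any", "47000", "47000-47010", "80,443") covers port."""
    spec = spec.strip()
    if spec.lower() == "any":
        return True
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (p.strip() for p in part.split("-", 1))
            if lo.isdigit() and hi.isdigit() and int(lo) <= port <= int(hi):
                return True
        elif part.isdigit() and int(part) == port:
            return True
    return False


def rule_findings(rules):
    """Return (display_name, [reasons]) for every rule matching a HiddenFace indicator.

    The name check fires regardless of state (a disabled or outbound rule named
    "Cortana" is still worth a look); the port check only fires for an enabled
    inbound allow rule that actually exposes TCP/47000."""
    findings = []
    for r in rules:
        reasons = []
        if r.display_name.strip().lower() == HIDDENFACE_RULE_NAME:
            reasons.append("display name matches the HiddenFace-added rule")
        if (r.enabled
                and r.direction.lower() == "inbound"
                and r.action.lower() == "allow"
                and r.protocol.lower() in ("tcp", "any")
                and port_matches(r.local_port, HIDDENFACE_PASSIVE_PORT)):
            reasons.append(f"enabled inbound allow covering TCP/{HIDDENFACE_PASSIVE_PORT}")
        if reasons:
            findings.append((r.display_name, reasons))
    return findings


def listener_findings(listeners):
    """Return (pid, image) for every TCP listener on the HiddenFace passive port."""
    return [(l.pid, l.image) for l in listeners
            if l.protocol.upper() == "TCP" and l.local_port == HIDDENFACE_PASSIVE_PORT]


def hunt(rules, listeners):
    return {"rules": rule_findings(rules), "listeners": listener_findings(listeners)}


# Constructed sample telemetry: a benign RDP rule, the HiddenFace-style rule, a range
# rule that happens to cover 47000, and a disabled rule that must not fire the port check.
SAMPLE_RULES = [
    FirewallRule("Remote Desktop - User Mode (TCP-In)", "Inbound", "Allow", "TCP", "3389", True),
    FirewallRule("Cortana", "Inbound", "Allow", "TCP", "47000", True),
    FirewallRule("Contoso Agent", "Inbound", "Allow", "TCP", "47000-47010", True),
    FirewallRule("Old Test", "Inbound", "Allow", "TCP", "47000", False),
]
SAMPLE_LISTENERS = [
    Listener("TCP", 135, 908, r"C:\Windows\System32\svchost.exe"),
    Listener("TCP", 47000, 4412, r"C:\Users\Public\update.exe"),
    Listener("UDP", 47000, 1200, r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    result = hunt(SAMPLE_RULES, SAMPLE_LISTENERS)
    for name, reasons in result["rules"]:
        print(f"rule {name!r}: {'; '.join(reasons)}")
    for pid, image in result["listeners"]:
        print(f"listener pid {pid} ({image}) on TCP/{HIDDENFACE_PASSIVE_PORT}")
```

On a live host the same functions can be fed from PowerShell exports (`Get-NetFirewallRule` joined with `Get-NetFirewallPortFilter` for the rules, `Get-NetTCPConnection -State Listen` for the listeners). A listener on TCP 47000 by itself is a weak signal, since any software can pick that port; weigh it together with the rule name and the image path of the listening process, and treat a rule named "Cortana" that allows inbound traffic to an arbitrary high port as the stronger of the two indicators.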