Hikit

Hikit is malware that has been used by Axiom for late-stage persistence and exfiltration after the initial compromise. ^[1] ^[2]

Type: MALWARE

Platforms: Windows

Contributors: Christopher Glyer, FireEye, @cglyer

Version: 1.1

Created: 31 May 2017

Last Modified: 13 May 2020

Techniques Used

Domain	ID		Name	Use
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	Hikit has used HTTP for C2.^[3]
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Hikit has the ability to create a remote shell and run given commands. ^[3]
Enterprise	T1573	.001	Encrypted Channel: Symmetric Cryptography	Hikit performs XOR encryption.^[1]
Enterprise	T1574	.001	Hijack Execution Flow: DLL Search Order Hijacking	Hikit has used DLL Search Order Hijacking to load `oci.dll` as a persistence mechanism.^[2]
Enterprise	T1090	.001	Proxy: Internal Proxy	Hikit supports peer connections.^[1]
Enterprise	T1014		Rootkit	Hikit is a Rootkit that has been used by Axiom.^[2] ^[3]
Enterprise	T1553	.004	Subvert Trust Controls: Install Root Certificate	Hikit uses `certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root` and `certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher` to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.^[3]

ID	Name	References
G0001	Axiom	^[1]