| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | HOPLIGHT has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.[1] |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | HOPLIGHT can use WMI event subscriptions to create persistence.[1] |
| Enterprise | T1090 | Proxy | HOPLIGHT has multiple proxy options that mask traffic between the malware and the remote operators.[1] |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | HOPLIGHT has been observed loading several APIs associated with Pass the Hash.[1] |
| Enterprise | T1112 | Modify Registry | HOPLIGHT has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | HOPLIGHT can launch cmd.exe to execute commands on the system.[1] |
| Enterprise | T1008 | Fallback Channels | HOPLIGHT has multiple C2 channels in place in case one fails.[1] |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.[1] |
| Enterprise | T1083 | File and Directory Discovery | HOPLIGHT has been observed enumerating system drives and partitions.[1] |
| Enterprise | T1012 | Query Registry | A variant of HOPLIGHT hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key |
| Enterprise | T1082 | System Information Discovery | HOPLIGHT has been observed collecting victim machine information like OS version, volume information, and more.[1] |
| Enterprise | T1124 | System Time Discovery | HOPLIGHT has been observed collecting system time from victim machines.[1] |
| Enterprise | T1569.002 | System Services: Service Execution | HOPLIGHT has used svchost.exe to execute a malicious DLL.[1] |
| Enterprise | T1652 | Device Driver Discovery | HOPLIGHT can enumerate device drivers located in the registry at |
| Enterprise | T1105 | Ingress Tool Transfer | HOPLIGHT has the ability to connect to a remote host in order to upload and download files.[1] |
| Enterprise | T1055 | Process Injection | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |
| Enterprise | T1571 | Non-Standard Port | HOPLIGHT has connected outbound over TCP port 443 with a FakeTLS method.[1] |
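Three of the rows above (T1047, T1546.003 and T1112) describe the same persistence chain: MOF files compiled into the WMI repository that register a permanent event subscription. The script below is an added hunting example written for this page, not code from the ATT&CK entry or from HOPLIGHT's reporting. It enumerates every filter-to-consumer binding in `root\subscription`, resolves each to its WQL trigger and its payload, and lists the MOF files registered for auto-recovery, which is where a `#pragma autorecover` MOF ends up after `mofcomp.exe` runs it. The only assumption is that it is run with local administrator rights, which reading `root\subscription` normally requires.

```powershell
# Added example: enumerate WMI permanent event subscriptions and auto-recover MOFs.
# Assumes it is run elevated; root\subscription is not readable by standard users.
$ns = 'root\subscription'

# __EventConsumer is the abstract base class, so querying it returns every concrete
# consumer type (CommandLineEventConsumer, ActiveScriptEventConsumer, ...).
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

function Get-RefName {
    # Filter/Consumer properties are object-path strings such as
    # __EventFilter.Name="BVTFilter"; pull out the Name value.
    param([string]$Ref)
    ([regex]::Match($Ref, 'Name="([^"]*)"')).Groups[1].Value
}

foreach ($b in $bindings) {
    $f = $filters   | Where-Object { $_.Name -eq (Get-RefName $b.Filter) }
    $c = $consumers | Where-Object { $_.Name -eq (Get-RefName $b.Consumer) }

    # What actually executes depends on the consumer class:
    # CommandLineEventConsumer runs a command line, ActiveScriptEventConsumer runs
    # VBScript/JScript in scrcons.exe; anything else is shown by type only.
    $payload = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
               elseif ($c.ScriptText)      { $c.ScriptText }
               elseif ($c.ExecutablePath)  { $c.ExecutablePath }
               else                        { '<non-executable consumer>' }

    [pscustomobject]@{
        Filter       = $f.Name
        Trigger      = $f.Query          # WQL event query, e.g. a timer or process-start event
        ConsumerType = $c.CimClass.CimClassName
        Consumer     = $c.Name
        Payload      = $payload
    }
}

# MOF files compiled with #pragma autorecover are recorded here and are re-applied
# whenever the repository is rebuilt, so a persistence MOF survives repository repair.
Write-Host "`nAuto-recover MOFs:"
(Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Wbem\CIMOM').'Autorecover MOFs' |
    ForEach-Object { $_ }
```

On a clean Windows install the binding list is typically limited to the built-in `BVTFilter` / `BVTConsumer` pair (or is empty), and the auto-recover list contains only MOFs under `%SystemRoot%\System32\wbem`. Any consumer whose payload points at cmd.exe, PowerShell, a script or a file outside system directories, and any auto-recover entry outside the wbem folder, is worth pulling for analysis; pairing this with process-creation telemetry for `mofcomp.exe` and `scrcons.exe` catches the moment the subscription is installed rather than only its aftermath.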