Hi-Zor
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Hi-Zor communicates with its C2 server over HTTPS. (Citation: Fidelis INOCNATION) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Hi-Zor creates a Registry Run key to establish persistence. (Citation: Fidelis INOCNATION) |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Hi-Zor has the ability to create a reverse shell. (Citation: Fidelis INOCNATION) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys. (Citation: Fidelis Hi-Zor) |
| Enterprise | T1573.002 | Encrypted Channel: Asymmetric Cryptography | Hi-Zor encrypts C2 traffic with TLS. (Citation: Fidelis Hi-Zor) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | Hi-Zor deletes its RAT installer file as it executes its DLL payload file. (Citation: Fidelis INOCNATION) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Hi-Zor uses various XOR techniques to obfuscate its components. (Citation: Fidelis INOCNATION) |
| Enterprise | T1218.010 | System Binary Proxy Execution: Regsvr32 | Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism. (Citation: Fidelis INOCNATION) |