G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
Analyst context for executives and security teams
HEXANE matters because ATT&CK tracks it as an espionage group targeting oil and gas, telecommunications, aviation, and internet service provider organizations in the Middle East and Africa since at least 2017. For leaders, the practical issue is not just the group name: the mapped behavior emphasizes credential access, discovery, remote access, PowerShell/post-exploitation frameworks, and Windows backdoors, which can turn a single compromised endpoint into broader intelligence loss and operational exposure in critical sectors.
Executive priority
Prioritize this as a readiness and evidence question: can the organization prove it would see credential dumping, suspicious PowerShell, RDP-based lateral movement, scheduled task persistence, unusual DNS/network activity, and commodity or custom backdoor behavior? For critical infrastructure and service-provider environments, the decision value is validating identity controls, segmentation, SOC telemetry depth, and incident-response playbooks before an espionage intrusion becomes prolonged undetected access.
Technical view
ATT&CK provides no official detection text for HEXANE, so defenders should validate coverage from the related software and techniques. Focus on Windows-heavy behaviors supported by the relationships: Mimikatz, BITSAdmin, PowerShell, scheduled tasks, RDP, discovery utilities such as ping, ipconfig, and netstat, and backdoors including DanBot, Milan, Shark, Kevin, and DnsSystem. SOC content should correlate otherwise-common admin utilities with suspicious parent processes, unusual execution context, command obfuscation, credential-access signals, persistence artifacts, and external network or DNS patterns. Treat Empire and PoshC2 as post-exploitation framework coverage requirements across Windows, Linux, and macOS where those platforms exist in the environment.
Likely telemetry
- Endpoint process creation and command-line telemetry, especially for PowerShell, ping, ipconfig, netstat, BITSAdmin, and scheduled task activity
- Windows security logs and authentication events relevant to RDP use, account logons, privilege use, and lateral movement
- PowerShell script block/module/transcription logging where enabled
- EDR or host telemetry for credential dumping behavior associated with Mimikatz-style activity
- Task Scheduler and BITS job creation/modification records
Detection direction
- Do not rely on single-command alerts for ping, ipconfig, netstat, or process/user discovery; tune for sequences, abnormal hosts, unusual users, rare parent processes, and execution after suspected initial access.
- Validate detection of obfuscated commands and PowerShell execution rather than only known hashes or tool names, because related frameworks can be publicly available or modified.
- Correlate RDP activity with valid-account risk indicators such as unusual source/destination pairs, first-time administrative access, off-hours use, and follow-on discovery or credential access.
- Test visibility into scheduled task and BITSAdmin usage, since both can blend with legitimate Windows administration.
- Ensure DNS and egress monitoring can support investigation of DnsSystem-like backdoor behavior without assuming DNS traffic is benign.
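The detection direction above asks for sequence-based tuning of discovery commands and for catching encoded PowerShell rather than tool names. The following Python is an added example (not ATT&CK, Glexia, or vendor code) that applies both ideas to a handful of constructed process-creation events: it raises one alert when a host/user runs three or more distinct discovery utilities named on this page within ten minutes, and a separate alert for PowerShell launched with an encoded command or from a script host. The event field names, the `wscript.exe` parent mapping for the VBS-to-PowerShell chain, and the thresholds are assumptions for illustration.

```python
"""Correlate discovery bursts and suspicious PowerShell in process-creation telemetry.

Added example over constructed events (Sysmon EID 1 / 4688-style fields); not real data.
"""
import base64
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Discovery utilities named on the page: whoami, net view/localgroup, cmdkey, ipconfig, netstat, ping.
DISCOVERY_IMAGES = {"whoami.exe", "net.exe", "net1.exe", "cmdkey.exe",
                    "ipconfig.exe", "netstat.exe", "ping.exe"}

# Parents that rarely spawn PowerShell legitimately. The page's VBS-launched keylogger would
# surface with a wscript.exe/cscript.exe parent (assumed mapping, not stated by the page).
SUSPICIOUS_PARENTS = {"wscript.exe", "cscript.exe", "mshta.exe",
                      "winword.exe", "excel.exe", "outlook.exe"}

# Matches -e/-ec/-en/-enc/-EncodedCommand followed by a base64 token; -ExecutionPolicy does not match.
ENCODED_FLAG = re.compile(r"(?i)(?<!\S)-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")


def decode_encoded_powershell(cmdline):
    """Return the decoded script behind an encoded-command flag, or None if absent/undecodable."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_discovery_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """One alert per (host, user) running >= min_distinct distinct discovery tools inside window."""
    by_actor = defaultdict(list)
    for ev in events:
        if ev["image"].lower() in DISCOVERY_IMAGES:
            by_actor[(ev["host"], ev["user"])].append(ev)
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort(key=lambda e: parse_ts(e["ts"]))
        for i, start in enumerate(evs):
            t0 = parse_ts(start["ts"])
            seen = []  # ordered list of distinct tools inside the window
            for ev in evs[i:]:
                if parse_ts(ev["ts"]) - t0 > window:
                    break
                if ev["image"].lower() not in seen:
                    seen.append(ev["image"].lower())
            if len(seen) >= min_distinct:
                alerts.append({"rule": "discovery_burst", "host": host, "user": user,
                               "first_seen": start["ts"], "tools": seen})
                break  # later windows for the same actor would only duplicate this alert
    return alerts


def find_suspicious_powershell(events):
    """Flag PowerShell with an encoded command or an unusual parent; report the decoded script."""
    alerts = []
    for ev in events:
        if ev["image"].lower() not in {"powershell.exe", "pwsh.exe"}:
            continue
        reasons = []
        decoded = decode_encoded_powershell(ev["cmdline"])
        if decoded is not None:
            reasons.append("encoded command")
        if ev["parent"].lower() in SUSPICIOUS_PARENTS:
            reasons.append(f"parent {ev['parent'].lower()}")
        if reasons:
            alerts.append({"rule": "suspicious_powershell", "host": ev["host"], "user": ev["user"],
                           "ts": ev["ts"], "reasons": reasons, "decoded": decoded})
    return alerts


def triage(events):
    return find_suspicious_powershell(events) + find_discovery_bursts(events)


def _encode_ps(script):
    """Build an encoded-command argument the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def _ev(ts, host, user, parent, image, cmdline):
    return {"ts": ts, "host": host, "user": user, "parent": parent, "image": image, "cmdline": cmdline}


# Constructed sample: ws01 shows a script host launching encoded PowerShell followed by a run of
# discovery commands; srv-mgmt and ws02 show ordinary admin activity that should stay quiet.
SAMPLE_EVENTS = [
    _ev("2024-05-01T09:01:05", "ws01", "corp\\alice", "wscript.exe", "powershell.exe",
        "powershell.exe -nop -w hidden -enc " + _encode_ps("Get-Process | Out-File C:\\Users\\Public\\p.txt")),
    _ev("2024-05-01T09:01:30", "ws01", "corp\\alice", "powershell.exe", "whoami.exe", "whoami"),
    _ev("2024-05-01T09:02:10", "ws01", "corp\\alice", "powershell.exe", "net.exe", "net localgroup administrators"),
    _ev("2024-05-01T09:02:40", "ws01", "corp\\alice", "powershell.exe", "net.exe", "net view"),
    _ev("2024-05-01T09:03:15", "ws01", "corp\\alice", "powershell.exe", "cmdkey.exe", "cmdkey /list"),
    _ev("2024-05-01T09:04:00", "ws01", "corp\\alice", "powershell.exe", "ipconfig.exe", "ipconfig /all"),
    _ev("2024-05-01T14:00:00", "srv-mgmt", "corp\\bob", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    _ev("2024-05-01T14:05:00", "srv-mgmt", "corp\\bob", "explorer.exe", "powershell.exe",
        "powershell.exe -ExecutionPolicy Bypass -File C:\\ops\\inventory.ps1"),
    _ev("2024-05-01T10:00:00", "ws02", "corp\\carol", "cmd.exe", "ping.exe", "ping fileserver"),
    _ev("2024-05-01T11:00:00", "ws02", "corp\\carol", "cmd.exe", "netstat.exe", "netstat -an"),
]

if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(alert)
```

The single `ipconfig` on srv-mgmt and the hour-apart `ping`/`netstat` on ws02 produce nothing, which is the point of the sequence threshold; the decoded script is attached to the PowerShell alert so an analyst sees content rather than a base64 blob.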
Mitigation priorities
- Harden identity first: enforce strong authentication for remote access, reduce standing administrative privilege, and review accounts permitted to use RDP.
- Reduce lateral movement paths through segmentation, especially between user networks, server environments, and critical service-provider or operationally sensitive systems.
- Enable and retain endpoint, PowerShell, authentication, DNS, and network telemetry needed to investigate the mapped behaviors.
- Constrain and monitor administrative utilities such as PowerShell, BITSAdmin, Task Scheduler, and RDP according to business need.
- Apply credential-protection practices and rapid credential rotation procedures for suspected credential dumping or keylogging incidents.
Analyst notes and limits
The strongest decision-useful signal in the supplied ATT&CK data is the combination of targeted critical sectors/geographies and relationships to credential dumping, discovery, RDP, PowerShell, scheduled tasks, BITSAdmin, and multiple Windows backdoors. The group is also associated with aliases Lyceum, Siamesekitten, and Spirlin. Similarity to APT33 and OilRig is noted by ATT&CK, but the supplied description says HEXANE is tracked separately due to differences in victims and tools.
ATT&CK does not provide official detection guidance, group-level platforms, or group-level tactics for this object. Relationship descriptions include platform details for related tools and techniques, but they do not prove activity in any specific local environment. This take should be used to prioritize validation and hunting, not to assert current exploitation, attribution, or confirmed detection coverage.
HEXANE
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1555 | Credentials from Password Stores | HEXANE has run `cmdkey` on victim machines to identify stored credentials. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1027.010 | Command Obfuscation | HEXANE has used Base64-encoded scripts. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1589 | Gather Victim Identity Information | HEXANE has identified specific potential victims at targeted organizations. (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1082 | System Information Discovery | HEXANE has collected the hostname of a compromised machine. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1583.001 | Domains | HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization. (Citation: SecureWorks August 2019) (Citation: Dragos Hexane) (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1110 | Brute Force | HEXANE has used brute force attacks to compromise valid credentials. (Citation: SecureWorks August 2019) |
| Enterprise | T1053.005 | Scheduled Task | HEXANE has used a scheduled task to establish persistence for a keylogger. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1204.002 | Malicious File | HEXANE has relied on victims executing malicious file attachments delivered via email or embedded within actor-controlled websites to deliver malware. (Citation: SecureWorks August 2019) (Citation: Dragos Hexane) (Citation: ClearSky Siamesekitten August 2021) (Citation: Zscaler Lyceum DnsSystem June 2022) |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | HEXANE has used cloud services, including OneDrive, for data exfiltration. (Citation: Microsoft POLONIUM June 2022) |
| Enterprise | T1585.001 | Social Media Accounts | HEXANE has established fraudulent LinkedIn accounts impersonating HR department employees to target potential victims with fake job offers. (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1016.001 | Internet Connection Discovery | |
| Enterprise | T1546.003 | Windows Management Instrumentation Event Subscription | HEXANE has used WMI event subscriptions for persistence. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1069.001 | Local Groups | HEXANE has run `net localgroup` to enumerate local groups. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1018 | Remote System Discovery | HEXANE has used `net view` to enumerate domain machines. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1021.001 | Remote Desktop Protocol | HEXANE has used remote desktop sessions for lateral movement. (Citation: SecureWorks August 2019) |
| Enterprise | T1586.002 | Email Accounts | HEXANE has used compromised accounts to send spearphishing emails. (Citation: SecureWorks August 2019) |
| Enterprise | T1110.003 | Password Spraying | HEXANE has used password spraying attacks to obtain valid credentials. (Citation: SecureWorks August 2019) |
| Enterprise | T1102.002 | Bidirectional Communication | HEXANE has used cloud services, including OneDrive, for C2. (Citation: Microsoft POLONIUM June 2022) |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1555.003 | Credentials from Web Browsers | |
| Enterprise | T1059.001 | PowerShell | HEXANE has used PowerShell-based tools and scripts for discovery and collection on compromised hosts. (Citation: SecureWorks August 2019) (Citation: Kaspersky APT Trends Q1 April 2021) (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1608.001 | Upload Malware | HEXANE has staged malware on fraudulent websites set up to impersonate targeted organizations. (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1589.002 | Email Addresses | HEXANE has targeted executives, human resources staff, and IT personnel for spearphishing. (Citation: SecureWorks August 2019) (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1585.002 | Email Accounts | HEXANE has established email accounts, including ProtonMail addresses, for use in domain registration. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1033 | System Owner/User Discovery | HEXANE has run `whoami` on compromised machines to identify the current user. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | HEXANE has downloaded additional payloads and malicious scripts onto a compromised host. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1049 | System Network Connections Discovery | |
| Enterprise | T1057 | Process Discovery | HEXANE has enumerated processes on targeted systems. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1056.001 | Keylogging | HEXANE has used a PowerShell-based keylogger named `kl.ps1`. (Citation: SecureWorks August 2019) (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1518 | Software Discovery | HEXANE has enumerated programs installed on an infected machine. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1059.005 | Visual Basic | HEXANE has used a Visual Basic script named `MicrosoftUpdator.vbs` to execute a PowerShell keylogger. (Citation: Kaspersky Lyceum October 2021) |
| Enterprise | T1010 | Application Window Discovery | HEXANE has used a PowerShell-based keylogging tool to capture the window title. (Citation: SecureWorks August 2019) |
| Enterprise | T1591.004 | Identify Roles | HEXANE has identified executives, HR, and IT staff at victim organizations for further targeting. (Citation: SecureWorks August 2019) (Citation: ClearSky Siamesekitten August 2021) |
| Enterprise | T1583.002 | DNS Server | HEXANE has set up custom DNS servers to send commands to compromised hosts via TXT records. (Citation: Zscaler Lyceum DnsSystem June 2022) |
| Enterprise | T1534 | Internal Spearphishing | HEXANE has conducted internal spearphishing attacks against executives, HR, and IT personnel to gain information and access. (Citation: SecureWorks August 2019) |
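The T1583.002 row (commands delivered through TXT records from actor-controlled DNS servers) and the detection note about not assuming DNS traffic is benign both point at the same hunt: which client is pulling many unique, high-entropy TXT names out of a single zone? The Python below is an added example, not code from ATT&CK, Glexia, or any cited vendor. It parses constructed query-log lines, groups TXT queries per (client, zone), and scores each group on query count, unique names, and the Shannon entropy of the leftmost label. The log format, the `.test` zones, the two-label definition of "zone" (no public suffix list), and the thresholds are all assumptions for illustration.

```python
"""Score DNS query logs for TXT-record command channels (added example, constructed data)."""
import math
from collections import defaultdict

# Constructed log lines: "<timestamp> <client> <qtype> <qname>". ws01 pulls six unique TXT names from
# one zone; mail01 does ordinary DMARC lookups; ws03 repeats one legitimate-looking TXT name.
SAMPLE_DNS_LOG = """\
2024-05-01T09:05:01 ws01 A login.corp-portal.test
2024-05-01T09:05:02 ws01 TXT q8v2ks0d7h3z.k1.sync-cdn.test
2024-05-01T09:06:02 ws01 TXT m4xp1rt9cw6b.k1.sync-cdn.test
2024-05-01T09:07:02 ws01 TXT e7ln2ja5fy0u.k1.sync-cdn.test
2024-05-01T09:08:02 ws01 TXT t3gq8ow1zd5k.k1.sync-cdn.test
2024-05-01T09:09:02 ws01 TXT b6rv4mx0ph9c.k1.sync-cdn.test
2024-05-01T09:10:02 ws01 TXT s1yk7dj3an8e.k1.sync-cdn.test
2024-05-01T09:11:00 mail01 TXT _dmarc.partner-a.test
2024-05-01T09:11:01 mail01 TXT _dmarc.partner-b.test
2024-05-01T09:11:02 mail01 TXT partner-b.test
2024-05-01T09:12:00 ws03 TXT _acme-challenge.corp-app.test
2024-05-01T09:12:30 ws03 TXT _acme-challenge.corp-app.test
2024-05-01T09:13:00 ws03 TXT _acme-challenge.corp-app.test
2024-05-01T09:13:30 ws03 TXT _acme-challenge.corp-app.test
2024-05-01T09:14:00 ws03 TXT _acme-challenge.corp-app.test
2024-05-01T09:14:30 ws03 TXT _acme-challenge.corp-app.test
this line is malformed and must be skipped
"""


def parse_dns_log(text):
    """Yield one record per well-formed line; malformed lines are dropped rather than crashing."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qtype, qname = parts
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(),
                        "qname": qname.rstrip(".").lower()})
    return records


def registered_domain(qname):
    """Assumed zone = last two labels; a real deployment would consult a public suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than words or fixed prefixes."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / len(s)) * math.log2(c / len(s)) for c in counts.values())


def score_txt_channels(records, min_queries=5, min_unique=4, min_entropy=3.0):
    """Return groups of (client, zone) whose TXT traffic looks like a command channel.

    All three thresholds must be met: volume alone would flag mail servers, unique names alone
    would flag a noisy validator, and entropy alone would flag any hashed CDN hostname.
    """
    groups = defaultdict(list)
    for r in records:
        if r["qtype"] == "TXT":
            groups[(r["client"], registered_domain(r["qname"]))].append(r["qname"])
    findings = []
    for (client, zone), names in groups.items():
        unique = sorted(set(names))
        labels = [n.split(".")[0] for n in unique]
        avg_entropy = sum(shannon_entropy(l) for l in labels) / len(labels)
        if len(names) >= min_queries and len(unique) >= min_unique and avg_entropy >= min_entropy:
            findings.append({"client": client, "zone": zone, "txt_queries": len(names),
                             "unique_names": len(unique), "avg_label_entropy": avg_entropy})
    return sorted(findings, key=lambda f: -f["txt_queries"])


if __name__ == "__main__":
    for finding in score_txt_channels(parse_dns_log(SAMPLE_DNS_LOG)):
        print(finding)
```

In practice the thresholds are tuned per environment against a baseline of normal TXT lookups (SPF, DMARC, domain verification), and a hit is a lead for investigation of the client and zone, not proof of DnsSystem or of HEXANE.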
Groups, software, and campaigns
S1015: Milan
S0097: Ping
S0104: netstat
S0190: BITSAdmin
S1019: Shark
S1021: DnsSystem
S1014: DanBot
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0100: ipconfig
S0002: Mimikatz
S1020: Kevin
S0378: PoshC2
PoshC2 is an open source remote administration and post-exploitation framework that is publicly available on GitHub. The server-side components of the tool are primarily written in Python, while the implants are written in PowerShell. Although PoshC2 is primarily focused on Windows implantation, it does contain a basic Python dropper for Linux/macOS.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.3 | | Current bundle | 00d73bce12ef… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Dragos Hexane: Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
[2] Kaspersky Lyceum October 2021: Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022.
[3] ClearSky Siamesekitten August 2021: ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
[4] Accenture Lyceum Targets November 2021: Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022.
[5] Lyceum (alias; citation: SecureWorks August 2019)
[6] SecureWorks August 2019: SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019.
[7] Siamesekitten (alias; citation: ClearSky Siamesekitten August 2021)
[8] Spirlin (alias; citation: Accenture Lyceum Targets November 2021)
[9] mitre-attack: G1001
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.