S0009: Hikit
Analyst context for executives and security teams
Hikit matters because ATT&CK describes it as Windows malware used for late-stage persistence and exfiltration after an initial compromise. For leaders, the key issue is not initial infection alone but whether the organization can find a deeply embedded, stealthy foothold before data collection, command-and-control, proxying, and exfiltration mature into a larger incident.
Executive priority
Prioritize Hikit as a resilience and incident-readiness scenario: assume a compromised Windows host may already be past initial access and operating with rootkit-style stealth. Executives should ask whether teams can produce evidence for endpoint integrity, suspicious command execution, unexpected certificate or code-signing policy changes, internal proxy behavior, tool transfer, and outbound web-based command-and-control. This is especially relevant for organizations that need defensible audit evidence around monitoring, incident response, and protection of sensitive local data.
Technical view
ATT&CK provides no detection text specific to Hikit, so validation should be driven by the linked behaviors: Data from Local System (T1005), Rootkit (T1014), Windows Command Shell (T1059.003), Web Protocols (T1071.001), Internal Proxy (T1090.001), Ingress Tool Transfer (T1105), Install Root Certificate (T1553.004), Code Signing Policy Modification (T1553.006), Phishing (T1566), Symmetric Cryptography (T1573.001), and DLL hijacking (T1574.001). SOC and IR teams should test whether Windows endpoint telemetry, network telemetry, certificate store monitoring, code-signing policy visibility, and command-line logging can reconstruct these behaviors together rather than as isolated alerts. Because a kernel-mode rootkit can hide files, services, drivers, network connections, or processes from the live operating system, responders should not rely only on normal host views when investigating suspected late-stage persistence; compare live enumeration against an out-of-band source such as a memory capture, an offline disk image, or network-side flow records.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe activity
- Endpoint driver, service, DLL load, and module execution evidence
- File system access to sensitive local data and staging locations
- Certificate store and trusted root certificate change events
- Code-signing policy or driver signature enforcement related changes where observable
Detection direction
- Map detections to the relationship chain rather than to the malware name alone: collection, stealth/rootkit behavior, Windows shell execution, web C2, internal proxying, tool transfer, certificate trust changes, code-signing policy modification, phishing, encrypted C2, and DLL hijacking.
- Validate that endpoint and network controls can correlate a Windows host showing unusual command execution with suspicious web traffic, tool ingress, local data access, or proxy behavior.
- Treat rootkit-related findings as high-investigation value because normal OS-level enumeration may be incomplete or manipulated.
- Tune web-protocol detections carefully: HTTP/S is common, so focus on unusual destinations, host roles, timing, proxy patterns, and correlation with endpoint behaviors rather than protocol use alone.
- Review false positives for administrative tooling, software deployment, certificate management, and legitimate DLL loading, but require change records or owner confirmation for sensitive trust and signing policy changes.
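The telemetry list and detection direction above describe a correlation model rather than a single signature. The following is an added example (not Glexia or MITRE code) of that model in Python: it classifies Sysmon-style events into the chain links the page names (T1059.003, T1071.001, T1105, T1553.004, T1553.006), finds the densest one-hour window of distinct links per host, and applies the escalation rule from the list above, where any trust-store or signing-policy change is held for change-record confirmation. The event field names, the allowlists, the 60-minute window, the code-integrity registry watchlist, and the sample events are all assumptions constructed for illustration; the SystemCertificates registry paths are the documented backing store for the machine Root and TrustedPublisher stores.

```python
"""Correlate Windows endpoint and network telemetry against the Hikit relationship chain.

Added example. Field names, allowlists, window size and sample events are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Optional

WINDOW = timedelta(minutes=60)  # assumed correlation window; tune per environment

# Parents from which an interactive cmd.exe is expected (assumed allowlist).
INTERACTIVE_PARENTS = {"explorer.exe", "powershell.exe", "windowsterminal.exe", "code.exe"}
# Processes expected to speak HTTP/S directly (assumed allowlist; add proxy/update agents locally).
WEB_CLIENTS = {"chrome.exe", "msedge.exe", "firefox.exe", "outlook.exe", "teams.exe"}
# Writers allowed to drop binaries into staging directories (assumed allowlist).
STAGING_WRITERS = WEB_CLIENTS | {"msiexec.exe"}
# Registry backing store for the machine Root and TrustedPublisher stores (T1553.004).
CERT_STORE_KEYS = (
    "\\SystemCertificates\\Root\\Certificates\\",
    "\\SystemCertificates\\TrustedPublisher\\Certificates\\",
)
# Assumed watchlist for code-integrity / driver-signing policy keys (T1553.006); tune locally.
SIGNING_POLICY_KEYS = ("\\Control\\CI\\",)
TRUST_TECHNIQUES = {"T1553.004", "T1553.006"}
STAGED_EXTENSIONS = (".exe", ".dll", ".sys")
STAGING_DIRS = ("\\programdata\\", "\\temp\\")


def _base(image: str) -> str:
    """Lower-cased file name of a Windows image path."""
    return image.rsplit("\\", 1)[-1].lower()


def classify(ev: dict) -> Optional[str]:
    """Map one event to the ATT&CK technique it evidences, or None if it looks benign."""
    kind = ev["event"]
    if kind == "process_create" and _base(ev["image"]) == "cmd.exe":
        if _base(ev["parent"]) not in INTERACTIVE_PARENTS:
            return "T1059.003"  # Windows Command Shell from a non-interactive parent
    elif kind == "network_connect" and ev["dst_port"] in (80, 443):
        if _base(ev["image"]) not in WEB_CLIENTS:
            return "T1071.001"  # HTTP/S from a process that has no business speaking it
    elif kind == "registry_set":
        target = ev["target"]
        if any(k in target for k in CERT_STORE_KEYS):
            return "T1553.004"  # new Root / Trusted Publisher certificate blob
        if any(k in target for k in SIGNING_POLICY_KEYS):
            return "T1553.006"  # code-signing / driver-signing policy change
    elif kind == "file_create":
        path = ev["path"].lower()
        if path.endswith(STAGED_EXTENSIONS) and any(d in path for d in STAGING_DIRS):
            if _base(ev["image"]) not in STAGING_WRITERS:
                return "T1105"  # binary staged by an unexpected writer (Ingress Tool Transfer)
    return None


def _verdict(techs: set) -> str:
    # Three or more chain links in one window is an incident-readiness trigger. Any trust
    # change is held for review until a change record or owner confirmation exists.
    if len(techs) >= 3:
        return "escalate"
    if techs & TRUST_TECHNIQUES or len(techs) == 2:
        return "review"
    return "none"


def correlate(events: list) -> dict:
    """Per host, find the densest WINDOW of distinct techniques and assign a verdict."""
    flagged = defaultdict(list)
    for ev in events:
        tech = classify(ev)
        if tech:
            flagged[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tech))
    results = {}
    for host, hits in flagged.items():
        hits.sort()
        best = set()
        for i, (t0, _) in enumerate(hits):
            seen = {tech for t, tech in hits[i:] if t - t0 <= WINDOW}
            if len(seen) > len(best):
                best = seen
        results[host] = {"techniques": sorted(best), "verdict": _verdict(best)}
    return results


SAMPLE_EVENTS = [  # constructed for this example; not real telemetry
    {"ts": "2024-05-01T09:02:00", "host": "WS-07", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\System32\rundll32.exe"},
    {"ts": "2024-05-01T09:05:30", "host": "WS-07", "event": "network_connect",
     "image": r"C:\Windows\System32\rundll32.exe", "dst_ip": "203.0.113.10", "dst_port": 80},
    {"ts": "2024-05-01T09:06:10", "host": "WS-07", "event": "file_create",
     "image": r"C:\Windows\System32\rundll32.exe", "path": r"C:\ProgramData\svc\drv.sys"},
    {"ts": "2024-05-01T09:07:45", "host": "WS-07", "event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\0123456789ABCDEF0123456789ABCDEF01234567\Blob"},
    {"ts": "2024-05-01T09:08:00", "host": "WS-07", "event": "registry_set",
     "target": r"HKLM\SYSTEM\CurrentControlSet\Control\CI\Policy\Value"},  # assumed path
    # Clean host: interactive shell and browser traffic only.
    {"ts": "2024-05-01T10:00:00", "host": "WS-12", "event": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe"},
    {"ts": "2024-05-01T10:01:00", "host": "WS-12", "event": "network_connect",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dst_ip": "198.51.100.5", "dst_port": 443},
    # Only a Trusted Publisher change: needs a change record before it is closed.
    {"ts": "2024-05-02T11:00:00", "host": "SRV-03", "event": "registry_set",
     "target": r"HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\1234"},
]

if __name__ == "__main__":
    for host, r in correlate(SAMPLE_EVENTS).items():
        print(host, r["verdict"], ", ".join(r["techniques"]))
```

On the constructed input, WS-07 shows all five links inside one window and escalates, WS-12 produces no hits, and SRV-03 lands in review on the strength of a single trust-store write. The allowlists are the tuning surface the list above warns about: every administrative or deployment tool that legitimately spawns cmd.exe, speaks HTTP/S, or writes binaries to staging directories belongs in them, while trust and signing-policy changes are deliberately never allowlisted.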
Mitigation priorities
- Start with incident response readiness: define escalation paths for suspected late-stage persistence or rootkit activity on Windows systems.
- Harden and monitor Windows endpoints for unauthorized driver/service/DLL activity and unexpected command-shell execution.
- Restrict and audit changes to trusted root certificates and code-signing policy controls.
- Limit unnecessary outbound web access and monitor internal proxy or traffic redirection behavior between compromised hosts.
- Maintain phishing defenses and user-reporting workflows because ATT&CK relationships include phishing as an associated initial-access behavior.
Analyst notes and limits
The supplied ATT&CK object identifies Hikit as malware used by Axiom for late-stage persistence and exfiltration after initial compromise. The relationship set provides the best defensive context: it connects Hikit to Windows command execution, rootkit stealth, local data collection, web-based and XOR-encrypted command-and-control, internal proxying, tool transfer, certificate trust changes, code-signing policy modification, phishing, and DLL hijacking. These relationships support a behavior-based detection and response model rather than signature-only coverage.
ATT&CK does not provide official detection guidance for this object, and the object itself lists Windows as the platform while several related techniques have broader platform coverage. This take does not assume current activity, sector exposure, or guaranteed detectability. Local validation is required to determine whether relevant endpoint, network, certificate, code-signing, email, and identity telemetry is actually collected and retained.
Hikit
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1566 | Phishing | Hikit has been spread through spear phishing. (Citation: Novetta-Axiom) |
| Enterprise | T1574.001 | DLL | |
| Enterprise | T1573.001 | Symmetric Cryptography | Hikit performs XOR encryption. (Citation: Novetta-Axiom) |
| Enterprise | T1553.006 | Code Signing Policy Modification | Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component. (Citation: FireEye HIKIT Rootkit Part 2) |
| Enterprise | T1059.003 | Windows Command Shell | Hikit has the ability to create a remote shell and run given commands. (Citation: FireEye HIKIT Rootkit Part 2) |
| Enterprise | T1071.001 | Web Protocols | Hikit has used HTTP for C2. (Citation: FireEye HIKIT Rootkit Part 2) |
| Enterprise | T1553.004 | Install Root Certificate | Hikit installs a self-generated certificate to the local trust store as a root CA and Trusted Publisher. (Citation: Sood and Enbody) |
| Enterprise | T1014 | Rootkit | |
| Enterprise | T1090.001 | Internal Proxy | Hikit supports peer connections. (Citation: Novetta-Axiom) |
| Enterprise | T1005 | Data from Local System | Hikit can upload files from compromised machines. (Citation: Novetta-Axiom) |
| Enterprise | T1105 | Ingress Tool Transfer | Hikit has the ability to download files to a compromised host. (Citation: Novetta-Axiom) |
Groups, software, and campaigns
G0001: Axiom
Axiom is a suspected Chinese cyber espionage group that has targeted the aerospace, defense, government, manufacturing, and media sectors since at least 2008. Some reporting suggests a degree of overlap between Axiom and Winnti Group but the two groups appear to be distinct based on differences in reporting on TTPs and targeting.[1][2][3]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 06fedead2abd… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Novetta-Axiom: Novetta. (n.d.). Operation SMN: Axiom Threat Actor Group Report. Retrieved November 12, 2014.
- [2] FireEye Hikit Rootkit: Glyer, C., Kazanciyan, R. (2012, August 20). The "Hikit" Rootkit: Advanced and Persistent Attack Techniques (Part 1). Retrieved November 17, 2024.
- [3] mitre-attack: S0009
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.