S0018: Sykipot
Analyst context for executives and security teams
Sykipot is a Windows malware family documented by ATT&CK as used in spearphishing campaigns since about 2007, with one reported variant targeting smart cards. Its defensive significance is not just malware removal: the mapped behaviors point to host and network discovery, persistence, process injection, credential collection, MFA/smart-card interception, and encrypted command-and-control. For leaders, this makes Sykipot a useful test case for whether endpoint, identity, and SOC programs can recognize post-compromise discovery and credential risk after an initial phishing-led intrusion.
Executive priority
Prioritize Sykipot-related validation where Windows endpoints, domain accounts, smart-card or MFA-backed access, and sensitive internal networks intersect. The business question is whether existing controls can produce evidence quickly enough to answer: what system was compromised, what accounts or MFA mechanisms may be exposed, what internal systems were enumerated, and whether persistence or encrypted command-and-control was established. Because ATT&CK provides no official detection text for this malware object, coverage should be proven through telemetry and technique-level detections rather than assumed from malware naming alone.
Technical view
SOC and IR teams should validate coverage against the related ATT&CK behaviors: System Service Discovery, System Network Configuration Discovery, Remote System Discovery, System Network Connections Discovery, DLL Injection, Keylogging, Process Discovery, Domain Account Discovery, MFA Interception, Registry Run Keys/Startup Folder persistence, and Asymmetric Cryptography for C2. On Windows, focus on process creation, command-line activity, registry autoruns, module/DLL load and injection indicators, account and domain enumeration, smart-card or MFA interaction evidence where available, and outbound network sessions that may be encrypted outside normal application patterns. Treat detections as behavior-led; the supplied ATT&CK object does not include official indicators or detection logic.
Likely telemetry
- Windows endpoint process creation and command-line logs
- Windows registry autorun and Startup Folder change events
- Endpoint security telemetry for DLL/module loads and process injection behavior
- Authentication, domain account enumeration, and directory service logs
- Smart-card or MFA-related authentication events where deployed
Detection direction
- Validate technique-level analytics for discovery commands and API/tool use rather than relying on a Sykipot malware signature alone.
- Tune for suspicious combinations: spearphishing-adjacent endpoint execution followed by service, process, network, remote system, or domain account discovery.
- Review autorun persistence detections for user-context Run keys and Startup Folder changes on Windows systems.
- Confirm visibility into process injection/DLL injection behaviors and reduce false positives by baselining legitimate security, management, and productivity software.
- For environments using smart cards or MFA, confirm that authentication logs can support investigation of interception or abnormal use; do not assume MFA events alone prove compromise.
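The first two detection bullets above describe behavior-led analytics: discovery commands chained after execution under a phishing-adjacent parent, and writes to user-context Run keys by software that is not an installer. The block below is an added illustration of that logic, not code from the page or from any ATT&CK or Glexia tooling. It runs over a constructed set of Sysmon-style process-creation and registry events (hosts, paths, and timestamps are invented), maps the discovery commands to the technique IDs from this page's relationship table, and raises an alert only when several distinct discovery techniques follow a seed process within a time window, so a lone `ipconfig` does not fire.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    host: str
    kind: str       # "process" (creation) or "registry" (value set)
    parent: str     # parent image for process events; writing image for registry events
    image: str      # created image, or the registry key path for registry events
    cmdline: str = ""   # command line, or the registry value data

# Discovery command fragments mapped to the technique IDs listed on this page.
DISCOVERY = {
    "sc query": "T1007", "net start": "T1007",        # System Service Discovery
    "ipconfig": "T1016",                                # System Network Configuration Discovery
    "net view": "T1018",                                # Remote System Discovery
    "netstat": "T1049",                                 # System Network Connections Discovery
    "tasklist": "T1057",                                # Process Discovery
    "net group": "T1087.002", "net user /domain": "T1087.002",  # Domain Account Discovery
}
# Parents that indicate phishing-adjacent execution (mail client, Office, browsers named on this page).
PHISH_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "iexplore.exe", "firefox.exe"}
RUN_KEY_MARKER = "\\currentversion\\run"             # matches Run and RunOnce under HKCU/HKLM
PERSISTENCE_ALLOWLIST = {"msiexec.exe", "setup.exe"}  # assumed baseline of legitimate writers

def classify_discovery(cmdline):
    """Return the technique ID for a discovery command line, or None."""
    normalized = " ".join(cmdline.lower().split())
    for needle, technique in DISCOVERY.items():
        if needle in normalized:
            return technique
    return None

def find_discovery_chains(events, window=timedelta(minutes=10), min_techniques=3):
    """Alert when a phishing-adjacent child process is followed, on the same host and
    within `window`, by at least `min_techniques` distinct discovery techniques."""
    alerts = []
    by_host = {}
    for e in events:
        by_host.setdefault(e.host, []).append(e)
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e.ts)
        seeds = [e for e in evs if e.kind == "process" and e.parent.lower() in PHISH_PARENTS]
        for seed in seeds:
            seen = {}
            for e in evs:
                if e.kind != "process" or not (seed.ts <= e.ts <= seed.ts + window):
                    continue
                technique = classify_discovery(e.cmdline)
                if technique:
                    seen.setdefault(technique, e.cmdline)
            if len(seen) >= min_techniques:
                alerts.append({"host": host, "seed": f"{seed.parent} -> {seed.image}",
                               "techniques": sorted(seen)})
    return alerts

def find_run_key_persistence(events):
    """Flag Run/RunOnce value writes by any process outside the installer allowlist."""
    hits = []
    for e in events:
        if e.kind != "registry":
            continue
        if RUN_KEY_MARKER in e.image.lower() and e.parent.lower() not in PERSISTENCE_ALLOWLIST:
            hits.append({"host": e.host, "writer": e.parent, "key": e.image, "value": e.cmdline})
    return hits

# Constructed sample telemetry: WS01 shows the suspicious chain, WS02 shows benign noise.
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "WS01", "process", "outlook.exe", "cmd.exe", "cmd.exe /c start"),
    Event(T0 + timedelta(minutes=1), "WS01", "process", "cmd.exe", "ipconfig.exe", "ipconfig /all"),
    Event(T0 + timedelta(minutes=2), "WS01", "process", "cmd.exe", "net.exe", "net view"),
    Event(T0 + timedelta(minutes=3), "WS01", "process", "cmd.exe", "tasklist.exe", "tasklist /v"),
    Event(T0 + timedelta(minutes=4), "WS01", "process", "cmd.exe", "sc.exe", "sc query"),
    Event(T0 + timedelta(minutes=5), "WS01", "registry", "update.exe",
          "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\update",
          "C:\\Users\\alice\\AppData\\Roaming\\update.exe"),
    # WS02: attachment opened, then a single ipconfig from a help-desk session; no alert expected.
    Event(T0 + timedelta(hours=1), "WS02", "process", "outlook.exe", "winword.exe", "winword.exe /n"),
    Event(T0 + timedelta(hours=1, minutes=2), "WS02", "process", "explorer.exe", "ipconfig.exe", "ipconfig"),
    Event(T0 + timedelta(hours=1, minutes=3), "WS02", "registry", "msiexec.exe",
          "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorAgent",
          "C:\\Program Files\\Vendor\\agent.exe"),
]

if __name__ == "__main__":
    for alert in find_discovery_chains(SAMPLE_EVENTS):
        print("discovery chain:", alert)
    for hit in find_run_key_persistence(SAMPLE_EVENTS):
        print("run key persistence:", hit)
```

The threshold and window are tuning knobs: raising `min_techniques` or shrinking `window` trades recall for fewer alerts on admin activity, and `PERSISTENCE_ALLOWLIST` stands in for the baseline of legitimate installers and management agents that the bullets above say should be established before enabling the Run-key analytic.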
Mitigation priorities
- Harden phishing resistance and endpoint execution controls for Windows users most likely to access sensitive systems.
- Ensure least privilege and account segmentation limit the value of domain account discovery and captured credentials.
- Protect smart-card and MFA workflows with strong endpoint hygiene, monitoring, and rapid credential revocation procedures when compromise is suspected.
- Restrict and monitor autorun persistence locations, especially Run keys and Startup Folder paths.
- Maintain EDR or equivalent endpoint visibility for process, registry, module, and network activity needed for incident reconstruction.
Analyst notes and limits
The ATT&CK object identifies Sykipot as Windows malware used in spearphishing campaigns and notes a smart-card-hijacking variant. Relationship context supplies the most useful defensive direction: discovery, credential access, persistence, injection, and command-and-control behaviors. This take intentionally emphasizes validation of those behaviors because the malware object itself has no official detection guidance.
The supplied ATT&CK fields do not provide official detection text, indicators of compromise, current activity status, specific victim exposure, or complete procedure details for each related technique. Local environment telemetry, identity architecture, smart-card/MFA deployment details, and endpoint baselines are required to determine actual risk and coverage.
Sykipot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1007 | System Service Discovery | Sykipot may use |
| Enterprise | T1573.002 | Asymmetric Cryptography Sub-technique | Sykipot uses SSL for encrypting C2 communications. (Citation: Blasco 2013) |
| Enterprise | T1111 | Multi-Factor Authentication Interception | Sykipot is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens. (Citation: Alienvault Sykipot DOD Smart Cards) |
| Enterprise | T1087.002 | Domain Account Sub-technique | Sykipot may use |
| Enterprise | T1057 | Process Discovery | Sykipot may gather a list of running processes by running |
| Enterprise | T1056.001 | Keylogging Sub-technique | Sykipot contains keylogging functionality to steal passwords. (Citation: Alienvault Sykipot DOD Smart Cards) |
| Enterprise | T1018 | Remote System Discovery | Sykipot may use |
| Enterprise | T1049 | System Network Connections Discovery | Sykipot may use |
| Enterprise | T1016 | System Network Configuration Discovery | Sykipot may use |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Sykipot has been known to establish persistence by adding programs to the Run Registry key. (Citation: Blasco 2013) |
| Enterprise | T1055.001 | Dynamic-link Library Injection Sub-technique | Sykipot injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe. (Citation: AlienVault Sykipot 2011) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | 1.1 | Current bundle | 339f79b7b7d4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Alienvault Sykipot DOD Smart Cards: Blasco, J. (2012, January 12). Sykipot variant hijacks DOD and Windows smart cards. Retrieved January 10, 2016.
[2] Blasco 2013: Blasco, J. (2013, March 21). New Sykipot developments [Blog]. Retrieved November 12, 2014.
[3] mitre-attack S0018
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.