
S0246: HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [1]

Enterprise | S0246 | Malware | Object v1.1 | Modified
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

HARDRAIN is a Windows Trojan listed by ATT&CK with reporting from a US-CERT malware analysis report and a relationship to Lazarus Group. Its practical significance is less about a broad ATT&CK detection recipe (MITRE provides no detection text for this object) and more about validating whether Windows endpoint and network monitoring can see the behaviors ATT&CK associates with it: command shell execution, command-and-control traffic that impersonates legitimate services, proxy use, non-standard ports, and Windows host firewall modification.

Executive priority

Treat this as a coverage validation item for Windows intrusion readiness and state-linked malware reporting, not as proof of current exposure. Leaders should ask whether SOC and incident response teams can produce evidence for suspicious command shell activity, unusual outbound network paths, protocol/port mismatches, proxy-like behavior, and unauthorized Windows firewall changes. These are control and audit-relevant questions because gaps affect containment speed, egress control confidence, and the ability to explain what happened during an incident.

Technical view

For SOC, detection engineering, and IR teams, map HARDRAIN-related coverage to the supplied ATT&CK relationships: T1059.003 Windows Command Shell, T1001.003 Protocol or Service Impersonation, T1090 Proxy, T1571 Non-Standard Port, and T1686.003 Windows Host Firewall. Because no official detection guidance is provided for the malware object, validate behavior-level detections rather than relying on a named-malware signature. Prioritize Windows endpoint process telemetry, firewall configuration change monitoring, and network telemetry capable of showing outbound destination, port, protocol characteristics, and proxy patterns.

Likely telemetry

  • Windows process creation telemetry for cmd.exe and child/parent process context
  • Windows command-line logging where available
  • Windows host firewall rule/profile change events
  • Endpoint security alerts or logs related to firewall tampering or command shell abuse
  • Network connection metadata including source host, destination, port, protocol, and timing

Detection direction

  • Build detections around the related behaviors, since the official HARDRAIN object provides no detection section.
  • Tune Windows Command Shell monitoring for unusual parent processes, suspicious command-line use, and command execution by processes that do not normally invoke cmd.exe.
  • Validate alerts for Windows host firewall rule additions, deletions, profile changes, or disabling, with allowlisting for approved administrative tooling and change windows.
  • Review egress analytics for non-standard protocol and port pairings and outbound traffic that appears to impersonate legitimate services.
  • Correlate possible proxy behavior with host, firewall, and network logs to distinguish sanctioned proxy infrastructure from unexpected traffic redirection.

Mitigation priorities

  • Ensure Windows endpoint logging and retention are sufficient for process execution, command line, and firewall configuration changes.
  • Harden and monitor Windows host firewall policy management, including alerting on unauthorized changes.
  • Restrict and monitor outbound network access so non-standard ports and unexpected proxy paths are visible and reviewable.
  • Maintain behavior-based detections for command-and-control evasion patterns rather than depending only on malware names or signatures.
  • Prepare IR playbooks to collect endpoint process history, firewall state, and network egress evidence from affected Windows systems.

Analyst notes and limits

The ATT&CK record identifies HARDRAIN as a Trojan malware variant reportedly used by the North Korean government and includes a relationship showing Lazarus Group uses this object. The most actionable value comes from the linked techniques, especially command shell execution, C2 disguise, proxying, non-standard ports, and Windows firewall modification.

MITRE does not provide official detection text, aliases, labels, or tactics for the HARDRAIN malware object itself. The supplied platform is Windows, while some related techniques list broader platforms; defensive validation should therefore be anchored to Windows for this object unless local evidence supports additional scope. This summary does not assert active exploitation or confirmed attribution in any environment.

Official MITRE ATT&CK definition

HARDRAIN

HARDRAIN is a Trojan malware variant reportedly used by the North Korean government. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure

Enterprise | T1571 | Non-Standard Port

HARDRAIN binds and listens on port 443 with a FakeTLS method. (Citation: US-CERT HARDRAIN March 2018)

Enterprise | T1090 | Proxy

HARDRAIN uses the command cmd.exe /c netsh firewall add portopening TCP 443 "adp" and makes the victim machine function as a proxy server. (Citation: US-CERT HARDRAIN March 2018)

Enterprise | T1059.003 | Windows Command Shell (Sub-technique)

HARDRAIN uses cmd.exe to execute netsh commands. (Citation: US-CERT HARDRAIN March 2018)

Enterprise | T1001.003 | Protocol or Service Impersonation (Sub-technique)

HARDRAIN uses FakeTLS to communicate with its C2 server. (Citation: MAR10135536-F)

Enterprise | T1686.003 | Windows Host Firewall (Sub-technique)

HARDRAIN opens the Windows Firewall to modify incoming connections. (Citation: US-CERT HARDRAIN March 2018)
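The firewall-modification, command-shell and non-standard-port rows above (and the detection direction earlier on this page) can be checked against Windows process-creation telemetry. The Python below is an added example, not part of the ATT&CK record or of Glexia's page; the event fields, the allowlisted parent image and the expected-port set are assumptions for a workstation fleet, and the sample events are constructed.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # Sysmon Event ID 1-style fields (constructed, not real telemetry)
    host: str
    parent_image: str
    image: str
    command_line: str

# Legacy "netsh firewall add portopening" syntax (the form in the ATT&CK procedure text) and the newer "netsh advfirewall firewall add rule" syntax (protocol before localport).
PORTOPENING_RE = re.compile(r"netsh\s+firewall\s+add\s+portopening\s+(TCP|UDP)\s+(\d+)", re.I)
ADVFIREWALL_ADD_RE = re.compile(
    r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*?protocol=(TCP|UDP)\b.*?localport=(\d+)", re.I)
FIREWALL_OFF_RE = re.compile(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", re.I)

APPROVED_PARENTS = {"configmgr.exe"}   # assumed: approved change-management tooling
EXPECTED_LISTEN_PORTS = {135, 445}     # assumed: ports a workstation normally serves on

def classify(ev: ProcEvent) -> list[str]:
    """Return finding labels for one event; an empty list means nothing to raise."""
    if ev.parent_image.lower() in APPROVED_PARENTS:
        return []                                  # allowlisted admin tooling
    findings: list[str] = []
    m = PORTOPENING_RE.search(ev.command_line) or ADVFIREWALL_ADD_RE.search(ev.command_line)
    if m:
        proto, port = m.group(1).upper(), int(m.group(2))
        findings.append(f"T1686.003 firewall rule opened {proto}/{port}")
        if port not in EXPECTED_LISTEN_PORTS:      # e.g. 443 opened inbound on a workstation
            findings.append(f"T1571 unexpected inbound port {port}")
        if ev.image.lower() == "cmd.exe":          # netsh driven through cmd.exe /c
            findings.append("T1059.003 netsh invoked via cmd.exe")
    if FIREWALL_OFF_RE.search(ev.command_line):
        findings.append("T1686.003 host firewall disabled")
    return findings

def scan(events: list[ProcEvent]) -> dict[str, list[str]]:
    """Map host -> findings for every event that produced at least one finding."""
    return {ev.host: f for ev in events if (f := classify(ev))}

# Constructed sample telemetry: a HARDRAIN-like event, benign cmd.exe use, an approved admin change, and a firewall-disable command from an unknown parent.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "svchost.exe", "cmd.exe",
              'cmd.exe /c netsh firewall add portopening TCP 443 "adp"'),
    ProcEvent("WS02", "explorer.exe", "cmd.exe", "cmd.exe /c dir"),
    ProcEvent("WS03", "ConfigMgr.exe", "netsh.exe",
              'netsh advfirewall firewall add rule name="Agent" dir=in action=allow protocol=TCP localport=10123'),
    ProcEvent("WS04", "unknown.exe", "netsh.exe", "netsh advfirewall set allprofiles state off"),
]
```

Running scan(SAMPLE_EVENTS) returns findings for WS01 and WS04 only; the expected-port set and parent allowlist must be tuned per environment, since 443 is legitimate on servers that actually host HTTPS.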

Associated objects

Groups, software, and campaigns

Group Enterprise

G0032: Lazarus Group

Lazarus Group is a North Korean state-sponsored cyber threat group attributed to the Reconnaissance General Bureau (RGB). [1] [2] Lazarus Group has been active since at least 2009 and is reportedly responsible for the November 2014 destructive wiper attack on Sony Pictures Entertainment, identified by Novetta as part of Operation Blockbuster. Malware used by Lazarus Group correlates to other reported campaigns, including Operation Flame, Operation 1Mission, Operation Troy, DarkSeoul, and Ten Days of Rain.[3]

North Korea’s cyber operations have shown a consistent pattern of adaptation, forming and reorganizing units as national priorities shift. These units frequently share personnel, infrastructure, malware, and tradecraft, making it difficult to attribute specific operations with high confidence. Public reporting often uses “Lazarus Group” as an umbrella term for multiple North Korean cyber operators conducting espionage, destructive attacks, and financially motivated campaigns.[4][5][6]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 4595d7a17b5499b1...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 4595d7a17b54…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] US-CERT HARDRAIN March 2018
     US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018.
  2. [2] HARDRAIN
     (Citation: US-CERT HARDRAIN March 2018)
  3. [3] mitre-attack S0246

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.