S0391: HAWKBALL
Analyst context for executives and security teams
HAWKBALL is a Windows backdoor documented by ATT&CK as observed against the government sector in Central Asia, with the supplied reference describing delivery via Microsoft Office vulnerabilities. Its ATT&CK relationships make it business-relevant because it combines initial client-side execution, Windows command execution, discovery, web-protocol command-and-control, collection, exfiltration over C2, obfuscation, and file deletion. For leaders, the key issue is not the malware name itself, but whether endpoint, network, vulnerability, and incident response programs can prove they would see and contain this pattern of activity.
Executive priority
Prioritize HAWKBALL as a readiness use case for Windows endpoint compromise involving vulnerable client applications, backdoor communications over common web protocols, and potential data loss over the same C2 channel. Executives should ask whether Microsoft Office/client application patching is measurable, whether SOC teams can correlate suspicious document-driven execution with outbound web traffic and discovery commands, and whether IR teams can preserve evidence when malware deletes files. This supports resilience, audit evidence, and risk-based control prioritization without assuming current exposure or active exploitation.
Technical view
Validate coverage around the supplied Windows-focused behavior chain: exploitation for client execution, Dynamic Data Exchange, Windows Command Shell, Native API usage, system and user discovery, encoded/encrypted files, custom archiving, web-protocol C2, exfiltration over C2, and file deletion. Since ATT&CK provides no official detection text for HAWKBALL, detection engineering should map analytics to these related techniques rather than relying on a malware-specific signature. Focus on correlations such as Office or document-handling processes spawning cmd.exe, unusual discovery activity, suspicious encoded or encrypted artifacts, unexpected archive-like data preparation, outbound HTTP/S-like communications from endpoints, and subsequent cleanup or file deletion.
Likely telemetry
- Windows endpoint process creation and parent-child process lineage, especially client applications and cmd.exe
- Endpoint file creation, modification, deletion, and evidence of encoded/encrypted or archive-like artifacts
- Windows command-line telemetry for user and system discovery activity
- Network proxy, DNS, firewall, and web traffic metadata for outbound web-protocol communications
- EDR or host telemetry showing Native API-adjacent process, memory, or file behaviors where available
Detection direction
- Build or validate behavior-based detections mapped to the related ATT&CK techniques rather than depending on HAWKBALL-specific indicators, because no official detection guidance is supplied.
- Tune for suspicious Office/client-application execution chains, including document-handling processes invoking command shell or triggering DDE-like execution behavior; account for legitimate automation to reduce false positives.
- Correlate endpoint discovery commands with outbound web-protocol traffic to identify possible backdoor tasking and exfiltration over the same channel.
- Review network monitoring blind spots where HTTP/S-like traffic from endpoints is allowed but not inspected, logged, or tied back to process context.
- Include file deletion and artifact cleanup in alert triage so responders do not treat missing dropped files as absence of compromise.
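As an added worked example (not code from ATT&CK, Glexia or the cited FireEye report), the following Python script implements the correlation the list above asks for over a constructed, Sysmon-style JSON event stream: it walks process lineage to find a command shell with an Office-family ancestor (including the Equation Editor component named in the techniques table), tags discovery commands on that shell's command line, and looks for outbound web-port traffic from the same host within a short window. The event field names, the Office process list, the discovery keyword list and the sample events are all assumptions made for this example, not telemetry from any real environment.

```python
"""Correlate document-driven shell execution, discovery commands and outbound
web traffic on Windows endpoints (added example; assumed event schema)."""
import json
from datetime import datetime, timedelta

# Assumed Office-family images; eqnedt32.exe is the Equation Editor component.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "eqnedt32.exe"}
SHELLS = {"cmd.exe"}
# Built-in commands typical of system/user discovery (T1082, T1033).
DISCOVERY_TOKENS = {"whoami", "systeminfo", "hostname", "ver"}
WEB_PORTS = {80, 443, 8080}

# Constructed sample telemetry (newline-delimited JSON, not real logs).
SAMPLE_LOG = """\
{"type":"process","ts":"2024-01-15T09:00:01Z","host":"WS01","pid":4120,"ppid":3300,"image":"winword.exe","cmdline":"winword.exe /n report.doc"}
{"type":"process","ts":"2024-01-15T09:00:03Z","host":"WS01","pid":4200,"ppid":4120,"image":"eqnedt32.exe","cmdline":"eqnedt32.exe -Embedding"}
{"type":"process","ts":"2024-01-15T09:00:04Z","host":"WS01","pid":4210,"ppid":4200,"image":"cmd.exe","cmdline":"cmd.exe /c whoami & ver"}
{"type":"network","ts":"2024-01-15T09:00:09Z","host":"WS01","pid":4210,"dst":"203.0.113.7","dport":80}
{"type":"process","ts":"2024-01-15T09:05:00Z","host":"WS02","pid":5100,"ppid":900,"image":"cmd.exe","cmdline":"cmd.exe /c hostname"}
{"type":"network","ts":"2024-01-15T09:05:02Z","host":"WS02","pid":5100,"dst":"198.51.100.9","dport":443}
{"type":"process","ts":"2024-01-15T09:06:58Z","host":"WS03","pid":6000,"ppid":3300,"image":"excel.exe","cmdline":"excel.exe /e"}
{"type":"process","ts":"2024-01-15T09:07:00Z","host":"WS03","pid":6100,"ppid":6000,"image":"cmd.exe","cmdline":"cmd.exe /c dir"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events and return them sorted by time."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return sorted(events, key=lambda e: e["time"])


def office_ancestor(proc, by_pid, max_depth=4):
    """Walk the parent chain on the same host; return the first Office-family
    image found, or None. Note: pid reuse is not handled in this toy index."""
    cur = proc
    for _ in range(max_depth):
        parent = by_pid.get((cur["host"], cur.get("ppid")))
        if parent is None:
            return None
        if parent["image"].lower() in OFFICE_PARENTS:
            return parent["image"].lower()
        cur = parent
    return None


def discovery_tokens(cmdline):
    """Return the sorted discovery commands present on a command line."""
    tokens = {t.lower() for t in cmdline.replace("&", " ").split()}
    return sorted(DISCOVERY_TOKENS & tokens)


def correlate(events, window=timedelta(minutes=5)):
    """Emit one finding per shell with an Office ancestor; add stages for
    discovery on its command line and web-port egress from the host within
    the window, and grade severity by how many stages were observed."""
    procs = [e for e in events if e["type"] == "process"]
    nets = [e for e in events if e["type"] == "network"]
    by_pid = {(e["host"], e["pid"]): e for e in procs}
    severity = {1: "medium", 2: "high", 3: "critical"}
    findings = []
    for shell in procs:
        if shell["image"].lower() not in SHELLS:
            continue
        ancestor = office_ancestor(shell, by_pid)
        if ancestor is None:
            continue  # shells without a document-handling ancestor are out of scope here
        stages = ["office_spawned_shell"]
        found = discovery_tokens(shell["cmdline"])
        if found:
            stages.append("discovery")
        egress = [n for n in nets
                  if n["host"] == shell["host"] and n["dport"] in WEB_PORTS
                  and shell["time"] <= n["time"] <= shell["time"] + window]
        if egress:
            stages.append("web_egress")
        findings.append({"host": shell["host"], "ancestor": ancestor,
                         "shell_pid": shell["pid"], "discovery": found,
                         "stages": stages, "severity": severity[len(stages)]})
    return findings


if __name__ == "__main__":
    for f in correlate(parse_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

In the constructed sample, WS01 produces a critical finding (Office lineage, discovery, then web egress), WS03 a medium one (Office lineage only), and WS02 none because its shell has no document-handling ancestor even though it ran a discovery command and reached a web port. Where the EDR ties network events to process lineage, match egress on the shell's descendants rather than on the whole host to cut noise from legitimate automation, as the tuning note above advises.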
Mitigation priorities
- Keep Windows client applications, including Microsoft Office where applicable, under strong vulnerability and patch management because the supplied reference describes delivery via Office vulnerabilities and the object relates to client exploitation.
- Harden document execution paths and restrict risky inter-process or command execution behavior where business operations allow, including controls relevant to DDE and command shell abuse.
- Apply least privilege and endpoint hardening to reduce the value of successful client-side execution and limit follow-on command execution.
- Ensure egress controls, proxy logging, and web traffic governance can support investigation of command-and-control and exfiltration over web protocols.
- Maintain endpoint logging retention and IR evidence preservation procedures to handle cases where malware or operators delete files.
Analyst notes and limits
The strongest decision value comes from the relationships: HAWKBALL is linked to execution, discovery, stealth, collection, command-and-control, and exfiltration behaviors. The official ATT&CK object identifies it as a Windows backdoor and the external reference notes government-sector targeting in Central Asia and Microsoft Office vulnerability delivery. Treat this as a scenario for validating Windows endpoint, web telemetry, patch management, and IR readiness, not as proof of current activity in any specific environment.
ATT&CK provides no official detection text, no aliases, no tactics directly on the malware object, and no indicators of compromise in the supplied fields. The object’s platform is Windows, while some related techniques list broader platforms; this take does not extend HAWKBALL itself beyond Windows. Local telemetry, asset exposure, vulnerability status, and business process context are required to determine actual risk and detection coverage.
HAWKBALL
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1559.002 | Dynamic Data Exchange Sub-technique | HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode. [1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | HAWKBALL has encrypted the payload with an XOR-based algorithm. [1] |
| Enterprise | T1082 | System Information Discovery | HAWKBALL can collect the OS version, architecture information, and computer name. [1] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | HAWKBALL has used HTTP to communicate with a single hard-coded C2 server. [1] |
| Enterprise | T1033 | System Owner/User Discovery | HAWKBALL can collect the user name of the system. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | HAWKBALL has sent system information and files over the C2 channel. [1] |
| Enterprise | T1560.003 | Archive via Custom Method Sub-technique | HAWKBALL has encrypted data with XOR before sending it over the C2 channel. [1] |
| Enterprise | T1203 | Exploitation for Client Execution | HAWKBALL has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line. [1] |
| Enterprise | T1070.004 | File Deletion Sub-technique | HAWKBALL has the ability to delete files. [1] |
| Enterprise | T1106 | Native API | HAWKBALL has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | ade9db1d24ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] FireEye HAWKBALL Jun 2019: Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019.
- [2] HAWKBALL (Citation: FireEye HAWKBALL Jun 2019)
- [3] mitre-attack S0391
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.