S0649: SMOKEDHAM
Analyst context for executives and security teams
SMOKEDHAM matters because it represents a Windows PowerShell/.NET backdoor with behavior that spans execution, persistence, discovery, credential collection, command-and-control, tool transfer, and exfiltration patterns. MITRE notes it has been used by at least one ransomware-as-a-service affiliate, so the defensive value is less about a single malware name and more about validating whether the organization can see and contain a PowerShell-enabled intrusion path before it supports data theft, persistence, or ransomware follow-on activity.
Executive priority
Treat SMOKEDHAM as a test case for ransomware-readiness and Windows endpoint visibility. Leaders should ask whether security teams can prove coverage for suspicious PowerShell activity, registry-based persistence, local account and group changes, user discovery, screen/keylogging-style collection indicators, and web-based C2/exfiltration. The priority is business resilience: if these behaviors are not logged, retained, and triaged reliably, incident responders may struggle to determine scope, credential exposure, and whether data left the environment.
Technical view
ATT&CK does not provide object-specific detection guidance for SMOKEDHAM, but the relationship set gives clear validation targets. SOC and IR teams should focus on Windows telemetry for PowerShell execution, .NET/script artifacts, embedded payload patterns, registry modification and Run Key persistence, local account creation or group membership changes, system/user discovery commands, and outbound web traffic consistent with C2, web services, domain fronting, standard encoding, symmetric encryption, ingress tool transfer, or exfiltration over the C2 channel. Because the object is described as a PowerShell-based .NET backdoor, endpoint process, script, registry, identity, and network evidence should be correlated rather than reviewed in isolation.
Likely telemetry
- Windows endpoint process creation and command-line telemetry, especially PowerShell and child processes
- PowerShell script block, module, and transcript logging where enabled
- Windows Registry auditing for Run Keys, startup locations, and other persistence-related modifications
- Local account creation, local/domain group membership changes, and hidden or unusual account indicators
- Authentication and identity logs tied to newly created or modified accounts
Detection direction
- Validate that PowerShell logging is enabled, centrally collected, and retained long enough to support ransomware investigations.
- Tune detections around suspicious PowerShell execution chains, encoded content, unusual .NET loading, embedded payload behavior, and PowerShell launching network or persistence actions.
- Correlate registry Run Key/startup changes with the creating process and user context; avoid treating registry alerts as standalone evidence.
- Monitor local account creation and group additions, especially when paired with PowerShell, registry changes, or remote access activity.
- Review outbound web traffic for mismatches or anomalies consistent with web protocols, web services, domain fronting, encoded payloads, or encrypted C2; account for high false-positive potential from normal SaaS/CDN traffic.
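The correlation the items above call for, as an added example that is not part of the page, Glexia's analysis or MITRE's content: constructed Windows Security (4688, 4720, 4732) and Sysmon (13) event records from one host are tagged with the PowerShell, Run-key, local-account and hidden-account behaviours listed on this page and only raised together, anchored on the first PowerShell execution. The two registry paths are the well-known Windows locations for those behaviours and are assumed, since the page does not name them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Registry paths for the Run-key persistence and hidden-account behaviours listed
# on this page (well-known Windows locations, assumed: the page does not name them).
RUN_KEY = r"\microsoft\windows\currentversion\run"
HIDDEN_USER_KEY = r"\winlogon\specialaccounts\userlist"
# Security 4720: local account created; 4732: member added to a local group
ACCOUNT_EVENTS = {4720: "account_created", 4732: "admin_group_add"}

def classify(e):
    # Map one event record to a behaviour tag, or None if it is not of interest.
    eid, d = e["id"], e["data"]
    target = d.get("target", "").lower()                  # Sysmon 13: registry value set
    if eid == 4688 and "powershell" in d.get("image", "").lower():
        return "powershell_exec"                          # Security 4688: process creation
    if eid == 13 and HIDDEN_USER_KEY in target:
        return "hidden_user"
    if eid == 13 and RUN_KEY in target:
        return "runkey_persistence"
    return ACCOUNT_EVENTS.get(eid)

def correlate(events, window=timedelta(minutes=30), min_tags=3):
    """{host: sorted tags} for hosts with >= min_tags distinct behaviours within `window` of the first PowerShell run."""
    by_host = defaultdict(list)
    for e in events:
        tag = classify(e)
        if tag:
            by_host[e["host"]].append((e["time"], tag))
    hits = {}
    for host, items in by_host.items():
        starts = [t for t, tag in items if tag == "powershell_exec"]
        if not starts:
            continue                                      # no PowerShell anchor: registry/account changes alone do not alert
        start = min(starts)
        tags = {tag for t, tag in items if start <= t <= start + window}
        if len(tags) >= min_tags:
            hits[host] = sorted(tags)
    return hits

# Constructed sample telemetry (not real logs): WS01 shows the whole chain, WS02 only a lone Run-key write.
T0 = datetime(2021, 6, 16, 9, 0)
def ev(host, minutes, eid, **data):
    return {"host": host, "time": T0 + timedelta(minutes=minutes), "id": eid, "data": data}
SAMPLE = [
    ev("WS01", 0, 4688, image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ev("WS01", 2, 13, target=r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    ev("WS01", 5, 4720, user="svc_backup"),
    ev("WS01", 6, 4732, group="Administrators", member="svc_backup"),
    ev("WS01", 7, 13, target=r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\svc_backup"),
    ev("WS02", 0, 13, target=r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"),
]
```

Running `correlate(SAMPLE)` flags only WS01 with all five tags; WS02's isolated Run-key write is left for baseline review rather than alerting on its own.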
Mitigation priorities
- Prioritize PowerShell hardening and monitoring on Windows systems, including reducing unnecessary script execution and improving logging visibility.
- Restrict and monitor local administrator rights, local account creation, and group membership changes to reduce persistence and privilege-escalation opportunities.
- Harden registry persistence locations through least privilege, change monitoring, and response playbooks for suspicious Run Key/startup modifications.
- Control egress paths and inspect web proxy/DNS/TLS metadata where appropriate to improve visibility into web-based C2 and exfiltration patterns.
- Strengthen phishing-link resilience with user reporting, email/web filtering, and rapid investigation workflows, since related behavior includes malicious and spearphishing links.
Analyst notes and limits
The official object identifies SMOKEDHAM as a PowerShell-based .NET backdoor first reported in May 2021 and cites FireEye reporting, including use by at least one ransomware-as-a-service affiliate. ATT&CK tactics are not specified for the malware object itself, so practical guidance is derived from the supplied technique relationships. The strongest defensive use is as a coverage review across Windows endpoint monitoring, identity change auditing, persistence detection, and web-based C2/exfiltration visibility.
No official detection text, aliases, labels, or object-level tactics were supplied. Several related techniques list platforms beyond Windows, but the SMOKEDHAM object itself is supplied only with Windows as its platform; platform conclusions should therefore remain Windows-focused. Local environment baselines, logging configuration, retention, and EDR/proxy capabilities are required to determine actual detection coverage.
SMOKEDHAM
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | SMOKEDHAM has encrypted its C2 traffic with RC4. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1564.002 | Hidden Users Sub-technique | SMOKEDHAM has modified the Registry to hide created user accounts from the Windows logon screen. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1132.001 | Standard Encoding Sub-technique | SMOKEDHAM has encoded its C2 traffic with Base64. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1136.001 | Local Account Sub-technique | SMOKEDHAM has created user accounts. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1112 | Modify Registry | SMOKEDHAM has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1098.007 | Additional Local or Domain Groups Sub-technique | SMOKEDHAM has added user accounts to local Admin groups. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1102 | Web Service | SMOKEDHAM has used Google Drive and Dropbox to host files downloaded by victims via malicious links. (Citation: FireEye Shining A Light on DARKSIDE May 2021) |
| Enterprise | T1082 | System Information Discovery | SMOKEDHAM has used the |
| Enterprise | T1204.001 | Malicious Link Sub-technique | SMOKEDHAM has relied upon users clicking on a malicious link delivered through phishing. (Citation: FireEye Shining A Light on DARKSIDE May 2021) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | SMOKEDHAM has communicated with its C2 servers via HTTPS and HTTP POST requests. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1056.001 | Keylogging Sub-technique | SMOKEDHAM can continuously capture keystrokes. (Citation: FireEye Shining A Light on DARKSIDE May 2021) (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | SMOKEDHAM has used |
| Enterprise | T1033 | System Owner/User Discovery | SMOKEDHAM has used |
| Enterprise | T1598.003 | Spearphishing Link Sub-technique | SMOKEDHAM has been delivered via malicious links in phishing emails. (Citation: FireEye Shining A Light on DARKSIDE May 2021) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | SMOKEDHAM has exfiltrated data to its C2 server. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1027.009 | Embedded Payloads Sub-technique | The SMOKEDHAM source code is embedded in the dropper as an encrypted string. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1113 | Screen Capture | SMOKEDHAM can capture screenshots of the victim’s desktop. (Citation: FireEye Shining A Light on DARKSIDE May 2021) (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1059.001 | PowerShell Sub-technique | SMOKEDHAM can execute PowerShell commands sent from its C2 server. (Citation: FireEye SMOKEDHAM June 2021) |
| Enterprise | T1087.001 | Local Account Sub-technique | SMOKEDHAM has used |
| Enterprise | T1090.004 | Domain Fronting Sub-technique | SMOKEDHAM has used a fronted domain to obfuscate its hard-coded C2 server domain. (Citation: FireEye SMOKEDHAM June 2021) |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a9248c5057ce… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FireEye Shining A Light on DARKSIDE May 2021: FireEye. (2021, May 11). Shining a Light on DARKSIDE Ransomware Operations. Retrieved September 22, 2021.
[2] FireEye SMOKEDHAM June 2021: FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021.
[3] SMOKEDHAM (Citation: FireEye Shining A Light on DARKSIDE May 2021) (Citation: FireEye SMOKEDHAM June 2021)
[4] mitre-attack S0649
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.