S0698: HermeticWizard
HermeticWizard is a worm that has been used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022.[1]
Analyst context for executives and security teams
HermeticWizard matters because ATT&CK identifies it as a Windows worm used to spread HermeticWiper in attacks against organizations in Ukraine since at least 2022. For leaders, the key issue is not just malware detection; it is whether a Windows estate can resist and contain rapid internal propagation that uses common administration paths such as SMB/admin shares, WMI, services, command shell, and signed or proxy-executed binaries.
Executive priority
Prioritize this as a resilience and containment scenario. The supplied ATT&CK relationships point to discovery, credential guessing, lateral movement, execution through Windows administration mechanisms, obfuscation, code signing abuse, and Windows event log clearing. Executives should ask whether the organization can prove it collects the right Windows, identity, SMB, WMI, service-control, and network telemetry centrally, and whether incident responders can quickly scope lateral spread before destructive payload delivery affects business continuity.
Technical view
HermeticWizard is a Windows malware object with no ATT&CK-provided detection text, so validation should be relationship-driven. SOC and IR teams should test visibility for remote system and network service discovery, SMB/Windows Admin Share access, lateral tool transfer, WMI execution, cmd.exe execution, native API/COM activity where visible, service creation or execution, regsvr32/rundll32 proxy execution, password guessing, suspicious code-signing trust, encrypted or encoded files, legitimate-looking resource names or locations, and Windows event log clearing. Because many of these are also legitimate administration behaviors, detections should correlate sequence, source host, account context, remote target volume, and file movement rather than rely on single-event alerts.
Likely telemetry
- Windows process creation and command-line telemetry for cmd.exe, regsvr32.exe, rundll32.exe, service-control utilities, and WMI-related execution
- Windows Security, System, Application, and WMI-related event logs, preferably forwarded centrally
- SMB session, admin share, file creation, and remote file copy evidence
- Authentication logs showing failed and successful logons, especially repeated guessing patterns and remote administrative access
- Network connection and flow data that can reveal internal host discovery, service discovery, and scanning behavior
Detection direction
- Build detections around chained behavior: discovery followed by authentication attempts, SMB/admin share access, file transfer, remote execution, and log clearing.
- Tune WMI, service execution, regsvr32, rundll32, and command shell analytics against known administration baselines to reduce false positives while preserving visibility into unusual source hosts, accounts, and target fan-out.
- Validate that event forwarding survives local log clearing; T1685.005 makes local-only logs a material blind spot.
- Review allowlisting and trust decisions for signed binaries and Microsoft proxy execution utilities, since the relationships include code signing and regsvr32/rundll32 abuse.
- Hunt for lateral movement using SMB and Windows Admin Shares combined with new files appearing on multiple hosts or execution from administrative paths.
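As an added illustration of the chained-behavior approach described in the list above (example code written for this page, not anything from ATT&CK, ESET or Glexia), the Python below scores a small set of constructed, normalized Windows events per target host and only reports hosts where several stages of the propagation chain coincide. The event IDs are real Windows Security/System IDs; the record field names (`id`, `src`, `dst`, `user`, `share`, `cmd`) and the sample values are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample events, not real telemetry. 4625/4624 = failed/successful
# logon, 5140 = network share accessed, 7045 = new service installed,
# 4688 = process creation with command line. Field names are assumptions.
SAMPLE_EVENTS = [
    {"id": 4625, "src": "WS01", "dst": "SRV01", "user": "admin"},
    {"id": 4625, "src": "WS01", "dst": "SRV01", "user": "administrator"},
    {"id": 4625, "src": "WS01", "dst": "SRV01", "user": "user"},
    {"id": 4624, "src": "WS01", "dst": "SRV01", "user": "administrator"},
    {"id": 5140, "src": "WS01", "dst": "SRV01", "share": "\\\\*\\ADMIN$"},
    {"id": 4688, "src": "SRV01", "dst": "SRV01",
     "cmd": "regsvr32.exe /s /i C:\\windows\\exec_32.dll"},
    {"id": 4688, "src": "SRV01", "dst": "SRV01", "cmd": "wevtutil cl system"},
    # Benign helpdesk session: one logon and one share access, nothing else.
    {"id": 4624, "src": "ADMINWS", "dst": "SRV02", "user": "helpdesk"},
    {"id": 5140, "src": "ADMINWS", "dst": "SRV02", "share": "\\\\*\\C$"},
]

ADMIN_SHARES = re.compile(r"\\(ADMIN\$|C\$)$")
PROXY_EXEC = re.compile(r"(regsvr32|rundll32)\.exe.*\s/i", re.IGNORECASE)
LOG_CLEAR = re.compile(r"wevtutil(\.exe)?\s+cl\b", re.IGNORECASE)


def score_chain(events, min_failures=3, min_stages=3):
    """Return {target_host: sorted stage names} for hosts where at least
    min_stages of the chain (guessing -> admin share -> proxy/service
    execution -> log clearing) are observed. Logon and share events are
    attributed by (source, target) pair; process events by target host."""
    failures = defaultdict(int)   # (src, dst) -> failed logon count
    stages = defaultdict(set)     # dst -> stages seen on that host
    for ev in events:
        eid, src, dst = ev["id"], ev["src"], ev["dst"]
        if eid == 4625:
            failures[(src, dst)] += 1
            if failures[(src, dst)] >= min_failures:
                stages[dst].add("password_guessing")
        elif eid == 5140 and ADMIN_SHARES.search(ev.get("share", "")):
            stages[dst].add("admin_share_access")
        elif eid == 7045:
            stages[dst].add("remote_execution")
        elif eid == 4688:
            cmd = ev.get("cmd", "")
            if PROXY_EXEC.search(cmd):
                stages[dst].add("remote_execution")
            if LOG_CLEAR.search(cmd):
                stages[dst].add("log_clearing")
    return {h: sorted(s) for h, s in stages.items() if len(s) >= min_stages}
```

Raising `min_stages` trades recall for precision; the benign SRV02 session only ever reaches one stage, so it never alerts at the default threshold.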
Mitigation priorities
- Start with containment controls for Windows lateral movement: restrict SMB/admin share exposure, limit remote administration paths, and segment systems where business impact would be high.
- Reduce credential risk through least privilege, strong password policy, lockout or throttling where appropriate, and tighter control of accounts allowed to administer multiple hosts.
- Harden and monitor WMI, service control, command shell, regsvr32, and rundll32 usage rather than assuming they are benign because they are native Windows components.
- Centralize security logging and protect log pipelines so Windows Event Log clearing does not erase the only evidence available to responders.
- Use application control and code-signing policy carefully, recognizing that signed code can still be abused when signing materials are acquired or misused.
Analyst notes and limits
The strongest decision value comes from the relationships: HermeticWizard is associated with techniques that form a plausible propagation chain across Windows environments. Treat it as a coverage assessment for Windows lateral movement and destructive-malware staging readiness, not as a single indicator-based detection problem.
ATT&CK provides no official detection text for this malware object, no aliases, and no malware-level tactics. The description only supports historical use to spread HermeticWiper against organizations in Ukraine since at least 2022. Local validation is required to determine exposure, telemetry coverage, detections, and applicable business risk.
HermeticWizard
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | HermeticWizard can use a list of hardcoded credentials to authenticate via NTLMSSP to the SMB shares on remote systems.[1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | HermeticWizard can use `cmd.exe` for execution on compromised hosts.[1] |
| Enterprise | T1553.002 | Code Signing Sub-technique | HermeticWizard has been signed by valid certificates assigned to Hermetica Digital.[1] |
| Enterprise | T1569.002 | Service Execution Sub-technique | HermeticWizard can use `OpenRemoteServiceManager` to create a service.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | HermeticWizard has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll.[1] |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | HermeticWizard has the ability to use `wevtutil cl system` to clear event logs.[1] |
| Enterprise | T1110.001 | Password Guessing Sub-technique | HermeticWizard can use a list of hardcoded credentials in an attempt to authenticate to SMB shares.[1] |
| Enterprise | T1106 | Native API | HermeticWizard can connect to remote shares using `WNetAddConnection2W`.[1] |
| Enterprise | T1018 | Remote System Discovery | HermeticWizard can find machines on the local network by gathering known local IP addresses through `DNSGetCacheDataTable`, `GetIpNetTable`, `WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)`, `NetServerEnum`, `GetTcpTable`, and `GetAdaptersAddresses`.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | HermeticWizard can use WMI to create a new process on a remote machine via `C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\ |
| Enterprise | T1046 | Network Service Discovery | HermeticWizard has the ability to scan ports on a compromised network.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | HermeticWizard can copy files to other machines on a compromised network.[1] |
| Enterprise | T1218.010 | Regsvr32 Sub-technique | HermeticWizard has used `regsvr32.exe /s /i` to execute malicious payloads.[1] |
| Enterprise | T1559.001 | Component Object Model Sub-technique | HermeticWizard can execute files on remote machines using DCOM.[1] |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | HermeticWizard has the ability to encrypt PE files with a reverse XOR loop.[1] |
| Enterprise | T1218.011 | Rundll32 Sub-technique | HermeticWizard has the ability to create a new process using `rundll32`.[1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 400d9c11eace… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] ESET Hermetic Wizard March 2022. ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022.
- [2] mitre-attack S0698.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.