Name | Description |
---|---|
Sensocode |
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .002 | Access Token Manipulation: Create Process with Token |
ZxShell has a command called RunAs, which creates a new process as another user or process context.[2] |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols | |
.002 | Application Layer Protocol: File Transfer Protocols | |||
Enterprise | T1059 | .003 | Command and Scripting Interpreter: Windows Command Shell | |
Enterprise | T1136 | .001 | Create Account: Local Account | |
Enterprise | T1543 | .003 | Create or Modify System Process: Windows Service |
ZxShell can create a new service using the service parser function ProcessScCommand.[2] |
Enterprise | T1499 | Endpoint Denial of Service |
ZxShell has a feature to perform SYN flood attack on a host.[1][2] |
|
Enterprise | T1083 | File and Directory Discovery |
ZxShell has a command to open a file manager and explorer on the system.[2] |
|
Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools | |
.004 | Impair Defenses: Disable or Modify System Firewall |
ZxShell can disable the firewall by modifying the registry key |
||
Enterprise | T1070 | .001 | Indicator Removal on Host: Clear Windows Event Logs | |
.004 | Indicator Removal on Host: File Deletion | |||
Enterprise | T1105 | Ingress Tool Transfer |
ZxShell has a command to transfer files from a remote host.[2] |
|
Enterprise | T1056 | .001 | Input Capture: Keylogging |
ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[1][2] |
.004 | Input Capture: Credential API Hooking |
ZxShell hooks several API functions to spawn system threads.[2] |
||
Enterprise | T1046 | Network Service Scanning | ||
Enterprise | T1057 | Process Discovery |
ZxShell has a command, ps, to obtain a listing of processes on the system.[2] |
|
Enterprise | T1055 | .001 | Process Injection: Dynamic-link Library Injection | |
Enterprise | T1090 | Proxy | ||
Enterprise | T1012 | Query Registry |
ZxShell can query the netsvc group value data located in the svchost group Registry key.[2] |
|
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol | |
.005 | Remote Services: VNC | |||
Enterprise | T1113 | Screen Capture | ||
Enterprise | T1218 | .011 | Signed Binary Proxy Execution: Rundll32 |
ZxShell has used rundll32.exe to execute other DLLs and named pipes.[2] |
Enterprise | T1082 | System Information Discovery |
ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[2] |
|
Enterprise | T1033 | System Owner/User Discovery |
ZxShell can collect the owner and organization information from the target workstation.[2] |
|
Enterprise | T1007 | System Service Discovery | ||
Enterprise | T1125 | Video Capture |
ID | Name | References |
---|---|---|
G0096 | APT41 | |
G0001 | Axiom | |
G0027 | Threat Group-3390 |