| Name | Description |
|---|---|
| Sensocode | |

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1112 | Modify Registry | ZxShell can create Registry entries to enable services to run.[2] |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | ZxShell can create a new service using the service parser function ProcessScCommand.[2] |
| Enterprise | T1136.001 | Create Account: Local Account | |
| Enterprise | T1190 | Exploit Public-Facing Application | ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | ZxShell can disable the firewall by modifying the registry key |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1083 | File and Directory Discovery | ZxShell has a command to open a file manager and explorer on the system.[2] |
| Enterprise | T1106 | Native API | ZxShell can leverage native API including |
| Enterprise | T1012 | Query Registry | ZxShell can query the netsvc group value data located in the svchost group Registry key.[2] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | ZxShell has used rundll32.exe to execute other DLLs and named pipes.[2] |
| Enterprise | T1082 | System Information Discovery | ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[2] |
| Enterprise | T1033 | System Owner/User Discovery | ZxShell can collect the owner and organization information from the target workstation.[2] |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1499 | Endpoint Denial of Service | ZxShell has a feature to perform a SYN flood attack on a host.[1][2] |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1125 | Video Capture | |
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | ZxShell has a command called RunAs, which creates a new process as another user or process context.[2] |
| Enterprise | T1105 | Ingress Tool Transfer | ZxShell has a command to transfer files from a remote host.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[1][2] |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | ZxShell hooks several API functions to spawn system threads.[2] |
| Enterprise | T1057 | Process Discovery | ZxShell has a command, ps, to obtain a listing of processes on the system.[2] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1021.005 | Remote Services: VNC | |
| Enterprise | T1571 | Non-Standard Port | ZxShell can use ports 1985 and 1986 in HTTP/S communication.[2] |