ZxShell

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[1][2]

ID: S0412
Associated Software: Sensocode
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 24 September 2019
Last Modified: 16 April 2025

Associated Software Descriptions

Name       Description
Sensocode  [2]


Techniques Used

Domain | ID | Name | Use

Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token

ZxShell has a command called RunAs, which creates a new process as another user or process context.[2]

Enterprise | T1071.001 | Application Layer Protocol: Web Protocols

ZxShell has used HTTP for C2 connections.[2]

Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols

ZxShell has used FTP for C2 connections.[2]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

ZxShell can launch a reverse command shell.[1][2][3]

Enterprise | T1136.001 | Create Account: Local Account

ZxShell has a feature to create local user accounts.[2]

Enterprise | T1543.003 | Create or Modify System Process: Windows Service

ZxShell can create a new service using the service parser function ProcessScCommand.[2]

Enterprise | T1005 | Data from Local System

ZxShell can transfer files from a compromised host.[2]

Enterprise | T1499 | Endpoint Denial of Service

ZxShell has a feature to perform a SYN flood attack on a host.[1][2]

Enterprise | T1190 | Exploit Public-Facing Application

ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[2]

Enterprise | T1083 | File and Directory Discovery

ZxShell has a command to open a file manager and explorer on the system.[2]

Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools

ZxShell can kill AV products' processes.[2]

Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall

ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.[2]

Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs

ZxShell has a command to clear system event logs.[2]

Enterprise | T1070.004 | Indicator Removal: File Deletion

ZxShell can delete files from the system.[1][2]

Enterprise | T1105 | Ingress Tool Transfer

ZxShell has a command to transfer files from a remote host.[2]

Enterprise | T1056.001 | Input Capture: Keylogging

ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[1][2]

Enterprise | T1056.004 | Input Capture: Credential API Hooking

ZxShell hooks several API functions to spawn system threads.[2]

Enterprise | T1112 | Modify Registry

ZxShell can create Registry entries to enable services to run.[2]

Enterprise | T1106 | Native API

ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.

Enterprise | T1046 | Network Service Discovery

ZxShell can launch port scans.[1][2]

Enterprise | T1571 | Non-Standard Port

ZxShell can use ports 1985 and 1986 in HTTP/S communication.[2]

Enterprise | T1057 | Process Discovery

ZxShell has a command, ps, to obtain a listing of processes on the system.[2]

Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection

ZxShell is injected into a shared SVCHOST process.[2]

Enterprise | T1090 | Proxy

ZxShell can set up an HTTP or SOCKS proxy.[1][2]

Enterprise | T1012 | Query Registry

ZxShell can query the netsvc group value data located in the svchost group Registry key.[2]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol

ZxShell has remote desktop functionality.[2]

Enterprise | T1021.005 | Remote Services: VNC

ZxShell supports functionality for VNC sessions.[2]

Enterprise | T1113 | Screen Capture

ZxShell can capture screenshots.[1]

Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32

ZxShell has used rundll32.exe to execute other DLLs and named pipes.[2]

Enterprise | T1082 | System Information Discovery

ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[2]

Enterprise | T1033 | System Owner/User Discovery

ZxShell can collect the owner and organization information from the target workstation.[2]

Enterprise | T1007 | System Service Discovery

ZxShell can check the services on the system.[2]

Enterprise | T1569.002 | System Services: Service Execution

ZxShell can create a new service for execution.[2]

Enterprise | T1125 | Video Capture

ZxShell has a command to perform video device spying.[2]
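The registry-side behaviours in the table above (the firewall StandardProfile key write under T1562.004, service registration via the Registry under T1543.003 and T1112, and the svchost netsvcs group that a DLL-hosted service must be listed in) can be turned into detection logic over Sysmon Event ID 13 (RegistryEvent: Value Set) records. The following is an added example, not code from the ATT&CK page or from ZxShell itself. Assumptions beyond the page: Sysmon-style field names (EventID, Image, TargetObject, Details), EnableFirewall as the value written under StandardProfile, the standard Svchost\netsvcs group value, and constructed sample events with a made-up service name.

```python
"""Flag Sysmon Event ID 13 registry writes matching ZxShell's documented
firewall (T1562.004) and service-registration (T1543.003 / T1112) behaviour.

Added example, not ATT&CK or ZxShell code. Assumed: Sysmon field names,
EnableFirewall as the StandardProfile value, the Svchost\netsvcs group value.
"""
import re
from dataclasses import dataclass

FIREWALL_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")
SVCHOST_GROUPS_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_ROOT = r"HKLM\SYSTEM\CurrentControlSet\Services" + "\\"
# Directories a service DLL is expected to live in; anything else is suspect.
TRUSTED_DLL_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


@dataclass
class Finding:
    technique: str
    reason: str
    target: str
    image: str


def normalize(path: str) -> str:
    """Fold hive aliases and ControlSetNNN so prefix comparisons work."""
    path = path.replace("HKEY_LOCAL_MACHINE\\", "HKLM\\")
    return re.sub(r"^HKLM\\SYSTEM\\ControlSet\d{3}\\",
                  r"HKLM\\SYSTEM\\CurrentControlSet\\", path, flags=re.I)


def check_event(ev: dict):
    """Return a Finding for one Sysmon event, or None if it is not of interest."""
    if ev.get("EventID") != 13:
        return None
    target = normalize(ev.get("TargetObject", ""))
    low = target.lower()
    details = str(ev.get("Details", ""))
    image = ev.get("Image", "")

    if low.startswith(FIREWALL_KEY.lower() + "\\"):
        value = target.rsplit("\\", 1)[-1]
        if value.lower() == "enablefirewall" and re.fullmatch(r"DWORD \(0x0+\)", details, re.I):
            return Finding("T1562.004", "firewall disabled: StandardProfile\\EnableFirewall set to 0", target, image)
        return Finding("T1562.004", "write under the firewall StandardProfile policy key", target, image)

    if low.startswith(SVCHOST_GROUPS_KEY.lower() + "\\"):
        # A DLL-hosted service runs inside a shared svchost only if its name is in one
        # of these REG_MULTI_SZ group lists, so edits here are rare and telling.
        return Finding("T1112", "svchost service-group list modified", target, image)

    if low.startswith(SERVICES_ROOT.lower()):
        parts = target[len(SERVICES_ROOT):].split("\\")  # <svc>\Parameters\ServiceDll
        if len(parts) >= 3 and parts[1].lower() == "parameters" and parts[2].lower() == "servicedll":
            if not details.lower().startswith(TRUSTED_DLL_DIRS):
                return Finding("T1543.003", f"ServiceDll outside System32: {details}", target, image)
    return None


def detect(events) -> list:
    return [f for f in map(check_event, events) if f is not None]


# Constructed sample events (not real telemetry); "zxsvc" is a made-up service name.
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetObject": FIREWALL_KEY + r"\EnableFirewall", "Details": "DWORD (0x00000000)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\services.exe",  # benign: start-type edit
     "TargetObject": SERVICES_ROOT + r"Spooler\Start", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\zxsvc\Parameters\ServiceDll",
     "Details": r"C:\Windows\Temp\zx.dll"},
    {"EventID": 13, "Image": r"C:\Windows\System32\rundll32.exe",
     "TargetObject": SVCHOST_GROUPS_KEY + r"\netsvcs", "Details": r"AppMgmt\0zxsvc\0"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe"},  # not a registry event
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason} ({f.image} -> {f.target})")
```

Toggling the firewall from the Control Panel or by Group Policy also writes EnableFirewall, so the first rule is a lead rather than a verdict: pair it with the writing process (Image) and the logged-on user before alerting. The ServiceDll rule deliberately reports the DLL path, since a service DLL outside System32 or SysWOW64 is the detail an analyst needs to pivot on.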

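The network-side rows above (ports 1985 and 1986 under T1571, C2 from the shared SVCHOST that ZxShell is injected into under T1055.001, and rundll32 execution under T1218.011) combine into one set of rules over Sysmon Event ID 3 (NetworkConnect) records. The following is an added example, not code from the ATT&CK page or from ZxShell itself. Assumptions beyond the page: Sysmon-style field names, that legitimate svchost.exe traffic to the Internet is limited to ports 80 and 443 (an allowlist to tune per environment), and constructed sample events that use documentation address ranges in place of real Internet hosts.

```python
"""Flag Sysmon Event ID 3 network connections matching ZxShell's documented
ports (T1571), svchost-hosted C2 (T1055.001) and rundll32 egress (T1218.011).

Added example, not ATT&CK or ZxShell code. Assumed: Sysmon field names and
an 80/443-only allowlist for svchost.exe Internet traffic.
"""
import ipaddress
from dataclasses import dataclass

ZXSHELL_PORTS = {1985, 1986}
SVCHOST_EXPECTED_PORTS = {80, 443}   # Windows Update, telemetry, etc.; tune locally
# Address ranges treated as "inside". Listed explicitly so the documentation
# ranges used in the samples (203.0.113.0/24, 198.51.100.0/24) count as Internet.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass
class Finding:
    technique: str
    reason: str
    image: str
    flow: str


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def check_connection(ev: dict) -> list:
    """Return zero or more Findings for one Sysmon network-connection event."""
    if ev.get("EventID") != 3:
        return []
    findings = []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    initiated = str(ev.get("Initiated", "true")).lower() == "true"
    sport, dport = int(ev["SourcePort"]), int(ev["DestinationPort"])
    flow = f"{ev['SourceIp']}:{sport} -> {ev['DestinationIp']}:{dport}"
    # For outbound events the remote peer is the destination; for inbound, the source.
    remote_ip = ev["DestinationIp"] if initiated else ev["SourceIp"]

    # Either direction: the ZxShell ports are unusual whoever opened the socket.
    if ZXSHELL_PORTS & {sport, dport}:
        findings.append(Finding("T1571", "traffic on ZxShell port 1985/1986", image, flow))
    # Process-context rules only make sense for connections this host initiated.
    if (initiated and image == "svchost.exe" and not is_internal(remote_ip)
            and dport not in SVCHOST_EXPECTED_PORTS):
        findings.append(Finding("T1055.001", "shared svchost to Internet on unexpected port", image, flow))
    if initiated and image == "rundll32.exe" and not is_internal(remote_ip):
        findings.append(Finding("T1218.011", "rundll32 initiating Internet connection", image, flow))
    return findings


def detect(events) -> list:
    return [f for ev in events for f in check_connection(ev)]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "SourceIp": "192.168.1.20", "SourcePort": 49812, "DestinationIp": "203.0.113.10", "DestinationPort": 1985},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "Initiated": "true",
     "SourceIp": "192.168.1.20", "SourcePort": 49813, "DestinationIp": "203.0.113.20", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",  # internal SMB, benign
     "SourceIp": "192.168.1.20", "SourcePort": 49814, "DestinationIp": "10.0.0.5", "DestinationPort": 445},
    {"EventID": 3, "Image": r"C:\Windows\System32\rundll32.exe", "Initiated": "true",
     "SourceIp": "192.168.1.20", "SourcePort": 49815, "DestinationIp": "198.51.100.7", "DestinationPort": 8080},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",  # allowlisted port
     "SourceIp": "192.168.1.20", "SourcePort": 49816, "DestinationIp": "203.0.113.30", "DestinationPort": 80},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "Initiated": "false",  # inbound to a listener
     "SourceIp": "203.0.113.40", "SourcePort": 50123, "DestinationIp": "192.168.1.20", "DestinationPort": 1986},
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"{f.technique}: {f.reason} [{f.image}] {f.flow}")
```

The port rule is cheap but brittle (the operator can change the port); the svchost rule is the durable one, because a DLL injected into a shared svchost inherits that image name and any egress it creates to the Internet on a port outside the allowlist stands out once the allowlist is tuned to the environment's real Windows Update and telemetry traffic.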
Groups That Use This Software

References
