| Name | Description |
|---|---|
| Sensocode | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1134.002 | Access Token Manipulation: Create Process with Token | ZxShell has a command called RunAs, which creates a new process as another user or process context.[2] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1071.002 | Application Layer Protocol: File Transfer Protocols | |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1136.001 | Create Account: Local Account | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | ZxShell can create a new service using the service parser function ProcessScCommand.[2] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1499 | Endpoint Denial of Service | ZxShell has a feature to perform a SYN flood attack on a host.[1][2] |
| Enterprise | T1190 | Exploit Public-Facing Application | ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[2] |
| Enterprise | T1083 | File and Directory Discovery | ZxShell has a command to open a file manager and explorer on the system.[2] |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | |
| Enterprise | T1562.004 | Impair Defenses: Disable or Modify System Firewall | ZxShell can disable the firewall by modifying the registry key |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1105 | Ingress Tool Transfer | ZxShell has a command to transfer files from a remote host.[2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | ZxShell has a feature to capture a remote computer's keystrokes using a keylogger.[1][2] |
| Enterprise | T1056.004 | Input Capture: Credential API Hooking | ZxShell hooks several API functions to spawn system threads.[2] |
| Enterprise | T1112 | Modify Registry | ZxShell can create Registry entries to enable services to run.[2] |
| Enterprise | T1106 | Native API | ZxShell can leverage native API including |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1571 | Non-Standard Port | ZxShell can use ports 1985 and 1986 in HTTP/S communication.[2] |
| Enterprise | T1057 | Process Discovery | ZxShell has a command, ps, to obtain a listing of processes on the system.[2] |
| Enterprise | T1055.001 | Process Injection: Dynamic-link Library Injection | |
| Enterprise | T1090 | Proxy | |
| Enterprise | T1012 | Query Registry | ZxShell can query the netsvc group value data located in the svchost group Registry key.[2] |
| Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol | |
| Enterprise | T1021.005 | Remote Services: VNC | |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1218.011 | System Binary Proxy Execution: Rundll32 | ZxShell has used rundll32.exe to execute other DLLs and named pipes.[2] |
| Enterprise | T1082 | System Information Discovery | ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[2] |
| Enterprise | T1033 | System Owner/User Discovery | ZxShell can collect the owner and organization information from the target workstation.[2] |
| Enterprise | T1007 | System Service Discovery | |
| Enterprise | T1569.002 | System Services: Service Execution | |
| Enterprise | T1125 | Video Capture | |