{"description": "Enterprise techniques used by Denis, ATT&CK software S0354 (v1.2)", "name": "Denis (S0354)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.004", "comment": "[Denis](https://attack.mitre.org/software/S0354) has used DNS tunneling for C2 communications.(Citation: Cybereason Oceanlotus May 2017)(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[Denis](https://attack.mitre.org/software/S0354) compressed collected data using zlib.(Citation: Securelist Denis April 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Denis](https://attack.mitre.org/software/S0354) has a version written in PowerShell.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Denis](https://attack.mitre.org/software/S0354) can launch a remote shell to execute arbitrary commands on the victim\u2019s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Denis](https://attack.mitre.org/software/S0354) encodes the data sent to the server in Base64.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Denis](https://attack.mitre.org/software/S0354) will decrypt important strings used for C&C communication.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff",
"showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Denis](https://attack.mitre.org/software/S0354) has several commands to search directories for files.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "comment": "[Denis](https://attack.mitre.org/software/S0354) replaces the nonexistent Windows DLL \"msfte.dll\" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Denis](https://attack.mitre.org/software/S0354) exploits a security vulnerability to load a fake DLL and execute its code.(Citation: Cybereason Oceanlotus May 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Denis](https://attack.mitre.org/software/S0354) has a command to delete files from the victim\u2019s machine.(Citation: Cybereason Oceanlotus May 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Denis](https://attack.mitre.org/software/S0354) deploys additional backdoors and hacking tools to the system.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Denis](https://attack.mitre.org/software/S0354) used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. [Denis](https://attack.mitre.org/software/S0354) used GetProcAddress and LoadLibrary to dynamically resolve APIs. [Denis](https://attack.mitre.org/software/S0354) also used the Wow64SetThreadContext API as part of a process hollowing process.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Denis](https://attack.mitre.org/software/S0354) obfuscates its code and encrypts the API names.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "[Denis](https://attack.mitre.org/software/S0354) has encoded its PowerShell commands in Base64.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.012", "comment": "[Denis](https://attack.mitre.org/software/S0354) performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Denis](https://attack.mitre.org/software/S0354) queries the Registry for keys and values.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[Denis](https://attack.mitre.org/software/S0354) collects OS information and the computer name from the victim\u2019s machine.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Denis](https://attack.mitre.org/software/S0354) uses ipconfig to gather the IP address from the system.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Denis](https://attack.mitre.org/software/S0354) enumerates and collects the username from the victim\u2019s machine.(Citation: Securelist Denis April 2017)(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Denis](https://attack.mitre.org/software/S0354) ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.(Citation: Cybereason Cobalt Kitty 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Denis", "color": "#66b1ff"}]}