{"description": "Enterprise techniques used by ZxShell, ATT&CK software S0412 (v1.2)", "name": "ZxShell (S0412)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.002", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command called RunAs, which creates a new process as another user or process context.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has used HTTP for C2 connections.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has used FTP for C2 connections.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can launch a reverse command shell.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014)(Citation: Secureworks BRONZEUNION Feb 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a feature to create local user accounts.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can create a new service using the service parser function ProcessScCommand.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can transfer files from a compromised host.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1499", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a feature to perform SYN flood attack on a host.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command to open a file manager and explorer on the system.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can kill AV products' processes.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can disable the firewall by modifying the registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command to clear system event logs.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can delete files from the system.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command to transfer files from a remote host.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a feature to capture a remote computer's keystrokes using a keylogger.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1056.004", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) hooks several API functions to spawn system threads.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can create Registry entries to enable services to run.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can leverage native API including RegisterServiceCtrlHandler  to register a service.RegisterServiceCtrlHandler ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can launch port scans.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1571", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can use ports 1985 and 1986 in HTTP/S communication.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command, ps, to obtain a listing of processes on the system.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) is injected into a shared SVCHOST process.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can set up an HTTP or SOCKS proxy.(Citation: FireEye APT41 Aug 2019)(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can query the netsvc group value data located in the svchost group Registry key.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has remote desktop functionality.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.005", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) supports functionality for VNC sessions.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can capture screenshots.(Citation: FireEye APT41 Aug 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has used rundll32.exe to execute other DLLs and named pipes.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can collect the local hostname, operating system details, CPU speed, and total physical memory.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can collect the owner and organization information from the target workstation.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can check the services on the system.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) can create a new service for execution.(Citation: Talos ZxShell Oct 2014)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1125", "comment": "[ZxShell](https://attack.mitre.org/software/S0412) has a command to perform video device spying.(Citation: Talos ZxShell Oct 2014) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ZxShell", "color": "#66b1ff"}]}