
S0350 zwShell

zwShell is a remote access tool (RAT) written in Delphi that has been seen in the wild since the spring of 2010 and used by threat actors during Night Dragon.[1]

| Item | Value |
|---|---|
| ID | S0350 |
| Associated Names | |
| Version | 2.0 |
| Created | 30 January 2019 |
| Last Modified | 22 September 2022 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | zwShell can launch command-line shells.[1] |
| enterprise | T1543 | Create or Modify System Process | - |
| enterprise | T1543.003 | Windows Service | zwShell has established persistence by adding itself as a new service.[1] |
| enterprise | T1083 | File and Directory Discovery | zwShell can browse the file system.[1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | zwShell has deleted itself after creating a service as well as deleted a temporary file when the system reboots.[1] |
| enterprise | T1112 | Modify Registry | zwShell can modify the Registry.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | zwShell has used RDP for lateral movement.[1] |
| enterprise | T1021.002 | SMB/Windows Admin Shares | zwShell has been copied over network shares to move laterally.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | zwShell has used SchTasks for execution.[1] |
| enterprise | T1082 | System Information Discovery | zwShell can obtain the victim PC name and OS version.[1] |
| enterprise | T1016 | System Network Configuration Discovery | zwShell can obtain the victim IP address.[1] |
| enterprise | T1033 | System Owner/User Discovery | zwShell can obtain the name of the logged-in user on the victim.[1] |