
S0412 ZxShell

ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[2][1]

Item Value
ID S0412
Associated Names Sensocode
Version 1.2
Created 24 September 2019
Last Modified 23 March 2023

Associated Software Descriptions

Name Description
Sensocode [1]

Techniques Used

Domain ID Name Use
enterprise T1134 Access Token Manipulation -
enterprise T1134.002 Create Process with Token ZxShell has a command called RunAs, which creates a new process as another user or process context.[1]
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols ZxShell has used HTTP for C2 connections.[1]
enterprise T1071.002 File Transfer Protocols ZxShell has used FTP for C2 connections.[1]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.003 Windows Command Shell ZxShell can launch a reverse command shell.[2][1][3]
enterprise T1136 Create Account -
enterprise T1136.001 Local Account ZxShell has a feature to create local user accounts.[1]
enterprise T1543 Create or Modify System Process -
enterprise T1543.003 Windows Service ZxShell can create a new service using the service parser function ProcessScCommand.[1]
enterprise T1005 Data from Local System ZxShell can transfer files from a compromised host.[1]
enterprise T1499 Endpoint Denial of Service ZxShell has a feature to perform a SYN flood attack on a host.[2][1]
enterprise T1190 Exploit Public-Facing Application ZxShell has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322.[1]
enterprise T1083 File and Directory Discovery ZxShell has a command to open a file manager and explorer on the system.[1]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools ZxShell can kill AV products’ processes.[1]
enterprise T1562.004 Disable or Modify System Firewall ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile.[1]
enterprise T1070 Indicator Removal -
enterprise T1070.001 Clear Windows Event Logs ZxShell has a command to clear system event logs.[1]
enterprise T1070.004 File Deletion ZxShell can delete files from the system.[2][1]
enterprise T1105 Ingress Tool Transfer ZxShell has a command to transfer files from a remote host.[1]
enterprise T1056 Input Capture -
enterprise T1056.001 Keylogging ZxShell has a feature to capture a remote computer’s keystrokes using a keylogger.[2][1]
enterprise T1056.004 Credential API Hooking ZxShell hooks several API functions to spawn system threads.[1]
enterprise T1112 Modify Registry ZxShell can create Registry entries to enable services to run.[1]
enterprise T1106 Native API ZxShell can leverage native API including RegisterServiceCtrlHandler to register a service.
enterprise T1046 Network Service Discovery ZxShell can launch port scans.[2][1]
enterprise T1571 Non-Standard Port ZxShell can use ports 1985 and 1986 in HTTP/S communication.[1]
enterprise T1057 Process Discovery ZxShell has a command, ps, to obtain a listing of processes on the system.[1]
enterprise T1055 Process Injection -
enterprise T1055.001 Dynamic-link Library Injection ZxShell is injected into a shared SVCHOST process.[1]
enterprise T1090 Proxy ZxShell can set up an HTTP or SOCKS proxy.[2][1]
enterprise T1012 Query Registry ZxShell can query the netsvc group value data located in the svchost group Registry key.[1]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol ZxShell has remote desktop functionality.[1]
enterprise T1021.005 VNC ZxShell supports functionality for VNC sessions.[1]
enterprise T1113 Screen Capture ZxShell can capture screenshots.[2]
enterprise T1218 System Binary Proxy Execution -
enterprise T1218.011 Rundll32 ZxShell has used rundll32.exe to execute other DLLs and named pipes.[1]
enterprise T1082 System Information Discovery ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory.[1]
enterprise T1033 System Owner/User Discovery ZxShell can collect the owner and organization information from the target workstation.[1]
enterprise T1007 System Service Discovery ZxShell can check the services on the system.[1]
enterprise T1569 System Services -
enterprise T1569.002 Service Execution ZxShell can create a new service for execution.[1]
enterprise T1125 Video Capture ZxShell has a command to perform video device spying.[1]

Groups That Use This Software

ID Name References
G0096 APT41 [2]
G0001 Axiom [1][4]
G0027 Threat Group-3390 [3]