Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1071 | .004 | Application Layer Protocol: DNS |
Denis has used DNS tunneling for C2 communications.[1][2][3] |
Enterprise | T1560 | .002 | Archive Collected Data: Archive via Library | |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell | |
.003 | Command and Scripting Interpreter: Windows Command Shell |
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[1][3] |
||
Enterprise | T1132 | .001 | Data Encoding: Standard Encoding | |
Enterprise | T1140 | Deobfuscate/Decode Files or Information |
Denis will decrypt important strings used for C&C communication.[3] |
|
Enterprise | T1083 | File and Directory Discovery |
Denis has several commands to search directories for files.[1][3] |
|
Enterprise | T1574 | Hijack Execution Flow |
Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.[3] |
|
.002 | DLL Side-Loading |
Denis exploits a security vulnerability to load a fake DLL and execute its code.[1] |
||
Enterprise | T1070 | .004 | Indicator Removal: File Deletion |
Denis has a command to delete files from the victim’s machine.[1][3] |
Enterprise | T1105 | Ingress Tool Transfer |
Denis deploys additional backdoors and hacking tools to the system.[3] |
|
Enterprise | T1106 | Native API |
Denis used the |
|
Enterprise | T1027 | Obfuscated Files or Information | ||
.010 | Command Obfuscation | |||
Enterprise | T1055 | .012 | Process Injection: Process Hollowing |
Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.[3] |
Enterprise | T1012 | Query Registry | ||
Enterprise | T1082 | System Information Discovery |
Denis collects OS information and the computer name from the victim’s machine.[2][3] |
|
Enterprise | T1016 | System Network Configuration Discovery |
Denis uses |
|
Enterprise | T1033 | System Owner/User Discovery |
Denis enumerates and collects the username from the victim’s machine.[2][3] |
|
Enterprise | T1497 | .001 | Virtualization/Sandbox Evasion: System Checks |
Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.[3] |