Denis is a Windows backdoor and Trojan.[1]

ID: S0354
Platforms: Windows
Version: 1.0
Created: 30 January 2019
Last Modified: 24 April 2019

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[1][2]

Enterprise T1043 Commonly Used Port

Denis uses port 53 for C2 communications.[1]

Enterprise T1002 Data Compressed

Denis compressed collected data using zlib.[3]

Enterprise T1132 Data Encoding

Denis encodes the data sent to the server in Base64.[2]

Enterprise T1140 Deobfuscate/Decode Files or Information

Denis will decrypt important strings used for C&C communication.[2]

Enterprise T1073 DLL Side-Loading

Denis exploits a security vulnerability to load a fake DLL and execute its code.[1]

Enterprise T1083 File and Directory Discovery

Denis has several commands to search directories for files.[1][2]

Enterprise T1107 File Deletion

Denis has a command to delete files from the victim’s machine.[1][2]

Enterprise T1027 Obfuscated Files or Information

Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64.[3][2]

Enterprise T1055 Process Injection

Denis injects its payload into Windows host processes.[2]

Enterprise T1012 Query Registry

Denis queries the Registry for keys and values.[2]

Enterprise T1105 Remote File Copy

Denis deploys additional backdoors and hacking tools to the system.[2]

Enterprise T1064 Scripting

Denis executes shellcode on the victim's machine.[2]

Enterprise T1071 Standard Application Layer Protocol

Denis has used DNS tunneling for C2 communications.[1][3]

Enterprise T1082 System Information Discovery

Denis collects OS information and the computer name from the victim’s machine.[3][2]

Enterprise T1016 System Network Configuration Discovery

Denis uses ipconfig to gather the IP address from the system.[2]

Enterprise T1033 System Owner/User Discovery

Denis collects the username from the victim’s machine.[3]

Groups That Use This Software

ID Name References
G0050 APT32 [1] [2]