Register to stream ATT&CKcon 2.0 October 29-30


Denis is a Windows backdoor and Trojan.[1]

ID: S0354
Platforms: Windows
Version: 1.0

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface Denis can launch a remote shell to execute arbitrary commands on the victim’s machine. [1] [2]
Enterprise T1043 Commonly Used Port Denis uses port 53 for C2 communications. [1]
Enterprise T1002 Data Compressed Denis compressed collected data using zlib. [3]
Enterprise T1132 Data Encoding Denis encodes the data sent to the server in Base64. [2]
Enterprise T1140 Deobfuscate/Decode Files or Information Denis will decrypt important strings used for C&C communication. [2]
Enterprise T1073 DLL Side-Loading Denis exploits a security vulnerability to load a fake DLL and execute its code. [1]
Enterprise T1083 File and Directory Discovery Denis has several commands to search directories for files. [1] [2]
Enterprise T1107 File Deletion Denis has a command to delete files from the victim’s machine. [1] [2]
Enterprise T1027 Obfuscated Files or Information Denis obfuscates its code and encrypts the API names. Denis also encodes its payload in Base64. [3] [2]
Enterprise T1055 Process Injection Denis injects its payload into Windows host processes. [2]
Enterprise T1012 Query Registry Denis queries the Registry for keys and values. [2]
Enterprise T1105 Remote File Copy Denis deploys additional backdoors and hacking tools to the system. [2]
Enterprise T1064 Scripting Denis executes shellcode on the victim's machine. [2]
Enterprise T1071 Standard Application Layer Protocol Denis has used DNS tunneling for C2 communications. [1] [3]
Enterprise T1082 System Information Discovery Denis collects OS information and the computer name from the victim’s machine. [3] [2]
Enterprise T1016 System Network Configuration Discovery Denis uses ipconfig to gather the IP address from the system. [2]
Enterprise T1033 System Owner/User Discovery Denis collects the username from the victim’s machine. [3]

Groups That Use This Software

ID Name References
G0050 APT32 [1] [2]