ZxShell is a remote administration tool and backdoor that can be downloaded from the Internet, particularly from Chinese hacker websites. It has been used since at least 2004.[1][2]

ID: S0412
Associated Software: Sensocode
Platforms: Windows
Version: 1.0
Created: 24 September 2019
Last Modified: 14 October 2019

Associated Software Descriptions

Name Description
Sensocode [2]

Techniques Used

Domain ID Name Use
Enterprise T1134 Access Token Manipulation

ZxShell has a command called RunAs, which creates a new process as another user or process context. [2]

Enterprise T1059 Command-Line Interface

ZxShell can launch a reverse command shell.[1][2][3]

Enterprise T1043 Commonly Used Port

ZxShell uses common ports such as 80 and 443 for C2.[2]

Enterprise T1090 Connection Proxy

ZxShell can set up an HTTP or SOCKS proxy. [1][2]

Enterprise T1136 Create Account

ZxShell has a feature to create local user accounts.[2]

Enterprise T1089 Disabling Security Tools

ZxShell can disable the firewall by modifying the registry key HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile, and it can kill AV products' processes. [2]

Enterprise T1499 Endpoint Denial of Service

ZxShell has a feature to perform a SYN flood attack on a host. [1][2]

Enterprise T1083 File and Directory Discovery

ZxShell has a command to open a file manager and explorer on the system. [2]

Enterprise T1107 File Deletion

ZxShell can delete files from the system. [1][2]

Enterprise T1179 Hooking

ZxShell hooks several API functions to spawn system threads. [2]

Enterprise T1070 Indicator Removal on Host

ZxShell has a command to clear system event logs. [2]

Enterprise T1056 Input Capture

ZxShell has a feature to capture a remote computer's keystrokes using a keylogger. [1][2]

Enterprise T1046 Network Service Scanning

ZxShell can launch port scans. [1][2]

Enterprise T1050 New Service

ZxShell can create a new service using the service parser function ProcessScCommand. [2]

Enterprise T1057 Process Discovery

ZxShell has a command, ps, to obtain a listing of processes on the system. [2]

Enterprise T1055 Process Injection

ZxShell is injected into a shared SVCHOST process. [2]

Enterprise T1012 Query Registry

ZxShell can query the netsvc group value data located in the svchost group Registry key. [2]

Enterprise T1076 Remote Desktop Protocol

ZxShell has remote desktop functionality. [2]

Enterprise T1105 Remote File Copy

ZxShell has a command to transfer files from a remote host. [2]

Enterprise T1021 Remote Services

ZxShell supports functionality for VNC sessions. [2]

Enterprise T1085 Rundll32

ZxShell has used rundll32.exe to execute other DLLs and named pipes. [2]

Enterprise T1113 Screen Capture

ZxShell can capture screenshots.[1]

Enterprise T1071 Standard Application Layer Protocol

ZxShell has used HTTP and FTP for connections. [2]

Enterprise T1082 System Information Discovery

ZxShell can collect the local hostname, operating system details, CPU speed, and total physical memory. [2]

Enterprise T1033 System Owner/User Discovery

ZxShell can collect the owner and organization information from the target workstation. [2]

Enterprise T1007 System Service Discovery

ZxShell can check the services on the system. [2]

Enterprise T1065 Uncommonly Used Port

ZxShell uses ports 1985 and 1986 for communication. [2]

Enterprise T1125 Video Capture

ZxShell has a command to perform video device spying. [2]

Groups That Use This Software

ID Name References
G0096 APT41 [1]
G0001 Axiom [2]
G0027 Threat Group-3390 [3]