Denis
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1574 | 劫持执行流 |
Denis replaces the nonexistent Windows DLL "msfte.dll" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe.[2] |
|
| .002 | DLL Side-Loading |
Denis exploits a security vulnerability to load a fake DLL and execute its code.[1] |
||
| Enterprise | T1140 | 反混淆/解码文件或信息 |
Denis will decrypt important strings used for C&C communication.[2] |
|
| Enterprise | T1059 | .001 | 命令与脚本解释器: PowerShell | |
| .003 | 命令与脚本解释器: Windows Command Shell |
Denis can launch a remote shell to execute arbitrary commands on the victim’s machine.[1][2] |
||
| Enterprise | T1071 | .004 | 应用层协议: DNS |
Denis has used DNS tunneling for C2 communications.[1][3][2] |
| Enterprise | T1560 | .002 | 归档收集数据: Archive via Library | |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding | |
| Enterprise | T1083 | 文件和目录发现 |
Denis has several commands to search directories for files.[1][2] |
|
| Enterprise | T1106 | 本机API |
Denis used the |
|
| Enterprise | T1012 | 查询注册表 | ||
| Enterprise | T1027 | 混淆文件或信息 | ||
| .010 | Command Obfuscation | |||
| Enterprise | T1070 | .004 | 移除指标: File Deletion |
Denis has a command to delete files from the victim’s machine.[1][2] |
| Enterprise | T1082 | 系统信息发现 |
Denis collects OS information and the computer name from the victim’s machine.[3][2] |
|
| Enterprise | T1033 | 系统所有者/用户发现 |
Denis enumerates and collects the username from the victim’s machine.[3][2] |
|
| Enterprise | T1016 | 系统网络配置发现 |
Denis uses |
|
| Enterprise | T1497 | .001 | 虚拟化/沙盒规避: System Checks |
Denis ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis.[2] |
| Enterprise | T1105 | 输入工具传输 |
Denis deploys additional backdoors and hacking tools to the system.[2] |
|
| Enterprise | T1055 | .012 | 进程注入: Process Hollowing |
Denis performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext.[2] |