S1014: DanBot
Analyst context for executives and security teams
DanBot matters because ATT&CK describes it as a Windows first-stage remote access Trojan used by HEXANE. Even without MITRE-provided detection text, its related behaviors point to a practical intrusion chain: phishing attachment execution, Windows command/VB activity, scheduled-task persistence, local data collection, remote access via VNC, file cleanup, and web/DNS command-and-control. For leaders, this is a useful test case for whether endpoint, email, network, and identity controls can connect early-stage access to later hands-on activity.
Executive priority
Prioritize this as a readiness and assurance question rather than a single malware signature question. Organizations should ask whether they can prove visibility across Windows endpoints, email-delivered files, scheduled tasks, DNS/web egress, and remote access activity. The HEXANE relationship is especially relevant for risk discussions in oil and gas, telecommunications, aviation, ISP, Middle East, and Africa contexts described by ATT&CK, but local exposure must be validated with internal threat modeling and telemetry.
Technical view
SOC and IR teams should validate coverage around the ATT&CK relationships for DanBot: spearphishing attachments and malicious file execution, Windows command shell and Visual Basic execution, scheduled task creation or modification, encoded/encrypted artifacts and later decoding, suspicious file deletion, local file/data access, ingress tool transfer, VNC use, and HTTP(S)/DNS command-and-control patterns. Because MITRE provides no dedicated detection guidance for this software object, detection engineering should map analytics to these related techniques instead of relying only on malware names or hashes.
Likely telemetry
- Email security and attachment metadata for spearphishing attachment and malicious file execution evidence
- Windows endpoint process creation, command-line, script/VB, and .NET execution telemetry
- Windows Task Scheduler event logs and task registration/change records
- Endpoint file creation, rename, encode/decode, access, and deletion events
- EDR or host telemetry showing local data discovery/access before exfiltration
Detection direction
- Build detections around behavior clusters: email attachment execution followed by command shell or VB activity, scheduled task persistence, and outbound web/DNS traffic from the same Windows host.
- Tune scheduled-task monitoring for newly created, modified, or suspiciously named tasks, while accounting for legitimate administrative and software-update activity.
- Correlate encoded/encrypted file artifacts with subsequent decode/deobfuscation and execution events rather than treating encoding alone as malicious.
- Review VNC use against approved remote administration baselines; investigate new, rare, or externally exposed VNC sessions and connections following suspicious endpoint activity.
- Use DNS and web telemetry for anomaly and reputation-informed review, but avoid assuming all HTTP(S) or DNS traffic is malicious because these protocols are common in enterprise environments.
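The behavior-cluster approach above, as an added example that is not part of the original page: a small Python correlator that maps constructed Sysmon-style events to the DanBot-related signals (Office process spawning a shell or script interpreter, scheduled task registration, DNS queries answered with both A and AAAA records) and only flags a host when at least two distinct signals occur within a window. Hosts, timestamps, task names and the domain are made up for the demo.

```python
# Added example (not page or project code): per-host clustering of DanBot-related
# behaviors over constructed Sysmon-style events. A single signal never alerts.
from collections import defaultdict
from datetime import datetime, timedelta

OFFICE = {"excel.exe", "winword.exe", "powerpnt.exe"}
INTERPRETERS = {"cmd.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
WINDOW = timedelta(minutes=30)

# Constructed sample telemetry; every value here is made up for the demo.
EVENTS = [
    {"ts": "2024-01-10T09:00:00", "host": "ws01", "type": "process", "parent": "EXCEL.EXE", "image": "cmd.exe"},
    {"ts": "2024-01-10T09:01:00", "host": "ws01", "type": "task", "name": "UltraVNC", "action": "created"},
    {"ts": "2024-01-10T09:02:00", "host": "ws01", "type": "dns", "query": "c2.example.invalid", "rtypes": ["A", "AAAA"]},
    {"ts": "2024-01-10T10:00:00", "host": "ws02", "type": "process", "parent": "explorer.exe", "image": "cmd.exe"},
    {"ts": "2024-01-10T10:05:00", "host": "ws02", "type": "task", "name": "GoogleUpdate", "action": "created"},
]

def signal(ev):
    """Map one event to the behavior signal it satisfies, or None if it is benign-looking."""
    if ev["type"] == "process":
        if ev["parent"].lower() in OFFICE and ev["image"].lower() in INTERPRETERS:
            return "office_spawns_interpreter"      # T1204.002 followed by T1059.003/.005
    elif ev["type"] == "task" and ev["action"] in ("created", "updated"):
        return "scheduled_task_change"               # T1053.005; noisy alone (updaters, admins)
    elif ev["type"] == "dns" and {"A", "AAAA"} <= set(ev["rtypes"]):
        return "dns_a_and_aaaa"                      # T1071.004 pattern from the table; weak alone
    return None

def cluster_hosts(events, min_signals=2):
    """Return {host: sorted distinct signals} for hosts showing at least min_signals
    different signals within WINDOW of that host's first signal."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        s = signal(ev)
        if s:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), s))
    hits = {}
    for host, sigs in by_host.items():
        start = sigs[0][0]
        names = {s for t, s in sigs if t - start <= WINDOW}
        if len(names) >= min_signals:
            hits[host] = sorted(names)
    return hits

if __name__ == "__main__":
    print(cluster_hosts(EVENTS))   # only ws01 clusters; ws02's lone task change is ignored
```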
Mitigation priorities
- Start with phishing resistance and attachment handling controls, including user reporting paths and safe analysis workflows for suspicious files.
- Harden Windows endpoint monitoring and administrative control of script interpreters, command shell use, and scheduled task creation where business operations allow.
- Limit and monitor VNC and other remote access paths to approved systems, users, and network segments.
- Control outbound web and DNS egress through monitored resolvers/proxies so command-and-control-like behavior can be reviewed.
- Apply least-privilege and administrative separation to reduce the value of initial access and limit persistence or lateral movement opportunities.
Analyst notes and limits
This take is based on the ATT&CK S1014 software object, its SecureWorks external reference, and the supplied relationships. The strongest defensive value comes from the relationship-driven technique map rather than from a DanBot-specific detection recipe. The HEXANE relationship provides sector and regional context from ATT&CK, but it should not be treated as proof of current targeting or exposure for any specific organization.
MITRE does not provide official detection text, aliases, labels, or explicit tactics for the DanBot object. Some related techniques are multi-platform, but the supplied DanBot platform is Windows; do not generalize DanBot coverage to other platforms without separate evidence. Local baselines, logging configuration, and approved remote administration practices are required to determine detection quality and false-positive rates.
DanBot
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1053.005 | Scheduled Task Sub-technique | DanBot can use a scheduled task for installation. (SecureWorks August 2019) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | DanBot files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools. (ClearSky Siamesekitten August 2021) |
| Enterprise | T1021.005 | VNC Sub-technique | DanBot can use VNC for remote access to targeted systems. (ClearSky Siamesekitten August 2021) |
| Enterprise | T1027.013 | Encrypted/Encoded File Sub-technique | DanBot can Base64 encode its payload. (SecureWorks August 2019) |
| Enterprise | T1070.004 | File Deletion Sub-technique | DanBot can delete its configuration file after installation. (ClearSky Siamesekitten August 2021) |
| Enterprise | T1204.002 | Malicious File Sub-technique | DanBot has relied on victims opening a malicious file for initial execution. (SecureWorks August 2019; ClearSky Siamesekitten August 2021) |
| Enterprise | T1071.004 | DNS Sub-technique | DanBot can use IPv4 A records and IPv6 AAAA DNS records in C2 communications. (SecureWorks August 2019) |
| Enterprise | T1005 | Data from Local System | DanBot can upload files from compromised hosts. (SecureWorks August 2019) |
| Enterprise | T1105 | Ingress Tool Transfer | DanBot can download additional files to a targeted system. (SecureWorks August 2019) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | DanBot has been distributed within a malicious Excel attachment via spearphishing emails. (SecureWorks August 2019) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | DanBot can use HTTP in C2 communication. (SecureWorks August 2019) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | DanBot can use a VBA macro embedded in an Excel file to drop the payload. (SecureWorks August 2019) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | DanBot has the ability to execute arbitrary commands via `cmd.exe`. (SecureWorks August 2019; ClearSky Siamesekitten August 2021) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | DanBot can use a VBA macro to decode its payload prior to installation and execution. (SecureWorks August 2019) |
Groups, software, and campaigns
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 015ad2df1462… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SecureWorks August 2019: SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved 2019/11/19.
[2] mitre-attack S1014
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.