S1021: DnsSystem
Analyst context for executives and security teams
DnsSystem matters because it is a Windows .NET DNS backdoor associated in ATT&CK with HEXANE and behaviors that span execution, persistence, discovery, command-and-control, tool transfer, collection, and exfiltration. For leaders, the key issue is not the malware name alone; it is whether DNS traffic, Windows startup persistence, command-shell execution, and local data access are visible enough for the SOC and IR teams to reconstruct an intrusion that may intentionally blend into normal network operations.
Executive priority
Prioritize DnsSystem as a threat-informed validation case for Windows environments where DNS egress, endpoint persistence, and data movement evidence are business-critical. The relationship to HEXANE is relevant for organizations comparing their risk profile to sectors noted in ATT&CK group context, including oil and gas, telecommunications, aviation, and internet service providers, but it should not be treated as proof of exposure. Executives should ask whether DNS is governed as a monitored control plane, whether incident responders can quickly identify which Windows host generated suspicious DNS activity, and whether compliance evidence can show monitoring of persistence, command execution, and exfiltration paths.
Technical view
ATT&CK does not provide a specific detection section for DnsSystem, so defenders should validate coverage through the related techniques: Windows Command Shell, DNS command-and-control, Standard Encoding, Registry Run Keys/Startup Folder, Ingress Tool Transfer, Data from Local System, System Owner/User Discovery, Exfiltration Over C2 Channel, and Malicious File execution. SOC teams should test whether DNS events can be correlated to Windows endpoint process activity, whether registry startup changes are captured, and whether command-shell activity from unusual or newly introduced .NET-based executables is visible. IR teams should be prepared to review DNS queries and responses, local file access, downloaded tools or files, and persistence artifacts together rather than as isolated alerts.
Likely telemetry
- DNS resolver and DNS security logs, including queried domains and requesting internal hosts
- Network flow or proxy evidence showing DNS paths and unusual external resolution behavior
- Windows endpoint process creation telemetry, especially cmd.exe activity and parent-child process relationships
- Windows registry monitoring for Run Keys and startup folder persistence locations
- File creation, download, and execution events for newly introduced tools or malicious files
Detection direction
- Because no official ATT&CK detection guidance is supplied for S1021, treat detections as validation hypotheses requiring local tuning.
- Correlate DNS activity with the originating Windows host and process; DNS-only visibility is often insufficient for confident triage.
- Develop analytics around suspicious DNS command-and-control patterns, but tune carefully because DNS is high-volume and business-critical.
- Monitor Registry Run Keys and startup folders for new or modified entries that launch unfamiliar binaries under user context.
- Review command-shell execution linked to unknown files, newly downloaded tools, or suspicious parent processes.
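To make the correlation points above concrete, the following is an added Python example (not part of the ATT&CK object, the Zscaler report, or any vendor product). It scores TXT queries from endpoint DNS telemetry, joins them to process-creation and Startup-folder file events from the same host within a time window, and reports the responsible process rather than a bare domain. The pipe-separated log layouts, the sample lines, the `updates-cdn.example` zone, the weights and the alert threshold are all constructed assumptions to be replaced with local telemetry and tuning.

```python
"""Correlate DNS TXT-query telemetry with Windows endpoint events.

Added example, not part of the ATT&CK object or of any vendor product.
Field layouts, sample log lines, weights and threshold are constructed
assumptions meant as a starting point for local tuning.
"""
import base64
import math
import re
from datetime import datetime, timedelta

SEP = "|"
WINDOW = timedelta(minutes=5)  # how close endpoint events must be to a DNS query
LABEL_RE = re.compile(r"^[A-Za-z0-9+/=_-]{12,}$")
STARTUP_MARK = "\\start menu\\programs\\startup\\"


def encode_label(raw: bytes) -> str:
    """Used only to build the constructed sample: unpadded Base64 as a DNS label."""
    return base64.b64encode(raw).decode().rstrip("=")


# Constructed endpoint DNS telemetry (Sysmon Event ID 22 style): host|time|image|query|type
ENDPOINT_DNS = "\n".join([
    "ws01|2024-03-04T09:01:02|C:\\Windows\\System32\\svchost.exe|time.windows.com|A",
    "ws01|2024-03-04T09:01:09|C:\\Users\\jdoe\\AppData\\Roaming\\sysupd.exe|"
    + encode_label(b"jdoe-WS01-hello") + ".updates-cdn.example|TXT",
    "ws01|2024-03-04T09:01:39|C:\\Users\\jdoe\\AppData\\Roaming\\sysupd.exe|"
    + encode_label(b"jdoe-WS01-poll-0002") + ".updates-cdn.example|TXT",
    "ws02|2024-03-04T09:02:00|C:\\Program Files\\Mail\\mail.exe|_dmarc.partner.example|TXT",
])
# Constructed process-creation telemetry: host|time|image|parent
PROC_EVENTS = "\n".join([
    "ws01|2024-03-04T09:01:12|C:\\Windows\\System32\\cmd.exe|C:\\Users\\jdoe\\AppData\\Roaming\\sysupd.exe",
    "ws02|2024-03-04T09:02:05|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\explorer.exe",
])
# Constructed file-creation telemetry: host|time|path
FILE_EVENTS = "\n".join([
    "ws01|2024-03-04T09:00:40|C:\\Users\\jdoe\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\sysupd.lnk",
])


def parse(block: str, fields: tuple) -> list:
    """Split pipe-separated lines into dicts and parse the ISO timestamp."""
    rows = []
    for line in block.splitlines():
        row = dict(zip(fields, line.split(SEP)))
        row["time"] = datetime.fromisoformat(row["time"])
        rows.append(row)
    return rows


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads score higher than ordinary hostnames."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))


def looks_encoded(label: str) -> bool:
    """Heuristic for a Base64-like label: long, three character classes, decodable."""
    if not LABEL_RE.match(label):
        return False
    classes = sum(bool(re.search(p, label)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    if classes < 3 or shannon_entropy(label) < 3.0:
        return False
    std = label.translate(str.maketrans("-_", "+/"))  # accept URL-safe alphabet too
    std += "=" * (-len(std) % 4)                      # restore stripped padding
    try:
        base64.b64decode(std, validate=True)
        return True
    except ValueError:
        return False


def is_user_writable(image: str) -> bool:
    """Binaries in user-writable locations deserve more scrutiny than system paths."""
    low = image.lower()
    return any(m in low for m in ("\\appdata\\", "\\temp\\", "\\users\\public\\"))


def triage(dns_rows, proc_rows, file_rows, threshold: int = 5) -> list:
    """Score each TXT query and aggregate findings by (host, image, queried zone)."""
    findings = {}
    for q in dns_rows:
        if q["type"] != "TXT":  # ATT&CK: DnsSystem receives C2 commands via TXT records
            continue
        label, _, zone = q["query"].partition(".")
        host, image, when = q["host"], q["image"], q["time"]
        stem = image.rsplit("\\", 1)[-1].lower().rsplit(".", 1)[0]
        score, reasons = 0, []
        if looks_encoded(label):
            score, reasons = score + 3, reasons + ["encoded-looking leftmost label"]
        if is_user_writable(image):
            score, reasons = score + 1, reasons + ["image in user-writable path"]
        if any(p["host"] == host and p["parent"].lower() == image.lower()
               and p["image"].lower().endswith("\\cmd.exe")
               and abs(p["time"] - when) <= WINDOW for p in proc_rows):
            score, reasons = score + 2, reasons + ["spawned cmd.exe near the query"]
        if any(f["host"] == host and STARTUP_MARK in f["path"].lower()
               and stem in f["path"].lower() and f["time"] <= when + WINDOW for f in file_rows):
            score, reasons = score + 2, reasons + ["matching Startup folder artifact"]
        key = (host, image, zone)
        entry = findings.setdefault(key, {"host": host, "image": image, "zone": zone,
                                          "txt_queries": 0, "score": 0, "reasons": []})
        entry["txt_queries"] += 1
        if score > entry["score"]:
            entry["score"], entry["reasons"] = score, reasons
    return [f for f in findings.values() if f["score"] >= threshold]


def run_sample() -> list:
    """Run the triage over the constructed telemetry and return the findings."""
    dns = parse(ENDPOINT_DNS, ("host", "time", "image", "query", "type"))
    procs = parse(PROC_EVENTS, ("host", "time", "image", "parent"))
    files = parse(FILE_EVENTS, ("host", "time", "path"))
    return triage(dns, procs, files)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

In the sample, only the `ws01` process in `AppData\Roaming` is reported: its TXT queries carry encoded-looking labels, it spawned `cmd.exe` seconds later, and a Startup-folder shortcut with the same name exists. The `ws02` `_dmarc` TXT lookup is legitimate mail-policy traffic and scores zero, which is the kind of high-volume, business-critical DNS the guidance above warns against alerting on. The weights are deliberately coarse so that each signal can be tuned against local baselines rather than trusted on its own.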
Mitigation priorities
- Route DNS through approved, logged resolvers and restrict unmanaged direct DNS egress where operationally feasible.
- Ensure Windows endpoint logging captures process creation, registry persistence changes, file execution, and network context needed for incident response.
- Apply application control or execution policy controls to reduce the chance that unapproved .NET executables or malicious files can run.
- Harden and monitor Run Key and startup folder persistence paths, especially for standard user contexts.
- Use security awareness and attachment/file handling controls to reduce malicious file execution risk.
Analyst notes and limits
The strongest decision value is to use DnsSystem as a coverage test for DNS-based backdoor operations on Windows. The ATT&CK relationship set indicates behaviors defenders should validate across execution, persistence, C2, collection, and exfiltration. The HEXANE relationship adds threat-intelligence context, especially for sector and regional risk discussions, but it should be used for prioritization rather than as an assertion of current targeting.
The supplied ATT&CK object has no official detection text, no aliases, and no malware-specific tactics listed. Details such as indicators, infrastructure, payload filenames, exact DNS formats, and prevalence are not included in the provided fields. Local environment telemetry, business DNS patterns, and endpoint coverage are required before making conclusions about detection quality or exposure.
DnsSystem
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1132.001 | Standard Encoding | DnsSystem can Base64 encode data sent to C2. [1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | DnsSystem can exfiltrate collected data to its C2 server. [1] |
| Enterprise | T1105 | Ingress Tool Transfer | DnsSystem can download files to compromised systems after receiving a command with the string `downloaddd`. [1] |
| Enterprise | T1071.004 | DNS | DnsSystem can direct queries to custom DNS servers and return C2 commands using TXT records. [1] |
| Enterprise | T1059.003 | Windows Command Shell | DnsSystem can use `cmd.exe` for execution. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | DnsSystem can write itself to the Startup folder to gain persistence. [1] |
| Enterprise | T1033 | System Owner/User Discovery | DnsSystem can use the Windows user name to create a unique identification for infected users and systems. [1] |
| Enterprise | T1005 | Data from Local System | DnsSystem can upload files from infected machines after receiving a command with `uploaddd` in the string. [1] |
| Enterprise | T1204.002 | Malicious File | DnsSystem has lured victims into opening macro-enabled Word documents for execution. [1] |
Groups, software, and campaigns
G1001: HEXANE
HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.[1][2][3][4]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e357e4eeb9e9… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Zscaler Lyceum DnsSystem June 2022: Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022.
[2] mitre-attack S1021
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.