Mafalda
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1134 | .003 | Access Token Manipulation: Make and Impersonate Token |
Mafalda can create a token for a different user.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Mafalda can use HTTP for C2.(Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
Mafalda can execute PowerShell commands on a compromised machine.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| .003 | Command and Scripting Interpreter: Windows Command Shell |
Mafalda can execute shell commands using `cmd.exe`.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
||
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
Mafalda can encode data using Base64 prior to exfiltration.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
Mafalda can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
Mafalda can encrypt its C2 traffic with RC4.(Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1070 | .001 | Indicator Removal: Clear Windows Event Logs |
Mafalda can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.(Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
Mafalda can dump password hashes from `LSASS.exe`.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1027 | .013 | Obfuscated Files or Information: Encrypted/Encoded File |
Mafalda has been obfuscated and contains encrypted functions.(Citation: SentinelLabs Metador Sept 2022) |
| Enterprise | T1090 | .001 | Proxy: Internal Proxy |
Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1518 | .001 | Software Discovery: Security Software Discovery |
Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1569 | .002 | System Services: Service Execution |
Mafalda can create a remote service, let it run once, and then delete it.(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1205 | .001 | Traffic Signaling: Port Knocking |
Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022) |
| Enterprise | T1552 | .004 | Unsecured Credentials: Private Keys |
Mafalda can collect a Chrome encryption key used to protect browser cookies.(Citation: SentinelLabs Metador Sept 2022) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.