| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | Mafalda can collect files and information from a compromised host.[1] |
| Enterprise | T1090.001 | Proxy: Internal Proxy | Mafalda can create a named pipe to listen for and send data to a named pipe-based C2 server.[2] |
| Enterprise | T1112 | Modify Registry | Mafalda can manipulate the system registry on a compromised host.[2] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | Mafalda can execute PowerShell commands on a compromised machine.[2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1133 | External Remote Services | Mafalda can establish an SSH connection from a compromised host to a server.[2] |
| Enterprise | T1113 | Screen Capture | Mafalda can take a screenshot of the target machine and save it to a file.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Mafalda can place retrieved files into a destination directory.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Mafalda can encode data using Base64 prior to exfiltration.[2] |
| Enterprise | T1083 | File and Directory Discovery | |
| Enterprise | T1552.004 | Unsecured Credentials: Private Keys | Mafalda can collect a Chrome encryption key used to protect browser cookies.[1] |
| Enterprise | T1106 | Native API | |
| Enterprise | T1012 | Query Registry | Mafalda can enumerate Registry keys with all subkeys and values.[2] |
| Enterprise | T1205.001 | Traffic Signaling: Port Knocking | Mafalda can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.[1][2] |
| Enterprise | T1217 | Browser Information Discovery | Mafalda can collect the contents of the |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | Mafalda has been obfuscated and contains encrypted functions.[1] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | Mafalda can delete Windows Event logs by invoking the |
| Enterprise | T1082 | System Information Discovery | Mafalda can collect the computer name and enumerate all drives on a compromised host.[1][2] |
| Enterprise | T1033 | System Owner/User Discovery | Mafalda can collect the username from a compromised host.[2] |
| Enterprise | T1569.002 | System Services: Service Execution | Mafalda can create a remote service, let it run once, and then delete it.[2] |
| Enterprise | T1049 | System Network Connections Discovery | Mafalda can use the |
| Enterprise | T1016 | System Network Configuration Discovery | Mafalda can use the |
| Enterprise | T1134 | Access Token Manipulation | Mafalda can use |
| Enterprise | T1134.003 | Access Token Manipulation: Make and Impersonate Token | |
| Enterprise | T1622 | Debugger Evasion | Mafalda can search for debugging tools on a compromised host.[2] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | Mafalda can search for a variety of security software programs, EDR systems, and malware analysis tools.[1][2] |
| Enterprise | T1105 | Ingress Tool Transfer | Mafalda can download additional files onto the compromised host.[2] |
| Enterprise | T1056 | Input Capture | |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Mafalda can send network system data and files to its C2 server.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | |