Manjusaka is a Chinese-language intrusion framework, similar to Sliver and Cobalt Strike, with a controller written in Go (distributed as an ELF binary) and implants for Windows and Linux written in Rust. First identified in 2022, Manjusaka consists of multiple components, only one of which (a command and control module) is freely available.[1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555 | Credentials from Password Stores | Manjusaka extracts credentials from the Windows Registry associated with Premiumsoft Navicat, a utility used to facilitate access to various database types.[1] |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Manjusaka gathers credentials from Chromium-based browsers.[1] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Manjusaka can execute arbitrary commands passed to it from the C2 controller via |
| Enterprise | T1113 | Screen Capture | |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Manjusaka has used HTTP for command and control communication.[1] |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | Manjusaka communication includes a client-created session cookie with base64-encoded information representing information from the victim system.[1] |
| Enterprise | T1083 | File and Directory Discovery | Manjusaka can gather information about specific files on the victim system.[1] |
| Enterprise | T1082 | System Information Discovery | Manjusaka performs basic system profiling actions to fingerprint and register the victim system with the C2 controller.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Manjusaka gathers information about current network connections, local and remote addresses associated with them, and associated processes.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Manjusaka data exfiltration takes place over HTTP channels.[1] |
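As an added example (not part of the ATT&CK entry and not Manjusaka's own code), a log-review heuristic for the T1132.001 behaviour in the table: flag HTTP cookies whose value base64-decodes to readable text instead of an opaque session token. The proxy log format and the decoded field layout are constructed assumptions, not the framework's real format.

```python
import base64
import binascii
import re

# Constructed sample proxy log lines (not real Manjusaka traffic). The second
# line carries an assumed host-profile string, base64-encoded into a cookie.
PROFILE = b"hostname=DESKTOP-TEST;user=analyst;os=Windows 10"
SAMPLE_LOGS = [
    "GET /login HTTP/1.1 Cookie: sid=a1b2c3-d4e5f6-7890; lang=en",
    "GET /api/v1/ HTTP/1.1 Cookie: session=" + base64.b64encode(PROFILE).decode(),
]

MIN_DECODED_LEN = 16   # opaque tokens rarely decode to this much readable text
PRINTABLE_RATIO = 0.9  # share of bytes that must be printable ASCII


def decode_b64(value):
    """Strict base64 decode with padding repair; None if not base64."""
    padded = value + "=" * (-len(value) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def printable_ratio(data):
    if not data:
        return 0.0
    return sum(32 <= b < 127 for b in data) / len(data)


def suspicious_cookies(log_line):
    """Return (cookie_name, decoded_text) for cookies that decode to text."""
    match = re.search(r"Cookie: (.*)$", log_line)
    if not match:
        return []
    hits = []
    for pair in match.group(1).split(";"):
        name, _, value = pair.strip().partition("=")
        decoded = decode_b64(value.strip()) if value else None
        if decoded is None or len(decoded) < MIN_DECODED_LEN:
            continue
        if printable_ratio(decoded) >= PRINTABLE_RATIO:
            hits.append((name, decoded.decode("ascii", errors="replace")))
    return hits


def scan_logs(lines):
    """Return (line_index, cookie_name, decoded_text) for every hit."""
    return [(i, n, t) for i, line in enumerate(lines)
            for n, t in suspicious_cookies(line)]
```

The threshold values are starting points; tune them against your own proxy logs, since legitimate cookies that carry base64-encoded JSON will also match.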