{"description": "Enterprise techniques used by TajMahal, ATT&CK software S0467 (v1.0)", "name": "TajMahal (S0467)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.002", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to use the open source libraries XZip/Xunzip and zlib to compress files.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1123", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture VoiceIP application audio on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1119", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to index and compress files into a send queue for exfiltration.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1020", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to manage an automated queue of egress files and commands sent to its C2.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1115", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal data from the clipboard of an infected host.(Citation: Kaspersky TajMahal April 2019)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1005", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal documents from the local system including the print spooler queue.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1025", "comment": 
"[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to send collected files over its C2.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to index files from drives, user profiles, and removable drives.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture keystrokes on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers to enable document stealing.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has used an encrypted Virtual File System to store plugins.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify connected Apple devices.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1057", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify running processes and associated plugins on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to inject DLLs for malicious plugins into running processes.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to inject the LoadLibrary call template DLL into running processes.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify the Internet Explorer (IE) version on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1539", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify hardware information, the computer name, and OS information on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to identify the MAC address on an infected host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to determine local time on a compromised host.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1125", "comment": "[TajMahal](https://attack.mitre.org/software/S0467) has the ability to capture webcam video.(Citation: Kaspersky TajMahal April 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TajMahal", "color": "#66b1ff"}]}