{"description": "Enterprise techniques used by Valak, ATT&CK software S0476 (v1.3)", "name": "Valak (S0476)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate local admin accounts.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate domain admin accounts.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) has used HTTP in communications with C2.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1119", "comment": "[Valak](https://attack.mitre.org/software/S0476) can download a module to search for and build a report of harvested credential data.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) has used PowerShell to download additional modules.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Valak](https://attack.mitre.org/software/S0476) can execute JavaScript containing configuration data for establishing persistence.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.004", 
"comment": "[Valak](https://attack.mitre.org/software/S0476) can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) has returned C2 data as encoded ASCII.(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to decode and decrypt downloaded files.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to exfiltrate data over the C2 channel.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1008", "comment": "[Valak](https://attack.mitre.org/software/S0476) can communicate over multiple C2 hosts.(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.004", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to save and execute files as alternate data streams (ADS).(Citation: Cybereason Valak May 2020)(Citation: 
Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Valak](https://attack.mitre.org/software/S0476) has downloaded a variety of modules and payloads to the compromised host, including [IcedID](https://attack.mitre.org/software/S0483) and NetSupport Manager RAT-based malware.(Citation: Unit 42 Valak July 2020)(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) can execute tasks via OLE.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1104", "comment": "[Valak](https://attack.mitre.org/software/S0476) can download additional modules and malware capable of using separate C2 channels.(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to base64 encode and XOR encrypt strings.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) has used packed DLL payloads.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to store information regarding the C2 server and downloads in the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) has been delivered via spearphishing e-mails with password protected ZIP files.(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) has been delivered via malicious links in e-mail.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to enumerate running processes on a compromised host.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Valak](https://attack.mitre.org/software/S0476) can use the Registry for code updates and to collect credentials.(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Valak](https://attack.mitre.org/software/S0476) has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": 
"[Valak](https://attack.mitre.org/software/S0476) has the ability to take screenshots on a compromised host.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Valak](https://attack.mitre.org/software/S0476) can determine if a compromised host has security products installed.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.010", "comment": "[Valak](https://attack.mitre.org/software/S0476) has used regsvr32.exe to launch malicious DLLs.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Valak](https://attack.mitre.org/software/S0476) can determine the Windows version and computer name on a compromised host.(Citation: Cybereason Valak May 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Valak](https://attack.mitre.org/software/S0476) has the ability to identify the domain and the MAC and IP addresses of an infected machine.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Valak](https://attack.mitre.org/software/S0476) can gather information regarding the user.(Citation: Cybereason Valak May 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) can use the clientgrabber module to steal e-mail credentials from the Registry.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Valak](https://attack.mitre.org/software/S0476) has been executed via Microsoft Word documents containing malicious macros.(Citation: Cybereason Valak May 2020)(Citation: Unit 42 Valak July 2020)(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Valak](https://attack.mitre.org/software/S0476) can use wmic process call create in a scheduled task to launch plugins and for execution.(Citation: SentinelOne Valak June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Valak", "color": "#66b1ff"}]}