{"description": "Enterprise techniques used by Mongall, ATT&CK software S1026 (v1.0)", "name": "Mongall (S1026)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can use HTTP for C2 communication.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can establish persistence with the auto start function including using the value `EverNoteTrayUService`.(Citation: SentinelOne Aoqin Dragon June 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can use Base64 to encode information sent to its C2.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Mongall](https://attack.mitre.org/software/S1026) has the ability to upload files from victim's machines.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Mongall](https://attack.mitre.org/software/S1026) has the ability to decrypt its payload prior to execution.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Mongall](https://attack.mitre.org/software/S1026) has the ability to RC4 encrypt C2 communications.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can upload files and information from a compromised host to its C2 server.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can download files to targeted systems.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[Mongall](https://attack.mitre.org/software/S1026) has been packed with Themida.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can identify removable media attached to compromised hosts.(Citation: SentinelOne Aoqin Dragon June 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "showSubtechniques": true}, {"techniqueID": "T1055.001", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can inject a DLL into `rundll32.exe` for execution.(Citation: SentinelOne Aoqin Dragon June 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can use `rundll32.exe` for execution.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Mongall](https://attack.mitre.org/software/S1026) can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`.(Citation: SentinelOne Aoqin Dragon June 2022)\n", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Mongall](https://attack.mitre.org/software/S1026) has relied on a user opening a malicious document for execution.(Citation: SentinelOne Aoqin Dragon June 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mongall", "color": "#66b1ff"}]}