{"description": "Enterprise techniques used by Mafalda, ATT&CK software S1060 (v1.1)", "name": "Mafalda (S1060)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1134", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use `AdjustTokenPrivileges()` to elevate privileges.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1134.003", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can create a token for a different user.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use HTTP for C2.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can collect the contents of the `%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data\\LocalState` file.(Citation: SentinelLabs Metador Sept 2022) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can execute PowerShell commands on a compromised machine.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can execute shell commands using `cmd.exe`.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": 
"[Mafalda](https://attack.mitre.org/software/S1060) can encode data using Base64 prior to exfiltration.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can collect files and information from a compromised host.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can place retrieved files into a destination directory.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1622", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can search for debugging tools on a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1140", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can decrypt files and data.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can encrypt its C2 traffic with RC4.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can send network system data and files to its C2 server.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can establish an SSH connection from a compromised host to a server.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can search for files and directories.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can delete Windows Event logs by invoking the `OpenEventLogW` and `ClearEventLogW` functions.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can download additional files onto the compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can conduct mouse event logging.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can manipulate the system registry on a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use a variety of API calls.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1095", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use raw TCP for C2.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": 
"[Mafalda](https://attack.mitre.org/software/S1060) has been obfuscated and contains encrypted functions.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can dump password hashes from `LSASS.exe`.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can enumerate running processes on a machine.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can create a named pipe to listen for and send data to a named pipe-based C2 server.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can enumerate Registry keys with all subkeys and values.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can take a screenshot of the target machine and save it to a file.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can search for a variety of security software programs, EDR systems, and malware analysis tools.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 
1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can collect the computer name and enumerate all drives on a compromised host.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use the `GetAdaptersInfo` function to retrieve information about network adapters and the `GetIpNetTable` function to retrieve the IPv4 to physical network address mapping table.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use the `GetExtendedTcpTable` function to retrieve information about established TCP connections.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can collect the username from a compromised host.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can create a remote service, let it run once, and then delete it.(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1205", "showSubtechniques": true}, {"techniqueID": "T1205.001", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can use port-knocking to authenticate itself to another implant called Cryshell to establish an indirect connection to the C2 server.(Citation: SentinelLabs Metador Sept 2022)(Citation: SentinelLabs Metador Technical Appendix Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[Mafalda](https://attack.mitre.org/software/S1060) can collect a Chrome encryption key used to protect browser cookies.(Citation: SentinelLabs Metador Sept 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Mafalda", "color": "#66b1ff"}]}