| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1560 | Archive Collected Data | - |
| enterprise | T1560.002 | Archive via Library | TajMahal has the ability to use the open source libraries XZip/Xunzip and zlib to compress files. |
| enterprise | T1123 | Audio Capture | TajMahal has the ability to capture VoiceIP application audio on an infected host. |
| enterprise | T1119 | Automated Collection | TajMahal has the ability to index and compress files into a send queue for exfiltration. |
| enterprise | T1020 | Automated Exfiltration | TajMahal has the ability to manage an automated queue of egress files and commands sent to its C2. |
| enterprise | T1115 | Clipboard Data | TajMahal has the ability to steal data from the clipboard of an infected host. |
| enterprise | T1005 | Data from Local System | TajMahal has the ability to steal documents from the local system, including the print spooler queue. |
| enterprise | T1025 | Data from Removable Media | TajMahal has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again. |
| enterprise | T1041 | Exfiltration Over C2 Channel | TajMahal has the ability to send collected files over its C2. |
| enterprise | T1083 | File and Directory Discovery | TajMahal has the ability to index files from drives, user profiles, and removable drives. |
| enterprise | T1056 | Input Capture | - |
| enterprise | T1056.001 | Keylogging | TajMahal has the ability to capture keystrokes on an infected host. |
| enterprise | T1112 | Modify Registry | TajMahal can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers to enable document stealing. |
| enterprise | T1027 | Obfuscated Files or Information | TajMahal has used an encrypted Virtual File System to store plugins. |
| enterprise | T1120 | Peripheral Device Discovery | TajMahal has the ability to identify connected Apple devices. |
| enterprise | T1057 | Process Discovery | TajMahal has the ability to identify running processes and associated plugins on an infected host. |
| enterprise | T1055 | Process Injection | - |
| enterprise | T1055.001 | Dynamic-link Library Injection | TajMahal has the ability to inject DLLs for malicious plugins into running processes. |
| enterprise | T1113 | Screen Capture | TajMahal has the ability to take screenshots on an infected host, including capturing content from windows of instant messaging applications. |
| enterprise | T1129 | Shared Modules | TajMahal has the ability to inject the LoadLibrary call template DLL into running processes. |
| enterprise | T1518 | Software Discovery | TajMahal has the ability to identify the Internet Explorer (IE) version on an infected host. |
| enterprise | T1518.001 | Security Software Discovery | TajMahal has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use. |
| enterprise | T1539 | Steal Web Session Cookie | TajMahal has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, Firefox, and RealNetworks applications. |
| enterprise | T1082 | System Information Discovery | TajMahal has the ability to identify hardware information, the computer name, and OS information on an infected host. |
| enterprise | T1016 | System Network Configuration Discovery | TajMahal has the ability to identify the MAC address on an infected host. |
| enterprise | T1124 | System Time Discovery | TajMahal has the ability to determine local time on a compromised host. |
| enterprise | T1125 | Video Capture | TajMahal has the ability to capture webcam video. |