{"description": "Enterprise techniques used by Sakula, ATT&CK software S0074 (v1.2)", "name": "Sakula (S0074)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[Sakula](https://attack.mitre.org/software/S0074) contains UAC bypass code for both 32- and 64-bit systems.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Sakula](https://attack.mitre.org/software/S0074) uses HTTP for C2.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "Most [Sakula](https://attack.mitre.org/software/S0074) samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Sakula](https://attack.mitre.org/software/S0074) calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup.\n[Sakula](https://attack.mitre.org/software/S0074) also has the capability to invoke a reverse shell.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "Some [Sakula](https://attack.mitre.org/software/S0074) samples install themselves as services for persistence by calling WinExec with the net start argument.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": "[Sakula](https://attack.mitre.org/software/S0074) encodes C2 traffic with single-byte XOR keys.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Sakula](https://attack.mitre.org/software/S0074) uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "Some [Sakula](https://attack.mitre.org/software/S0074) samples use cmd.exe to delete temporary files.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Sakula](https://attack.mitre.org/software/S0074) has the capability to download files.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[Sakula](https://attack.mitre.org/software/S0074) uses single-byte XOR obfuscation to obfuscate many of its files.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Sakula](https://attack.mitre.org/software/S0074) calls cmd.exe to run various DLL files via rundll32.(Citation: Dell Sakula)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Sakula", "color": "#66b1ff"}]}