Domain | ID | Name | Use |
---|---|---|---|
Mobile | T1435 | Access Calendar Entries | Monokle can retrieve calendar event information including the event name, when and where it is taking place, and the description.[1] |
Mobile | T1433 | Access Call Log | |
Mobile | T1432 | Access Contact List | |
Mobile | T1438 | Alternate Network Mediums | Monokle can be controlled via email and SMS from a set of "control phones."[1] |
Mobile | T1418 | Application Discovery | |
Mobile | T1616 | Call Control | Monokle can be controlled via phone call from a set of "control phones."[1] |
Mobile | T1429 | Capture Audio | Monokle can record audio from the device's microphone and can record phone calls, specifying the output audio quality.[1] |
Mobile | T1512 | Capture Camera | |
Mobile | T1533 | Data from Local System | Monokle can retrieve the salt used when storing the user’s password, aiding an adversary in computing the user’s plaintext password/PIN from the stored password hash. Monokle can also capture the user’s dictionary, user-defined shortcuts, and browser history, enabling profiling of the user and their activities.[1] |
Mobile | T1447 | Delete Device Data | Monokle can delete arbitrary files on the device, and can also uninstall itself and clean up staging files.[1] |
Mobile | T1446 | Device Lockout | |
Mobile | T1617 | Hooking | Monokle can hook itself to appear invisible to the Process Manager.[1] |
Mobile | T1417 | Input Capture | |
Mobile | T1430 | Location Tracking | |
Mobile | T1400 | Modify System Partition | Monokle can remount the system partition as read/write to install attacker-specified certificates.[1] |
Mobile | T1507 | Network Information Discovery | Monokle can retrieve nearby cell tower and Wi-Fi network information.[1] |
Mobile | T1410 | Network Traffic Capture or Redirection | Monokle can install attacker-specified certificates to the device's trusted certificate store, enabling an adversary to perform adversary-in-the-middle attacks.[1] |
Mobile | T1406 | Obfuscated Files or Information | |
Mobile | T1544 | Remote File Copy | |
Mobile | T1513 | Screen Capture | Monokle can record the screen as the user unlocks the device and can take screenshots of any application in the foreground. Monokle can also abuse accessibility features to read the screen to capture data from a large number of popular applications.[1] |
Mobile | T1426 | System Information Discovery | Monokle queries the device for metadata such as make, model, and power levels.[1] |
Mobile | T1422 | System Network Configuration Discovery | Monokle checks if the device is connected via Wi-Fi or mobile data.[1] |