CHIMNEYSWEEP
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1548.002 | Abuse Elevation Control Mechanism: Bypass User Account Control | CHIMNEYSWEEP can make use of the Windows `SilentCleanup` scheduled task to execute its payload with elevated privileges.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | CHIMNEYSWEEP can send `HTTP GET` requests to C2.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | CHIMNEYSWEEP can invoke the PowerShell command template `[Reflection.Assembly]::LoadFile(\"%s\")\n$i=\"\"\n$r=[%s]::%s(\"%s\",[ref] $i)\necho $r,$i\n` (with the `%s` fields filled in at run time) to execute secondary payloads.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | CHIMNEYSWEEP has executed a script named `cln.vbs` on compromised hosts.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1132.002 | Data Encoding: Non-Standard Encoding | CHIMNEYSWEEP can use a custom Base64 alphabet for encoding C2.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1074.001 | Data Staged: Local Data Staging | CHIMNEYSWEEP can store captured screenshots to disk, including in a covert store named `APPX.%x%x%x%x%x.tmp` where each `%x` is a random value.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1070.006 | Indicator Removal: Timestomp | CHIMNEYSWEEP can timestomp its executable, previously backdating it to between 2010 and 2021.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1056.001 | Input Capture: Keylogging | CHIMNEYSWEEP has the ability to support keylogging.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1027.001 | Obfuscated Files or Information: Binary Padding | The CHIMNEYSWEEP installer has been padded with null bytes to inflate its size.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1027.007 | Obfuscated Files or Information: Dynamic API Resolution | CHIMNEYSWEEP can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1027.009 | Obfuscated Files or Information: Embedded Payloads | CHIMNEYSWEEP can extract RC4-encrypted embedded payloads for privilege escalation.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | CHIMNEYSWEEP can use the Windows `SilentCleanup` scheduled task to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | CHIMNEYSWEEP is capable of checking whether a compromised device is running DeepFreeze by Faronics.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1553.002 | Subvert Trust Controls: Code Signing | CHIMNEYSWEEP has been dropped by a self-extracting archive signed with a valid digital certificate.(Citation: Mandiant ROADSWEEP August 2022)
Enterprise | T1218.003 | System Binary Proxy Execution: CMSTP | CHIMNEYSWEEP can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.(Citation: Mandiant ROADSWEEP August 2022)
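The T1132.002 row above says CHIMNEYSWEEP encodes C2 data with a custom Base64 alphabet. The usual analyst response is to recover the 64-character alphabet from the sample and translate the traffic back onto the standard alphabet before decoding. The code below is an added example, not CHIMNEYSWEEP code and not from the Mandiant report; the alphabet it uses (the standard one rotated by 17) is a constructed placeholder standing in for whatever the real sample contains.

```python
"""Decode C2 data that uses a non-standard Base64 alphabet (T1132.002).

Added example, not CHIMNEYSWEEP code and not from the Mandiant report. The
custom alphabet below is a constructed placeholder (the standard alphabet
rotated by 17); the real alphabet has to be recovered from the sample.
"""
import base64
import binascii
import string

STANDARD_ALPHABET = (string.ascii_uppercase + string.ascii_lowercase
                     + string.digits + "+/")

# Constructed placeholder alphabet, NOT the one CHIMNEYSWEEP uses.
CUSTOM_ALPHABET = STANDARD_ALPHABET[17:] + STANDARD_ALPHABET[:17]


def validate_alphabet(alphabet: str) -> None:
    """A usable Base64 alphabet is 64 distinct characters with '=' left free for padding."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must contain 64 distinct characters")
    if "=" in alphabet:
        raise ValueError("'=' is reserved for padding")


def custom_b64encode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Standard Base64, then substitute each symbol with its custom counterpart."""
    validate_alphabet(alphabet)
    table = bytes.maketrans(STANDARD_ALPHABET.encode(), alphabet.encode())
    return base64.b64encode(data).translate(table)


def custom_b64decode(data: bytes, alphabet: str = CUSTOM_ALPHABET) -> bytes:
    """Map the custom symbols back onto the standard alphabet, then decode."""
    validate_alphabet(alphabet)
    table = bytes.maketrans(alphabet.encode(), STANDARD_ALPHABET.encode())
    normalized = data.translate(table)
    # Custom encoders frequently drop the '=' padding; restore it before decoding.
    normalized += b"=" * (-len(normalized) % 4)
    # validate=True rejects bytes outside the alphabet instead of silently skipping them.
    return base64.b64decode(normalized, validate=True)


def try_decode(data: bytes, alphabet: str = CUSTOM_ALPHABET):
    """Return the decoded bytes, or None when `data` is not valid under `alphabet`."""
    try:
        return custom_b64decode(data, alphabet)
    except (binascii.Error, ValueError):
        return None


def find_alphabet_candidates(strings):
    """From strings dumped out of a sample, keep those that could serve as a Base64 alphabet."""
    return [s for s in strings
            if len(s) == 64 and len(set(s)) == 64 and "=" not in s and s.isprintable()]
```

In practice `find_alphabet_candidates` is run over the output of a strings dump of the unpacked sample; each candidate is then tried with `try_decode` against captured request bodies, and the alphabet that yields structured plaintext is the one the encoder uses.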
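The T1027.009 row says CHIMNEYSWEEP carries RC4-encrypted payloads embedded in its own binary and decrypts them for privilege escalation. The following is an added example of how an analyst carves and decrypts such records; it is not CHIMNEYSWEEP code or the Mandiant report's. The container layout it assumes (an 8-byte marker, a 4-byte little-endian length, a 16-byte inline key, then ciphertext) is a constructed stand-in: a real sample's layout and key location have to come from reversing its unpacking routine, and the RC4 routine is the textbook algorithm.

```python
"""Locate and decrypt RC4-encrypted payloads embedded in a carrier file (T1027.009).

Added example, not CHIMNEYSWEEP code. The container layout (8-byte marker,
4-byte little-endian length, 16-byte key, ciphertext) is a constructed
assumption for the demo; a real sample's layout and key storage come from
reversing the unpacking routine.
"""
import struct

MARKER = b"EMBPAYL1"      # constructed marker, not from the malware
KEY_LEN = 16               # assumed inline key length


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4: KSA followed by PRGA keystream XOR. Encrypt and decrypt are the same."""
    if not key:
        raise ValueError("empty RC4 key")
    s = list(range(256))
    j = 0
    for i in range(256):                          # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                             # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_carrier(host: bytes, key: bytes, payload: bytes) -> bytes:
    """Append one encrypted payload record to `host` using the assumed layout."""
    if len(key) != KEY_LEN:
        raise ValueError(f"key must be {KEY_LEN} bytes")
    record = MARKER + struct.pack("<I", len(payload)) + key + rc4(key, payload)
    return host + record


def extract_payloads(carrier: bytes) -> list:
    """Walk every marker in `carrier`, validate record bounds and return the decrypted payloads."""
    payloads = []
    pos = 0
    hdr_len = len(MARKER) + 4 + KEY_LEN
    while True:
        idx = carrier.find(MARKER, pos)
        if idx < 0 or idx + hdr_len > len(carrier):
            break
        (length,) = struct.unpack_from("<I", carrier, idx + len(MARKER))
        key_off = idx + len(MARKER) + 4
        ct_off = key_off + KEY_LEN
        if ct_off + length > len(carrier):        # truncated record or bogus length: skip marker
            pos = idx + 1
            continue
        key = carrier[key_off:ct_off]
        payloads.append(rc4(key, carrier[ct_off:ct_off + length]))
        pos = ct_off + length
    return payloads


def is_pe(data: bytes) -> bool:
    """Decrypted payloads that start with the MZ header are candidate executables."""
    return data[:2] == b"MZ"
```

The bounds check before each decryption matters: a length field read from attacker-controlled bytes must never be trusted to index the buffer, and a truncated record is skipped rather than raising mid-carve.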
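Two rows above describe file-level artefacts a responder can test for directly: the T1070.006 row (the executable's timestamps backdated to between 2010 and 2021) and the T1027.001 row (the installer inflated with null bytes). The block below is an added example serving both, not code from the page or the Mandiant report. It parses only the MZ/PE header fields it needs, compares the linker's TimeDateStamp against the filesystem modification time (a file written before it was linked has had its times altered), and measures the trailing run of 0x00 bytes. The 50% padding threshold and the in-memory PE image used by `demo()` are constructed for the demonstration. Caveat: the link timestamp can itself be forged by the author, so a plausible-looking value is not proof of anything; an impossible ordering is the signal.

```python
"""Triage a dropped executable for timestomping (T1070.006) and trailing
null-byte padding (T1027.001).

Added example, not from the page or the Mandiant report. It parses only the
MZ/PE headers it needs with struct, builds a minimal PE image in memory for the
demo, and uses an arbitrary padding threshold of 50%.
"""
import os
import struct
import tempfile
from datetime import datetime, timezone

PADDING_THRESHOLD = 0.5   # assumed; tune against a baseline of legitimate binaries


def pe_link_timestamp(data: bytes) -> int:
    """Return the COFF header TimeDateStamp (epoch seconds) written by the linker."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # COFF file header: Machine (2), NumberOfSections (2), TimeDateStamp (4), ...
    (timestamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return timestamp


def trailing_null_ratio(data: bytes) -> float:
    """Fraction of the file that is a run of 0x00 at the end (binary padding)."""
    if not data:
        return 0.0
    return (len(data) - len(data.rstrip(b"\0"))) / len(data)


def triage(path: str) -> dict:
    """Compare on-disk timestamps against the link time and measure padding."""
    with open(path, "rb") as fh:
        data = fh.read()
    st = os.stat(path)
    link_ts = pe_link_timestamp(data)
    ratio = trailing_null_ratio(data)
    findings = []
    # A file cannot legitimately be written before it was linked: either the filesystem
    # times were altered or the link timestamp was forged; both merit a look.
    if st.st_mtime + 60 < link_ts:
        findings.append("mtime_precedes_link_time")
    if ratio >= PADDING_THRESHOLD:
        findings.append("trailing_null_padding")
    return {
        "link_time": datetime.fromtimestamp(link_ts, timezone.utc).isoformat(),
        "mtime": datetime.fromtimestamp(int(st.st_mtime), timezone.utc).isoformat(),
        "padding_ratio": round(ratio, 4),
        "findings": findings,
    }


def make_minimal_pe(link_ts: int, pad_bytes: int) -> bytes:
    """Constructed image: DOS header with e_lfanew=0x40, PE signature, COFF header, null overlay."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHI", 0x14C, 1, link_ts) + b"\0" * 12
    return dos + b"PE\0\0" + coff + b"\0" * pad_bytes


def demo() -> dict:
    """Write a padded, backdated sample to a temp dir and triage it."""
    link_ts = 1654041600          # 2022-06-01T00:00:00Z, constructed
    backdated = 1420070400        # 2015-01-01T00:00:00Z, constructed
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "sample.exe")
        with open(path, "wb") as fh:
            fh.write(make_minimal_pe(link_ts, 200_000))
        os.utime(path, (backdated, backdated))   # stand-in for the attacker's timestomp
        return triage(path)
```

On a live NTFS volume, pair this with a comparison of the $STANDARD_INFORMATION and $FILE_NAME timestamps from the MFT, which the user-mode timestamp APIs do not update together.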
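The T1218.003 row says CHIMNEYSWEEP uses CMSTP.exe to install a malicious Connection Manager profile. What makes CMSTP a proxy-execution vector is that the profile INF it processes can name command sections through the advpack directives `RunPreSetupCommandsSection`, `RunPostSetupCommandsSection`, `RegisterOCXs` and `UnRegisterOCXs`, which cmstp.exe then executes. The code below is an added example of scanning INF content for those directives; it is not from the page or the Mandiant report, and both INF texts in it are constructed (the path in the suspicious one is a placeholder, not an indicator from the report).

```python
"""Flag Connection Manager profile INFs that make CMSTP.exe run commands (T1218.003).

Added example, not from the page or the Mandiant report. The INF texts are
constructed. It looks for the advpack directives CMSTP honours from a
DefaultInstall section: RunPreSetupCommandsSection, RunPostSetupCommandsSection,
RegisterOCXs and UnRegisterOCXs.
"""

EXEC_DIRECTIVES = {
    "runpresetupcommandssection",
    "runpostsetupcommandssection",
    "registerocxs",
    "unregisterocxs",
}


def parse_inf(text: str) -> dict:
    """Minimal INF parser: section name (lower-cased) -> list of non-comment lines."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # strip trailing ';' comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def find_cmstp_execution(text: str) -> list:
    """Return (directive, section, command) triples reachable from any DefaultInstall* section."""
    sections = parse_inf(text)
    findings = []
    for name, lines in sections.items():
        if not name.startswith("defaultinstall"):
            continue
        for line in lines:
            if "=" not in line:
                continue
            key, value = (part.strip() for part in line.split("=", 1))
            if key.lower() not in EXEC_DIRECTIVES:
                continue
            for target in value.split(","):          # a directive may list several sections
                target = target.strip().lower()
                for cmd in sections.get(target, []):
                    findings.append((key, target, cmd))
    return findings


# Constructed malicious profile: a pre-setup command section runs an arbitrary binary.
SUSPICIOUS_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RunPreSetupCommandsSection=RunPreSetupCommands

[RunPreSetupCommands]
C:\Users\Public\stage.exe          ; constructed path, not an indicator from the report
taskkill /IM cmstp.exe /F

[Strings]
ServiceName="Example"
"""

# Constructed profile with no command-execution directive.
BENIGN_INF = r"""
[version]
Signature=$chicago$

[DefaultInstall]
CopyFiles=ProfileFiles

[ProfileFiles]
example.cmp

[Strings]
ServiceName="Example"
"""
```

Content scanning of INF files is one half of the detection; the other is process telemetry, since the technique is typically driven as `cmstp.exe /ni /s <profile.inf>` and shows up as cmstp.exe spawning a child process it has no business launching.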