{"description": "Enterprise techniques used by CHOPSTICK, ATT&CK software S0023 (v2.3)", "name": "CHOPSTICK (S0023)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "Various implementations of [CHOPSTICK](https://attack.mitre.org/software/S0023) communicate with C2 over HTTP.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "Various implementations of [CHOPSTICK](https://attack.mitre.org/software/S0023) communicate with C2 over SMTP and POP3.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing remote command execution.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1092", "comment": "Part of [APT28](https://attack.mitre.org/groups/G0007)'s operation involved using [CHOPSTICK](https://attack.mitre.org/software/S0023) modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic.(Citation: FireEye APT28)(Citation: ESET Sednit Part 2)(Citation: Microsoft SIR Vol 19)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "showSubtechniques": true}, {"techniqueID": "T1568.002", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) can use a DGA for [Fallback Channels](https://attack.mitre.org/techniques/T1008); domains are generated by concatenating words from lists.(Citation: ESET Sednit 2017 Activity)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": 
"[CHOPSTICK](https://attack.mitre.org/software/S0023) encrypts C2 communications with RC4.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1573.002", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) encrypts C2 communications with TLS.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1008", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) can switch to a new C2 channel if the current one is broken.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "An older version of [CHOPSTICK](https://attack.mitre.org/software/S0023) has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing remote file transmission.(Citation: Crowdstrike DNC June 2016)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "showSubtechniques": true}, {"techniqueID": "T1056.001", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) is capable of performing keylogging.(Citation: Crowdstrike DNC June 2016)(Citation: ESET Sednit Part 2)(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) may modify Registry keys to store RC4 encrypted configuration information.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) may store RC4 encrypted configuration information in the Windows Registry.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1090", "showSubtechniques": true}, {"techniqueID": "T1090.001", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) used a proxy server between victims and the C2 server.(Citation: ESET Sednit Part 2)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1012", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) provides access to the Windows Registry, which can be used to gather information.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1091", "comment": "Part of [APT28](https://attack.mitre.org/groups/G0007)'s operation involved using [CHOPSTICK](https://attack.mitre.org/software/S0023) modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic.(Citation: FireEye APT28)(Citation: Microsoft SIR Vol 19)(Citation: Secureworks IRON TWILIGHT Active Measures March 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) has the capability to capture screenshots.(Citation: DOJ GRU Indictment Jul 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) checks for antivirus and forensics software.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "comment": "[CHOPSTICK](https://attack.mitre.org/software/S0023) includes runtime checks to identify an analysis environment and prevent execution on it.(Citation: FireEye APT28)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], 
"minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by CHOPSTICK", "color": "#66b1ff"}]}