{
  "description": "Enterprise techniques used by Crutch, ATT&CK software S0538 (v1.0)",
  "name": "Crutch (S0538)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has conducted C2 communications with a Dropbox account using the HTTP API.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has used the WinRAR utility to compress and encrypt stolen files.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can automatically monitor removable drives in a loop and copy interesting files.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1020", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has automatically exfiltrated stolen files to Dropbox.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1005", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can exfiltrate files from compromised systems.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1025", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can monitor removable drives and exfiltrate files matching a given extension list.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has staged stolen files in the C:\\AMD\\Temp directory.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can exfiltrate data over the primary C2 channel (Dropbox HTTP API).(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1567", "showSubtechniques": true},
    {"techniqueID": "T1567.002", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has exfiltrated stolen data to Dropbox.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1008", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has used a hardcoded GitHub repository as a fallback channel.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.001", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has established persistence with a scheduled task impersonating the Outlook item finder.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can monitor for removable drives being plugged into the compromised machine.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[Crutch](https://attack.mitre.org/software/S0538) has the ability to persist using scheduled tasks.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.002", "comment": "[Crutch](https://attack.mitre.org/software/S0538) can use Dropbox to receive commands and upload stolen data.(Citation: ESET Crutch December 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Crutch", "color": "#66b1ff"}]
}