{"description": "Enterprise techniques used by Chaes, ATT&CK software S0631 (v1.1)", "name": "Chaes (S0631)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used HTTP for C2 communications.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has added persistence via the Registry key software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1185", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used [cmd](https://attack.mitre.org/software/S0106) to execute tasks on the system.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used VBscript to execute malicious code.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used Python scripts for execution and the installation of additional files.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1059.007", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.003", "comment": "[Chaes](https://attack.mitre.org/software/S0631) can steal login credentials and stored financial information from the browser.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1132", "showSubtechniques": true}, {"techniqueID": "T1132.001", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used Base64 to encode C2 communications.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has decrypted an AES encrypted binary file to trigger the download of other files.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used encryption for its C2 channel.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1048", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used search order hijacking to load a malicious DLL.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Chaes](https://attack.mitre.org/software/S0631) can download additional files onto an infected machine.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1056", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has a module to perform any API hooking it desires.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "[Chaes](https://attack.mitre.org/software/S0631) can modify Registry values to stored information and establish persistence.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "[Chaes](https://attack.mitre.org/software/S0631) used the CreateFileW() API function with read permissions to access downloaded payloads.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.011", "comment": "Some versions of [Chaes](https://attack.mitre.org/software/S0631) stored its instructions (otherwise in a `instructions.ini` file) in the Registry.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.001", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has been delivered by sending victims a phishing email containing a malicious .docx file.(Citation: 
Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[Chaes](https://attack.mitre.org/software/S0631) can capture screenshots of the infected machine.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used a script that extracts the web session cookie and sends it to the C2 server.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1218", "showSubtechniques": true}, {"techniqueID": "T1218.004", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used InstallUtil to download content.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.007", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has used .MSI files as an initial way to start the infection chain.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has collected system information, including the machine name and OS version.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Chaes](https://attack.mitre.org/software/S0631) has collected the username and UID from the infected machine.(Citation: Cybereason Chaes Nov 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "[Chaes](https://attack.mitre.org/software/S0631) changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, 
{"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Chaes](https://attack.mitre.org/software/S0631) requires the user to click on the malicious Word document to execute the next part of the attack.(Citation: Cybereason Chaes Nov 2020) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Chaes", "color": "#66b1ff"}]}