{
  "description": "Enterprise techniques used by CHIMNEYSWEEP, ATT&CK software S1149 (v1.0)",
  "name": "CHIMNEYSWEEP (S1149)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1548", "showSubtechniques": true},
    {"techniqueID": "T1548.002", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can make use of the Windows `SilentCleanup` scheduled task to execute its payload with elevated privileges.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can send `HTTP GET` requests to C2.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1115", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can capture content from the clipboard.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can invoke the PowerShell command `[Reflection.Assembly]::LoadFile(\\\"%s\\\")\\n$i=\\\"\\\"\\n$r=[%s]::%s(\\\"%s\\\",[ref] $i)\\necho $r,$i\\n` to execute secondary payloads.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has executed a script named cln.vbs on compromised hosts.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.002", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use a custom Base64 alphabet for encoding C2.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can collect files from compromised hosts.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can store captured screenshots to disk, including to a covert store named `APPX.%x%x%x%x%x.tmp` where `%x` is a random value.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use an embedded RC4 key to decrypt Windows API function strings.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1480", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can execute a task which leads to execution if it finds a process name containing \u201ccreensaver.\u201d(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1041", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can upload collected files to the command-and-control server.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has the ability to enumerate directories for files that match a set list.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.006", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can time stomp its executable, previously dating it between 2010 and 2021.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can download additional files from C2.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has the ability to support keylogging.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use the Windows Registry Environment key to change the `%windir%` variable to point to `c:\\Windows` to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use Windows APIs including `LoadLibrary` and `GetProcAddress`.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use a custom Base64 alphabet to encode an API decryption key.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.001", "comment": "The [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) installer has been padded with null bytes to inflate its size.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.007", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use `LoadLibrary` and `GetProcAddress` to resolve Windows API function strings at run time.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.009", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can extract RC4 encrypted embedded payloads for privilege escalation.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can monitor for removable drives.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1057", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can check if a process name contains \u201ccreensaver.\u201d(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use the Windows `SilentCleanup` scheduled task to enable payload execution.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1113", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can capture screenshots on targeted systems using a timer and either upload them or store them to disk.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) is capable of checking whether a compromised device is running DeepFreeze by Faronics.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1553", "showSubtechniques": true},
    {"techniqueID": "T1553.002", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has been dropped by a self-extracting archive signed with a valid digital certificate.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1218", "showSubtechniques": true},
    {"techniqueID": "T1218.003", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1033", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has included the victim's computer name and username in C2 messages sent to actor-owned infrastructure.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1529", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can reboot or shutdown the targeted system or logoff the current user.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "comment": "[CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) has the ability to use Telegram channels to return a list of commands to be executed, to download additional payloads, or to create a reverse shell.(Citation: Mandiant ROADSWEEP August 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by CHIMNEYSWEEP", "color": "#66b1ff"}]
}
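The T1132.002, T1027 and T1140 entries in the layer describe one unpacking chain an analyst has to reproduce: a custom Base64 alphabet protects the key, and that key RC4-decrypts the API name strings the sample resolves at run time. The script below is an added illustration of that chain, not code from the Mandiant report or from the malware. The alphabet, the key `k3y!` and the two ciphertext blobs are constructed for the demo; CHIMNEYSWEEP's real alphabet and key are not given on this page and would have to be pulled from the sample.

```python
"""Added example: decode a custom-alphabet Base64 key, then RC4-decrypt API
name strings with it (T1132.002 / T1027 / T1140 as listed in the layer).
All data values here are constructed for the demo, not CHIMNEYSWEEP's."""
import base64
import string

STD_ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/"

# Constructed custom alphabet (assumption for the demo): a permutation of the
# standard table. A real sample may use any 64-character permutation.
CUSTOM_ALPHABET = string.ascii_lowercase + string.digits + string.ascii_uppercase + "/+"


def custom_b64decode(data: str, alphabet: str) -> bytes:
    """Map the custom alphabet back onto the standard one, then decode.
    '=' is kept as padding; missing padding is tolerated, bad chars raise."""
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("alphabet must be 64 unique characters")
    normalized = data.translate(str.maketrans(alphabet, STD_ALPHABET))
    normalized += "=" * (-len(normalized) % 4)
    return base64.b64decode(normalized, validate=True)


def custom_b64encode(raw: bytes, alphabet: str) -> str:
    """Inverse of custom_b64decode; useful to confirm a recovered alphabet."""
    return base64.b64encode(raw).decode("ascii").translate(
        str.maketrans(STD_ALPHABET, alphabet))


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric, so it both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                            # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def recover_api_strings(encoded_key: str, blobs: list, alphabet: str = CUSTOM_ALPHABET) -> list:
    """Decode the Base64-protected key, then decrypt each API-name blob."""
    key = custom_b64decode(encoded_key, alphabet)
    return [rc4(key, blob).decode("ascii") for blob in blobs]


# Constructed sample data. "0PnViq==" is b"k3y!" under CUSTOM_ALPHABET
# (it would read "azN5IQ==" under the standard table). The blobs are built
# with rc4() here purely so the demo is self-contained.
SAMPLE_ENCODED_KEY = "0PnViq=="
SAMPLE_BLOBS = [rc4(b"k3y!", b"LoadLibraryA"), rc4(b"k3y!", b"GetProcAddress")]

if __name__ == "__main__":
    print(custom_b64decode(SAMPLE_ENCODED_KEY, CUSTOM_ALPHABET))
    print(recover_api_strings(SAMPLE_ENCODED_KEY, SAMPLE_BLOBS))
```

In practice the alphabet is recovered from the sample's decoder routine (the 64-byte table it indexes) and the encoded key from the string it feeds that routine; `custom_b64encode` lets you check the recovered alphabet by re-encoding a known plaintext and comparing against the bytes in the binary.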