| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1025 | Data from Removable Media | Crutch can monitor removable drives and exfiltrate files matching a given extension list.[1] |
| Enterprise | T1005 | Data from Local System | |
| Enterprise | T1036.004 | Masquerading: Masquerade Task or Service | Crutch has established persistence with a scheduled task impersonating the Outlook item finder.[1] |
| Enterprise | T1574.001 | Hijack Execution Flow: DLL Search Order Hijacking | Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive.[1] |
| Enterprise | T1008 | Fallback Channels | Crutch has used a hardcoded GitHub repository as a fallback channel.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | Crutch can monitor for removable drives being plugged into the compromised machine.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Crutch has conducted C2 communications with a Dropbox account using the HTTP API.[1] |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | Crutch has used the WinRAR utility to compress and encrypt stolen files.[1] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | Crutch has staged stolen files in the |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | Crutch can use Dropbox to receive commands and upload stolen data.[1] |
| Enterprise | T1119 | Automated Collection | Crutch can automatically monitor removable drives in a loop and copy interesting files.[1] |
| Enterprise | T1020 | Automated Exfiltration | Crutch has automatically exfiltrated stolen files to Dropbox.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | Crutch can exfiltrate data over the primary C2 channel (Dropbox HTTP API).[1] |
| Enterprise | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | |
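Three of the rows above (DLL search order hijacking in the Chrome, Firefox and OneDrive directories; Dropbox and GitHub used as C2 and fallback channels; WinRAR used to compress and encrypt the loot) map directly onto host telemetry a defender already collects. The script below is an added example written for this page, not code from the cited report or from Crutch itself. It runs simple hunts over Sysmon-shaped events (EID 7 image load, EID 3 network connect, EID 1 process create). The event records are constructed inline, and the trusted-directory list, the set of DLL names expected under System32, the cloud API hostnames and the browser allow-list are assumptions chosen for illustration, not indicators taken from the report.

```python
"""Hunting helpers for three Crutch behaviours in the technique table.

Added example; not the malware's code and not from the cited report.
Event dicts mimic Sysmon fields (Image, ImageLoaded, DestinationHostname,
CommandLine) but are constructed here for the example.
"""
import ntpath
import shlex

# Processes the table names as DLL search-order-hijack hosts (T1574.001).
HIJACK_HOSTS = {"chrome.exe", "firefox.exe", "onedrive.exe"}

# DLL names Windows normally resolves from a system directory. A file with
# one of these names sitting in the application's own folder is the classic
# search-order-hijack tell. Assumed list for illustration.
SYSTEM_DLLS = {"version.dll", "dbghelp.dll", "wtsapi32.dll",
               "cryptbase.dll", "winhttp.dll"}
TRUSTED_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}  # assumed

# Cloud services the table names for C2 (Dropbox) and fallback (GitHub).
# Hostnames are assumptions for the example.
WEB_SERVICE_HOSTS = {"api.dropboxapi.com", "content.dropboxapi.com",
                     "api.github.com", "raw.githubusercontent.com"}
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def hijacked_dll_loads(events):
    """T1574.001: a system DLL name loaded by a hijack host from a non-system directory."""
    hits = []
    for e in events:
        if e.get("EventID") != 7 or _base(e["Image"]) not in HIJACK_HOSTS:
            continue
        loaded = e["ImageLoaded"]
        if _base(loaded) in SYSTEM_DLLS and ntpath.dirname(loaded).lower() not in TRUSTED_DIRS:
            hits.append((_base(e["Image"]), loaded))
    return hits


def non_browser_cloud_c2(events):
    """T1071.001 / T1102.002 / T1008: Dropbox or GitHub API traffic from a non-browser process."""
    hits = []
    for e in events:
        if e.get("EventID") != 3:
            continue
        host = e.get("DestinationHostname", "").lower()
        proc = _base(e["Image"])
        if host in WEB_SERVICE_HOSTS and proc not in BROWSERS:
            hits.append((proc, host))
    return hits


def winrar_encrypting_archives(events):
    """T1560.001: rar/winrar adding to an archive with a password switch (-p or -hp)."""
    hits = []
    for e in events:
        if e.get("EventID") != 1 or _base(e["Image"]) not in {"rar.exe", "winrar.exe"}:
            continue
        # posix=False keeps Windows backslashes and quoted paths intact.
        tokens = shlex.split(e["CommandLine"], posix=False)
        command = tokens[1].lower() if len(tokens) > 1 else ""
        encrypting = any(t.lower().startswith(("-p", "-hp")) for t in tokens[2:])
        if command in {"a", "u", "m"} and encrypting:
            hits.append((_base(e["Image"]), e["CommandLine"]))
    return hits


def hunt(events):
    """Run all three hunts and return the hits keyed by behaviour."""
    return {
        "dll_hijack": hijacked_dll_loads(events),
        "cloud_c2": non_browser_cloud_c2(events),
        "encrypted_archives": winrar_encrypting_archives(events),
    }


# Constructed sample telemetry: each hunt has one benign and at least one
# suspicious record so the output shows what is and is not flagged.
SAMPLE_EVENTS = [
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Program Files\Google\Chrome\Application\version.dll"},
    {"EventID": 7, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "ImageLoaded": r"C:\Windows\System32\version.dll"},
    {"EventID": 7, "Image": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "ImageLoaded": r"C:\Users\a\AppData\Local\Microsoft\OneDrive\wtsapi32.dll"},
    {"EventID": 3, "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "api.dropboxapi.com"},
    {"EventID": 3, "Image": r"C:\Windows\Temp\svchost.exe",
     "DestinationHostname": "raw.githubusercontent.com"},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" a -hpSecret -r C:\Windows\Temp\out.rar D:\*.docx'},
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\Rar.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\Rar.exe" x backup.rar'},
]

if __name__ == "__main__":
    for name, hits in hunt(SAMPLE_EVENTS).items():
        print(name)
        for hit in hits:
            print("   ", *hit)
```

The DLL check deliberately ignores signature data: a hijack DLL can be signed, so the location-versus-name mismatch is the stronger signal, and the allow-listed system directories should be extended to whatever your fleet actually uses. The cloud-service check will fire on legitimate sync clients such as the real Dropbox desktop process; in practice those are added to the allow-list per environment, which is why the lists are plain sets at the top of the file.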