| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1047 | Windows Management Instrumentation | Lucifer can use WMI to log into remote machines for propagation.[1] |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Lucifer can persist by setting Registry key values |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Lucifer can issue shell commands to download and execute additional payloads.[1] |
| Enterprise | T1071 | Application Layer Protocol | Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.[1] |
| Enterprise | T1110.001 | Brute Force: Password Guessing | Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or a list of usernames and passwords.[1] |
| Enterprise | T1012 | Query Registry | Lucifer can check for existing stratum cryptomining information in |
| Enterprise | T1570 | Lateral Tool Transfer | Lucifer can use certutil for propagation on Windows hosts within intranets.[1] |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1082 | System Information Discovery | Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host.[1] |
| Enterprise | T1033 | System Owner/User Discovery | Lucifer has the ability to identify the username on a compromised host.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Lucifer can identify the IP and port numbers for all remote connections from the compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | Lucifer can collect the IP address of a compromised host.[1] |
| Enterprise | T1498 | Network Denial of Service | Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks.[1] |
| Enterprise | T1046 | Network Service Discovery | Lucifer can scan for open ports including TCP ports 135 and 1433.[1] |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | Lucifer can check for specific usernames, computer names, device drivers, DLLs, and virtual devices associated with sandboxed environments, and can enter an infinite loop and stop itself if any are detected.[1] |
| Enterprise | T1496.001 | Resource Hijacking: Compute Hijacking | Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | Lucifer can download and execute a replica of itself using certutil.[1] |
| Enterprise | T1057 | Process Discovery | Lucifer can identify the process that owns remote connections.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | |
| Enterprise | T1210 | Exploitation of Remote Services | Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).[1] |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | Lucifer has established persistence by creating the following scheduled task |