SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1005 | 从本地系统获取数据 |
SLIGHTPULSE can read files specified on the local system.[1] |
|
| Enterprise | T1573 | .001 | 加密通道: Symmetric Cryptography |
SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[1] |
| Enterprise | T1140 | 反混淆/解码文件或信息 |
SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[1] |
|
| Enterprise | T1059 | 命令与脚本解释器 |
SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[1] |
|
| Enterprise | T1071 | .001 | 应用层协议: Web Protocols |
SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[1] |
| Enterprise | T1074 | .001 | 数据分段: Local Data Staging |
SLIGHTPULSE has piped the output from executed commands to |
| Enterprise | T1132 | .001 | 数据编码: Standard Encoding |
SLIGHTPULSE can base64 encode all incoming and outgoing C2 messages.[1] |
| Enterprise | T1505 | .003 | 服务器软件组件: Web Shell |
SLIGHTPULSE is a web shell that can read, write, and execute files on compromised servers.[1] |
| Enterprise | T1105 | 输入工具传输 |
RAPIDPULSE can transfer files to and from compromised hosts.[2] |
|