| enterprise |
T1071 |
Application Layer Protocol |
- |
| enterprise |
T1071.003 |
Mail Protocols |
LightNeuron uses SMTP for C2. |
| enterprise |
T1560 |
Archive Collected Data |
LightNeuron contains a function to encrypt and store emails that it collects. |
| enterprise |
T1119 |
Automated Collection |
LightNeuron can be configured to automatically collect files under a specified directory. |
| enterprise |
T1020 |
Automated Exfiltration |
LightNeuron can be configured to automatically exfiltrate files under a specified directory. |
| enterprise |
T1059 |
Command and Scripting Interpreter |
- |
| enterprise |
T1059.003 |
Windows Command Shell |
LightNeuron is capable of executing commands via cmd.exe. |
| enterprise |
T1005 |
Data from Local System |
LightNeuron can collect files from a local system. |
| enterprise |
T1565 |
Data Manipulation |
- |
| enterprise |
T1565.002 |
Transmitted Data Manipulation |
LightNeuron is capable of modifying email content, headers, and attachments during transit. |
| enterprise |
T1001 |
Data Obfuscation |
- |
| enterprise |
T1001.002 |
Steganography |
LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods. |
| enterprise |
T1074 |
Data Staged |
- |
| enterprise |
T1074.001 |
Local Data Staging |
LightNeuron can store email data in files and directories specified in its configuration, such as C:\Windows\ServiceProfiles\NetworkService\appdata\Local\Temp\. |
| enterprise |
T1140 |
Deobfuscate/Decode Files or Information |
LightNeuron has used AES and XOR to decrypt configuration files and commands. |
| enterprise |
T1114 |
Email Collection |
- |
| enterprise |
T1114.002 |
Remote Email Collection |
LightNeuron collects Exchange emails matching rules specified in its configuration. |
| enterprise |
T1573 |
Encrypted Channel |
- |
| enterprise |
T1573.001 |
Symmetric Cryptography |
LightNeuron uses AES to encrypt C2 traffic. |
| enterprise |
T1041 |
Exfiltration Over C2 Channel |
LightNeuron exfiltrates data over its email C2 channel. |
| enterprise |
T1070 |
Indicator Removal |
- |
| enterprise |
T1070.004 |
File Deletion |
LightNeuron has a function to delete files. |
| enterprise |
T1105 |
Ingress Tool Transfer |
LightNeuron has the ability to download and execute additional files. |
| enterprise |
T1036 |
Masquerading |
- |
| enterprise |
T1036.005 |
Match Legitimate Name or Location |
LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat. |
| enterprise |
T1106 |
Native API |
LightNeuron is capable of starting a process using CreateProcess. |
| enterprise |
T1027 |
Obfuscated Files or Information |
LightNeuron encrypts its configuration files with AES-256. |
| enterprise |
T1029 |
Scheduled Transfer |
LightNeuron can be configured to exfiltrate data during nighttime or working hours. |
| enterprise |
T1505 |
Server Software Component |
- |
| enterprise |
T1505.002 |
Transport Agent |
LightNeuron has used a malicious Microsoft Exchange transport agent for persistence. |
| enterprise |
T1082 |
System Information Discovery |
LightNeuron gathers the victim computer name using the Win32 API call GetComputerName. |
| enterprise |
T1016 |
System Network Configuration Discovery |
LightNeuron gathers information about network adapters using the Win32 API call GetAdaptersInfo. |