{
  "description": "Enterprise techniques used by ArcaneDoor, ATT&CK campaign C0046 (v1.0)",
  "name": "ArcaneDoor (C0046)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.003", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included the use of dedicated, adversary-controlled virtual private servers for command and control.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583.006", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included the use of OpenConnect VPN Server instances for conducting actions on victim devices.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1557", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included interception of HTTP traffic to victim devices to identify and parse command and control information sent to the device.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) command and control activity was conducted through HTTP.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included collection of packet capture and system configuration information.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1020", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included scripted exfiltration of collected data.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1037", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) used malicious boot scripts to install the [Line Runner](https://attack.mitre.org/software/S1188) backdoor on victim devices.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included the adversary executing command line interface (CLI) commands.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) involved the use of Base64 obfuscated scripts and commands.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) featured the development and deployment of two unique malware types, [Line Dancer](https://attack.mitre.org/software/S1186) and [Line Runner](https://attack.mitre.org/software/S1188).(Citation: CCCS ArcaneDoor 2024)(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1587.003", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included acquiring digital certificates mimicking patterns associated with Cisco ASA appliances for command and control infrastructure.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included use of existing command and control channels for data exfiltration.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) abused WebVPN traffic to targeted devices to achieve unauthorized remote code execution.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) used WebVPN sessions commonly associated with Clientless SSLVPN services to communicate to compromised devices.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) modified the Authentication, Authorization, and Accounting (AAA) function of targeted Cisco ASA appliances to allow the threat actor to bypass normal AAA operations.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562.003", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included disabling logging on targeted Cisco ASA appliances.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included multiple instances of file deletion or removal during execution and other adversary actions.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1036", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) involved the use of digital certificates on adversary-controlled network infrastructure that mimicked the formatting used by legitimate Cisco ASA appliances.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1556", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included modification of the AAA process to bypass authentication mechanisms.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1040", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included network packet capture and sniffing for data collection in victim environments.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1653", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) involved exploitation of CVE-2024-20353 to force a victim Cisco ASA to reboot, triggering the automated unzipping and execution of the [Line Runner](https://attack.mitre.org/software/S1188) implant.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included injecting code into the AAA and Crash Dump processes on infected Cisco ASA devices.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1014", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included hooking the `processHostScanReply()` function on victim Cisco ASA devices.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) included collection of victim device configuration information.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1102", "showSubtechniques": true},
    {"techniqueID": "T1102.003", "comment": "[ArcaneDoor](https://attack.mitre.org/campaigns/C0046) utilized HTTP command and control traffic where commands are intercepted from HTTP traffic to the device, parsed for appropriate identifiers and commands, and then executed.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by ArcaneDoor", "color": "#66b1ff"}]
}