{
  "description": "Enterprise techniques used by LightNeuron, ATT&CK software S0395 (v1.2)",
  "name": "LightNeuron (S0395)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.003", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) uses SMTP for C2.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) contains a function to encrypt and store emails that it collects.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1119", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) can be configured to automatically collect files under a specified directory.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1020", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) can be configured to automatically exfiltrate files under a specified directory.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) is capable of executing commands via cmd.exe.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) can collect files from a local system.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1565", "showSubtechniques": true},
    {"techniqueID": "T1565.002", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) is capable of modifying email content, headers, and attachments during transit.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.002", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) can store email data in files and directories specified in its configuration, such as C:\\Windows\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) has used AES and XOR to decrypt configuration files and commands.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1114", "showSubtechniques": true},
    {"techniqueID": "T1114.002", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) collects Exchange emails matching rules specified in its configuration.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) uses AES to encrypt C2 traffic.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) exfiltrates data over its email C2 channel.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) has a function to delete files.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) has the ability to download and execute additional files.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1106", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) is capable of starting a process using CreateProcess.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) encrypts its configuration files with AES-256.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1029", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) can be configured to exfiltrate data during nighttime or working hours.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.002", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) has used a malicious Microsoft Exchange transport agent for persistence.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) gathers the victim computer name using the Win32 API call GetComputerName.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[LightNeuron](https://attack.mitre.org/software/S0395) gathers information about network adapters using the Win32 API call GetAdaptersInfo.(Citation: ESET LightNeuron May 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by LightNeuron", "color": "#66b1ff"}]
}