{"description": "Enterprise techniques used by Lucifer, ATT&CK software S0532 (v1.1)", "name": "Lucifer (S0532)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can persist by setting Registry key values HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.001", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can issue shell commands to download and execute additional payloads.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can decrypt its C2 address upon execution.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1573", "showSubtechniques": true}, {"techniqueID": "T1573.001", "comment": 
"[Lucifer](https://attack.mitre.org/software/S0532) can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1210", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144).(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.001", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can clear and remove event logs.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can download and execute a replica of itself using [certutil](https://attack.mitre.org/software/S0160).(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1570", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can use [certutil](https://attack.mitre.org/software/S0160) for propagation on Windows hosts within intranets.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1498", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can execute TCP, UDP, and HTTP denial of service (DoS) attacks.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can scan for open ports including TCP ports 135 and 1433.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", 
"comment": "[Lucifer](https://attack.mitre.org/software/S0532) has used UPX packed binaries.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can identify the process that owns remote connections.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1012", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can check for existing stratum cryptomining information in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr \u2013 %stratum info%.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.002", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can infect victims by brute forcing SMB.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1496", "showSubtechniques": true}, {"techniqueID": "T1496.001", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can use system resources to mine cryptocurrency, dropping XMRig to mine Monero.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe /F.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can collect the computer name, system architecture, default language, and processor frequency of a compromised host.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can collect the IP address of a compromised host.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can identify the IP and port numbers for all remote connections from the compromised host.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) has the ability to identify the username on a compromised host.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can check for specific usernames, computer names, device drivers, DLLs, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Lucifer](https://attack.mitre.org/software/S0532) can use WMI to log into remote machines for propagation.(Citation: Unit 42 Lucifer June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Lucifer", "color": "#66b1ff"}]}