{
  "description": "Enterprise techniques used by LunarWeb, ATT&CK software S1141 (v1.0)",
  "name": "LunarWeb (S1141)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use `POST` to send victim identification to C2 and `GET` to retrieve commands.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can create a ZIP archive with specified files and directories.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560.002", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can zlib-compress data prior to exfiltration.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) has the ability to run shell commands via PowerShell.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can run shell commands using a BAT file with a name matching `%TEMP%\\<\u2060random_9_alnum_chars>.bat` file or through cmd.exe with the `/c` and `/U` options for Unicode output.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1132", "showSubtechniques": true},
    {"techniqueID": "T1132.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use Base64 encoding to obfuscate C2 commands.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1001", "showSubtechniques": true},
    {"techniqueID": "T1001.002", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can receive C2 commands hidden in the structure of .jpg and .gif images.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1030", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can split exfiltrated data that exceeds 1.33 MB in size into multiple random-sized parts between 384 and 512 KB.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1140", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can decrypt strings related to communication configuration using RC4 with a static key.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can send AES-encrypted C2 commands.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can send short C2 commands, up to 512 bytes, encrypted with RSA-4096.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1083", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) has the ability to retrieve directory listings.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1615", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can capture information on group policy settings.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can self-delete from a compromised host if safety checks of C2 connectivity fail.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1559", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can retrieve output from arbitrary processes and shell commands via a pipe.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1104", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use one C2 URL for first contact and to upload information about the host computer, and two additional C2 URLs for getting commands.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can identify shared resources in compromised environments.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "The [LunarWeb](https://attack.mitre.org/software/S1141) install files have been encrypted with AES-256.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can discover local group memberships.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) has used shell commands to list running processes.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1572", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can run a custom binary protocol under HTTPS for C2.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) has the ability to use an HTTP proxy server for C&C communications.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1518", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can list installed software on compromised systems.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) has run shell commands to obtain a list of installed security products.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use WMI queries and shell commands such as systeminfo.exe to collect the operating system, BIOS version, and domain name of the targeted system.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use shell commands to discover network adapters and configuration.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1049", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can enumerate system network connections.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can collect user information from the targeted host.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1497", "showSubtechniques": true},
    {"techniqueID": "T1497.003", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can pause for a number of hours before entering its C2 communication loop.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "[LunarWeb](https://attack.mitre.org/software/S1141) can use WMI queries for discovery on the victim host.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by LunarWeb", "color": "#66b1ff"}]
}