{"description": "Enterprise techniques used by LunarMail, ATT&CK software S1142 (v1.0)", "name": "LunarMail (S1142)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.003", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can communicate with C2 using email messages via the Outlook Messaging API (MAPI).(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) has been installed using a VBA macro.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can create an arbitrary process with a specified command line and redirect its output to a staging directory.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1001", "showSubtechniques": true}, {"techniqueID": "T1001.002", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can parse IDAT chunks from .png files to look for zlib-compressed and AES-encrypted C2 commands.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can create a directory in `%TEMP%\\` to stage data prior to exfiltration.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can decrypt strings to retrieve configuration settings.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can capture the recipients of sent email messages from compromised accounts.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can use email image attachments with embedded data for receiving C2 commands and data exfiltration.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can search its staging directory for output files it has produced.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can delete the previously used staging directory and files on subsequent rounds of exfiltration and replace it with a new one.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.008", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can set the `PR_DELETE_AFTER_SUBMIT` flag to delete messages sent for data exfiltration.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1095", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can ping a specific C2 URL with the ID of a victim machine in the subdomain.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", 
"showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) has used RC4 and AES to encrypt strings and its exfiltration configuration respectively.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1137", "showSubtechniques": true}, {"techniqueID": "T1137.006", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) has the ability to use Outlook add-ins for persistence.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1113", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can capture screenshots from compromised hosts.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) can capture environmental variables on compromised hosts.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[LunarMail](https://attack.mitre.org/software/S1142) has been installed through a malicious macro in a Microsoft Word document.(Citation: ESET Turla Lunar toolset May 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LunarMail", "color": "#66b1ff"}]}
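The T1001.002 and T1041 entries above describe C2 commands and exfiltrated data carried as zlib-compressed, AES-encrypted blobs inside the IDAT chunks of PNG email attachments. The following analyzer is an added example written for this page; it is not code from the layer, from MITRE, or from the ESET report, and it does not reproduce LunarMail's actual container layout or key, which the layer does not give. It assumes two generic hiding spots that a defender can check without any key: a second zlib stream appended inside the IDAT data after the image's own stream, and bytes appended after IEND. It walks the PNG chunk structure, verifies CRCs, inflates the IDAT stream, compares the inflated size against what IHDR predicts, and reports any leftover data (and whether that leftover is itself a zlib stream, which is what one would expect to feed into a decryptor). The sample images are constructed in the block.

```python
"""Flag PNG attachments whose IDAT stream carries more than the picture (added example)."""
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}  # PNG colour type -> samples per pixel


def parse_chunks(data):
    """Return (chunks, trailing): chunks is a list of (type, payload, crc_ok),
    trailing is whatever follows IEND. Raises ValueError on a broken container."""
    if not data.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    chunks, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        end = pos + 12 + length
        if end > len(data):
            raise ValueError("truncated chunk %r" % ctype)
        payload = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:end])[0]
        crc_ok = crc == (binascii.crc32(ctype + payload) & 0xFFFFFFFF)
        chunks.append((ctype, payload, crc_ok))
        pos = end
        if ctype == b"IEND":
            break
    else:
        raise ValueError("no IEND chunk")
    return chunks, data[pos:]


def analyze_png(data):
    """Return a list of human-readable findings; an untouched image yields []."""
    findings = []
    chunks, trailing = parse_chunks(data)
    if chunks[0][0] != b"IHDR":
        return ["first chunk is not IHDR"]
    width, height, depth, ctype, _comp, _filt, interlace = struct.unpack(">IIBBBBB", chunks[0][1][:13])
    for name, _payload, ok in chunks:
        if not ok:
            findings.append("bad CRC on %s chunk" % name.decode("latin-1"))
    idat = b"".join(p for t, p, _ in chunks if t == b"IDAT")
    d = zlib.decompressobj()
    try:
        pixels = d.decompress(idat) + d.flush()
    except zlib.error as exc:
        return findings + ["IDAT is not a valid zlib stream: %s" % exc]
    channels = CHANNELS.get(ctype)
    if channels is None:
        findings.append("unknown colour type %d" % ctype)
    elif interlace == 0:  # Adam7 images have a different scanline layout; skip the size check
        rowbytes = (width * channels * depth + 7) // 8
        expected = height * (rowbytes + 1)  # one filter byte per scanline
        if len(pixels) != expected:
            findings.append("inflated IDAT is %d bytes, expected %d" % (len(pixels), expected))
    hidden = []
    if d.unused_data:  # bytes inside IDAT after the image's deflate stream ended
        hidden.append(("inside IDAT after the image stream", d.unused_data))
    if trailing:
        hidden.append(("after IEND", trailing))
    for where, blob in hidden:
        try:
            inner = zlib.decompress(blob)
            findings.append("%d-byte zlib stream %s inflates to %d bytes (candidate encrypted payload)"
                            % (len(blob), where, len(inner)))
        except zlib.error:
            findings.append("%d bytes of non-image data %s" % (len(blob), where))
    return findings


def _chunk(ctype, payload):
    return (struct.pack(">I", len(payload)) + ctype + payload
            + struct.pack(">I", binascii.crc32(ctype + payload) & 0xFFFFFFFF))


def make_png(width, height, extra_idat=b""):
    """Constructed 8-bit RGB test image, filter type 0 on every row."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    raw = b"".join(b"\x00" + b"\x10\x20\x30" * width for _ in range(height))
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(raw) + extra_idat) + _chunk(b"IEND", b"")


CLEAN = make_png(4, 3)
# Constructed stand-in for a command blob: a zlib stream of arbitrary bytes appended inside IDAT
# (the real sample's key and exact layout are not known here, so nothing is decrypted).
PAYLOAD = zlib.compress(bytes(range(40, 104)))
STEGO = make_png(4, 3, extra_idat=PAYLOAD)

if __name__ == "__main__":
    for label, blob in (("clean", CLEAN), ("stego", STEGO), ("trailing", CLEAN + b"junk")):
        print(label, analyze_png(blob) or "no findings")
```

Run over a mail-gateway attachment quarantine, the interesting output is any image whose inflated IDAT disagrees with its header or that carries a second zlib stream; a viewer renders such files normally, so visual inspection alone will not catch them.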