{"description": "Enterprise techniques used by LightSpy, ATT&CK software S1185 (v1.0)", "name": "LightSpy (S1185)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[LightSpy](https://attack.mitre.org/software/S1185)'s C2 communication is performed over WebSockets using the open source library SocketRocket, with functionality such as heartbeat, receiving commands, and updating command status.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1123", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) uses Apple's built-in AVFoundation Framework library to capture and manage audio recordings, then transforms them into JSON blobs for exfiltration.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1217", "comment": "To collect data on the host's Wi-Fi connection history, [LightSpy](https://attack.mitre.org/software/S1185) reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.001", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) performs an in-memory keychain query via `SecItemCopyMatching()`, then formats the retrieved data as a JSON blob for exfiltration.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "On macOS, [LightSpy](https://attack.mitre.org/software/S1185) checks for the existence of a process identification number (PID) file, `/Users/Shared/irc.pid`, to verify whether [LightSpy](https://attack.mitre.org/software/S1185) is currently running.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "To exfiltrate data, [LightSpy](https://attack.mitre.org/software/S1185) configures each module to send an obfuscated JSON blob to hardcoded URL endpoints or paths aligned to the module name.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) uses `NSFileManager` to move, create, and delete files. [LightSpy](https://attack.mitre.org/software/S1185) can also use the assembly `bt` instruction to determine a file's executable permissions.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "On macOS, [LightSpy](https://attack.mitre.org/software/S1185) downloads a `.json` file from the C2 server. The `.json` file contains metadata about the plugins to be downloaded, including their URL, name, version, and MD5 hash. [LightSpy](https://attack.mitre.org/software/S1185) retrieves the plugins specified in the `.json` file, which are compiled `.dylib` files. These `.dylib` files provide task- and platform-specific functionality. [LightSpy](https://attack.mitre.org/software/S1185) also imports open-source libraries to manage socket connections.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "To collect data on the host's Wi-Fi connection history, [LightSpy](https://attack.mitre.org/software/S1185) reads the `/Library/Preferences/SystemConfiguration/com.apple.airport.preferences.plist` file. It also utilizes Apple's `CWWiFiClient` API to scan for nearby Wi-Fi networks and obtain data on the SSID, security type, and RSSI (signal strength) values.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.001", "comment": "[LightSpy](https://attack.mitre.org/software/S1185)'s configuration file is appended to the end of the binary. For example, the last `0x1d0` bytes of one sample are an AES-encrypted configuration file with a static key of `3e2717e8b3873b29`.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) encrypts the C2 configuration file using AES with a static key, while the module `.dylib` files use a rolling one-byte encoding for obfuscation.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "If sent the command `16002`, [LightSpy](https://attack.mitre.org/software/S1185) uses the `NSWorkspace runningApplications()` method to collect the process ID, path to the executable, bundle information, and the filename of the executable for all running applications.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1113", "comment": "[LightSpy](https://attack.mitre.org/software/S1185) uses Apple's built-in AVFoundation Framework library to access the user's camera and screen. It uses `AVCaptureStillImage` to take a picture with the user's camera and `AVCaptureScreen` to take a screenshot or record the user's screen for a specified period of time.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1129", "comment": "[LightSpy](https://attack.mitre.org/software/S1185)'s main executable and module `.dylib` binaries are loaded using a combination of `dlopen()` to load the library, `_objc_getClass()` to retrieve the class definition, and `_objc_msgSend()` to invoke/execute the specified method in the loaded class.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "comment": "If sent the command `16001`, [LightSpy](https://attack.mitre.org/software/S1185) uses `NSFileManager contentsOfDirectoryAtPath()` to enumerate the Applications folder and collect the bundle name, bundle identifier, and version information from each application's `info.plist` file. The results are then converted into a JSON blob for exfiltration.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1082", "comment": "[LightSpy](https://attack.mitre.org/software/S1185)'s second-stage implant uses the `DeviceInformation` class to collect system information, including CPU usage, battery statistics, memory allocations, screen size, etc.(Citation: Huntress LightSpy macOS 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by LightSpy", "color": "#66b1ff"}]}