{"description": "Enterprise techniques used by Line Runner, ATT&CK software S1188 (v1.0)", "name": "Line Runner (S1188)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1557", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) intercepts HTTP requests to the victim Cisco ASA, looking for a request with a 32-character, victim dependent parameter. If that parameter matches a value in the malware, a contained payload is then written to a Lua script and executed.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) utilizes an HTTP-based Lua backdoor on victim machines.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.011", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) utilizes Lua scripts for command execution.(Citation: Cisco ArcaneDoor 2024)(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) utilizes HTTP to retrieve and exfiltrate information staged using [Line Dancer](https://attack.mitre.org/software/S1186).(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) removes its initial ZIP delivery archive after processing the enclosed LUA script.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.015", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) uses a ZIP payload that is automatically extracted with its contents, a LUA script, executed for initial execution via CVE-2024-20359.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1653", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installing the [Line Dancer](https://attack.mitre.org/software/S1186) payload.(Citation: Cisco ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "[Line Runner](https://attack.mitre.org/software/S1188) is a persistent Lua-based web shell.(Citation: CCCS ArcaneDoor 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Line Runner", "color": "#66b1ff"}]}