BLUELIGHT
Techniques Used

Domain | ID | Name | Use
---|---|---|---
Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | BLUELIGHT has encoded data into a binary blob using XOR.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | BLUELIGHT can collect passwords stored in web browsers, including Internet Explorer, Edge, Chrome, and Naver Whale.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1070.004 | Indicator Removal: File Deletion | BLUELIGHT can uninstall itself.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | BLUELIGHT has an XOR-encoded payload.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1518.001 | Software Discovery: Security Software Discovery | BLUELIGHT can collect a list of anti-virus products installed on a machine.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | BLUELIGHT can check whether the infected machine has VM tools running.(Citation: Volexity InkySquid BLUELIGHT August 2021)
Enterprise | T1102.002 | Web Service: Bidirectional Communication | BLUELIGHT can use different cloud providers for its C2.(Citation: Volexity InkySquid BLUELIGHT August 2021)