| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | BLUELIGHT can collect passwords stored in web browsers, including Internet Explorer, Edge, Chrome, and Naver Whale.[1] |
| Enterprise | T1113 | Screen Capture | BLUELIGHT has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter.[1] |
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | BLUELIGHT can use HTTP/S for C2 using the Microsoft Graph API.[1] |
| Enterprise | T1560.003 | Archive Collected Data: Archive via Custom Method | |
| Enterprise | T1083 | File and Directory Discovery | BLUELIGHT can enumerate files and collect associated metadata.[1] |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | |
| Enterprise | T1539 | Steal Web Session Cookie | BLUELIGHT can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers.[1] |
| Enterprise | T1082 | System Information Discovery | BLUELIGHT has collected the computer name and OS version from victim machines.[1] |
| Enterprise | T1033 | System Owner/User Discovery | BLUELIGHT can collect the username on a compromised host.[1] |
| Enterprise | T1124 | System Time Discovery | BLUELIGHT can collect the local time on a compromised host.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | BLUELIGHT can collect IP information from the victim's machine.[1] |
| Enterprise | T1102.002 | Web Service: Bidirectional Communication | |
| Enterprise | T1497.001 | Virtualization/Sandbox Evasion: System Checks | BLUELIGHT can check to see if the infected machine has VM tools running.[1] |
| Enterprise | T1518.001 | Software Discovery: Security Software Discovery | BLUELIGHT can collect a list of anti-virus products installed on a machine.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1057 | Process Discovery | BLUELIGHT can collect process filenames and SID authority level.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | |