LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80)

LIGHTWIRE is a web shell written in Perl that was used during Cutting Edge to maintain access and enable command execution by embedding itself into the legitimate compcheckresult.cgi component of Ivanti Secure Connect VPNs.(Citation: Mandiant Cutting Edge Part 2 January 2024)(Citation: Mandiant Cutting Edge January 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80) | Malware | 1 |
| Compromise Host Software Binary - T1554 (960c3c86-1480-4d72-b4e0-8c242e84a5c5) | Attack Pattern | LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80) | Malware | 1 |
| LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80) | Malware | Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | 1 |
| LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| LIGHTWIRE - S1119 (5dc9e8ec-9917-4de7-b8ab-16007899dd80) | Malware | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |
| Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) | Attack Pattern | Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |