SLIGHTPULSE
SLIGHTPULSE is a web shell that was used by APT5 as early as 2020 including against Pulse Secure VPNs at US Defense Industrial Base (DIB) entities.[1]
Techniques Used
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
SLIGHTPULSE has the ability to process HTTP GET requests as a normal web server and to insert logic that will read or write files or execute commands in response to HTTP POST requests.[1] |
| Enterprise | T1059 | Command and Scripting Interpreter |
SLIGHTPULSE contains functionality to execute arbitrary commands passed to it.[1] |
|
| Enterprise | T1132 | .001 | Data Encoding: Standard Encoding |
SLIGHTPULSE can base64 encode all incoming and outgoing C2 messages.[1] |
| Enterprise | T1005 | Data from Local System |
SLIGHTPULSE can read files specified on the local system.[1] |
|
| Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
SLIGHTPULSE has piped the output from executed commands to |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information |
SLIGHTPULSE can deobfuscate base64 encoded and RC4 encrypted C2 messages.[1] |
|
| Enterprise | T1573 | .001 | Encrypted Channel: Symmetric Cryptography |
SLIGHTPULSE can RC4 encrypt all incoming and outgoing C2 messages.[1] |
| Enterprise | T1105 | Ingress Tool Transfer |
RAPIDPULSE can transfer files to and from compromised hosts.[2] |
|
| Enterprise | T1505 | .003 | Server Software Component: Web Shell |
SLIGHTPULSE is a web shell that can read, write, and execute files on compromised servers.[1] |