Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223)

Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.(Citation: CCCS ArcaneDoor 2024)(Citation: Cisco ArcaneDoor 2024)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
| --- | --- | --- | --- | --- |
| Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Power Settings - T1653 (ea071aa0-8f17-416f-ab0d-2bab7e79003d) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Line Runner - S1188 (5f8c69a5-7acd-4a36-a929-de558d9c8223) | Malware | 1 |
| Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Lua - T1059.011 (afddee82-3385-4682-ad90-eeced33f2d07) | Attack Pattern | 2 |
| Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) | Attack Pattern | Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) | Attack Pattern | 2 |
| Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |