S0532: Lucifer
Analyst context for executives and security teams
Lucifer matters because ATT&CK describes it as Windows malware combining cryptomining with DDoS capability and lateral spread through well-known exploits. For leaders, the practical risk is not just malware cleanup: it can consume compute, degrade services, move across Windows environments, and create incident-response pressure where vulnerability management, endpoint visibility, SMB/WMI controls, and log retention are weak.
Executive priority
Prioritize Lucifer-style behavior as a resilience and control-validation issue for Windows environments. Ask whether critical Windows systems are patched against known remote-service vulnerabilities, whether lateral movement over SMB and WMI is monitored, whether abnormal compute/network consumption would trigger response, and whether Windows event logs are protected from clearing. This object has no official ATT&CK detection guidance, so confidence should come from local telemetry validation, not from assuming named-malware coverage.
Technical view
SOC and IR teams should validate coverage across the related ATT&CK behaviors: discovery of registry, users, processes, system/network configuration, services, and connections; execution via Windows command shell and WMI; persistence through Scheduled Tasks and Registry Run Keys/Startup Folder; lateral movement and transfer via SMB/Windows Admin Shares, exploitation of remote services, and lateral tool transfer; command-and-control using application-layer protocols and symmetric cryptography; defense impairment through Windows event log clearing; and impact patterns consistent with compute hijacking and network DoS. Because the malware object is Windows-scoped and detection text is not provided, detections should be behavior-led and correlated rather than dependent on a single signature.
Likely telemetry
- Windows process creation and command-line telemetry, especially cmd.exe, schtasks, reg, WMI-related execution, discovery commands, and file transfer utilities
- Windows Registry auditing for Run Keys, startup persistence, and registry queries where available
- Scheduled Task creation, modification, and execution events
- WMI activity, including local and remote execution indicators
- SMB and Windows Admin Share access logs, file copy events, and authentication records
Detection direction
- Build detections around sequences: discovery commands followed by tool transfer, SMB/WMI execution, persistence creation, and abnormal compute or network usage.
- Tune for administrative false positives by baselining legitimate WMI, scheduled task, registry, SMB admin share, and service-discovery activity by host role and admin identity.
- Correlate password guessing and failed authentication patterns with subsequent SMB or remote-service access attempts where telemetry exists.
- Validate that event-log clearing is detected quickly and that downstream logging preserves evidence when endpoint logs are deleted.
- Account for software packing and deobfuscation by combining static file signals with runtime behavior, child processes, network activity, and persistence artifacts.
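As an added illustration of the sequence-led, baselined detection described above (this is example code written for this page, not Glexia's or MITRE's tooling), the script below stage-classifies a handful of constructed Windows process-creation (4688-style) and audit-log-cleared (1102) events, drops stages that are baselined for a known admin identity on a given host role, and raises an alert only when several distinct stages from the Lucifer profile land on one host inside a short window. The regexes, the window size, the stage threshold and every event, host and account name are assumptions made for the example.

```python
"""Behaviour-led correlation over Windows endpoint telemetry (constructed example).

Classifies each event into an ATT&CK-style stage (discovery, persistence,
lateral movement / tool transfer, defense evasion), suppresses stages that are
baselined for an approved admin identity on a host, and alerts when a host
shows several distinct stages in one window or clears logs after other stages.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical command-line patterns; a production rule set would be wider.
STAGE_PATTERNS = {
    "discovery": re.compile(
        r"\b(ipconfig|netstat|tasklist|whoami|systeminfo|hostname)\b"
        r"|reg(?:\.exe)?\s+query", re.I),
    "persistence": re.compile(
        r"schtasks(?:\.exe)?\s+/create|reg(?:\.exe)?\s+add\s+\S*\\run\b", re.I),
    "lateral_or_transfer": re.compile(
        r"wmic(?:\.exe)?\s+/node:|certutil(?:\.exe)?\s+-urlcache"
        r"|\\\\[^\\\s]+\\(admin|c)\$", re.I),
    "defense_evasion": re.compile(r"wevtutil(?:\.exe)?\s+cl\b", re.I),
}

# Constructed sample events: one host showing the full chain, one host where a
# configuration-management account does legitimate persistence and file copies.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:00:05", "host": "WS01", "user": "CORP\\alice", "event_id": 4688,
     "cmd": "cmd.exe /c ipconfig /all"},
    {"ts": "2024-05-01T09:00:09", "host": "WS01", "user": "CORP\\alice", "event_id": 4688,
     "cmd": "netstat -ano"},
    {"ts": "2024-05-01T09:00:20", "host": "WS01", "user": "CORP\\alice", "event_id": 4688,
     "cmd": "reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v upd /d C:\\Users\\Public\\svc.exe"},
    {"ts": "2024-05-01T09:00:41", "host": "WS01", "user": "CORP\\alice", "event_id": 4688,
     "cmd": "wmic /node:10.0.0.5 /user:admin process call create C:\\Windows\\Temp\\svc.exe"},
    {"ts": "2024-05-01T09:01:02", "host": "WS01", "user": "CORP\\alice", "event_id": 1102,
     "cmd": ""},  # Security log: "The audit log was cleared"
    {"ts": "2024-05-01T10:00:00", "host": "SRV02", "user": "CORP\\svc-cfgmgr", "event_id": 4688,
     "cmd": "schtasks /create /tn Backup /tr C:\\Tools\\backup.exe /sc daily"},
    {"ts": "2024-05-01T10:00:30", "host": "SRV02", "user": "CORP\\svc-cfgmgr", "event_id": 4688,
     "cmd": "systeminfo"},
    {"ts": "2024-05-01T10:01:00", "host": "SRV02", "user": "CORP\\svc-cfgmgr", "event_id": 4688,
     "cmd": "copy C:\\Tools\\agent.exe \\\\10.0.0.7\\admin$\\agent.exe"},
]

# Baseline (host, identity, stage) tuples learned from legitimate admin activity.
BASELINE = frozenset({
    ("SRV02", "CORP\\svc-cfgmgr", "persistence"),
    ("SRV02", "CORP\\svc-cfgmgr", "lateral_or_transfer"),
})


def classify(event):
    """Return the stage one event evidences, or None if it is not of interest."""
    if event["event_id"] == 1102:
        return "defense_evasion"
    for stage, pattern in STAGE_PATTERNS.items():
        if pattern.search(event["cmd"]):
            return stage
    return None


def correlate(events, baseline=frozenset(), window=timedelta(minutes=10), min_stages=3):
    """One alert per host whose non-baselined events show at least `min_stages`
    distinct stages inside `window`, or a log clear preceded by another stage."""
    by_host = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        stage = classify(e)
        if stage is None or (e["host"], e["user"], stage) in baseline:
            continue
        by_host[e["host"]].append((datetime.fromisoformat(e["ts"]), stage, e["user"]))

    alerts = []
    for host, staged in by_host.items():
        for i, (t0, _, _) in enumerate(staged):
            in_window = [(t, s, u) for t, s, u in staged[i:] if t - t0 <= window]
            stages = [s for _, s, _ in in_window]
            ordered = list(dict.fromkeys(stages))  # distinct stages, first-seen order
            log_clear_after_other = "defense_evasion" in ordered and ordered[0] != "defense_evasion"
            if len(ordered) >= min_stages or log_clear_after_other:
                alerts.append({"host": host, "start": t0.isoformat(), "stages": ordered,
                               "users": sorted({u for _, _, u in in_window})})
                break  # one alert per host is enough to open a triage ticket
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS, baseline=BASELINE):
        print(alert)
```

Running it yields a single alert for WS01 spanning discovery, persistence, lateral movement and log clearing; SRV02 stays quiet because its persistence and admin-share copies are baselined for that account, and without the baseline it would have fired too. Feeding real 4688/Sysmon and 1102 records into `classify` and `correlate` is the natural next step once the patterns are tuned to the environment.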
Mitigation priorities
- Maintain a vulnerability-management priority lane for high-risk Windows remote services and externally or broadly reachable internal services.
- Restrict and monitor SMB/Windows Admin Shares and WMI remote execution to approved administrative paths and identities.
- Harden credential controls against password guessing, including account policy, monitoring, and response workflows appropriate to the environment.
- Limit unnecessary lateral movement paths through segmentation and least-privilege administration.
- Control persistence opportunities by monitoring and governing Scheduled Tasks, Registry Run Keys, and startup locations.
Analyst notes and limits
The strongest decision value from this ATT&CK object is the combination of Windows malware, exploitation-enabled spread, discovery-heavy behavior, persistence, lateral movement, command-and-control, compute hijacking, and network DoS-related impact. This supports a control validation exercise across endpoint, identity, network, vulnerability management, and incident response rather than a narrow malware-family lookup.
The supplied ATT&CK object does not provide official detection guidance, aliases, labels, or malware-level tactics. Several related techniques list broader platforms, but the Lucifer malware object itself is scoped to Windows; do not infer Lucifer coverage on other platforms from those relationships alone. Local environment evidence is required to determine exposure, detection coverage, and prioritization.
Lucifer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1496.001 | Compute Hijacking Sub-technique | Lucifer can use system resources to mine cryptocurrency, dropping XMRig to mine Monero. [1] |
| Enterprise | T1016 | System Network Configuration Discovery | Lucifer can collect the IP address of a compromised host. [1] |
| Enterprise | T1049 | System Network Connections Discovery | Lucifer can identify the IP and port numbers for all remote connections from the compromised host. [1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Lucifer can decrypt its C2 address upon execution. [1] |
| Enterprise | T1057 | Process Discovery | Lucifer can identify the process that owns remote connections. [1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Lucifer can persist by setting Registry key values |
| Enterprise | T1105 | Ingress Tool Transfer | |
| Enterprise | T1573.001 | Symmetric Cryptography Sub-technique | Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire. [1] |
| Enterprise | T1033 | System Owner/User Discovery | Lucifer has the ability to identify the username on a compromised host. [1] |
| Enterprise | T1570 | Lateral Tool Transfer | |
| Enterprise | T1497.001 | System Checks Sub-technique | Lucifer can check for specific usernames, computer names, device drivers, DLLs, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected. [1] |
| Enterprise | T1027.002 | Software Packing Sub-technique | Lucifer has used UPX packed binaries. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Lucifer has established persistence by creating the following scheduled task |
| Enterprise | T1082 | System Information Discovery | Lucifer can collect the computer name, system architecture, default language, and processor frequency of a compromised host. [1] |
| Enterprise | T1110.001 | Password Guessing Sub-technique | Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords. [1] |
| Enterprise | T1498 | Network Denial of Service | Lucifer can execute TCP, UDP, and HTTP denial of service (DoS) attacks. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Lucifer can issue shell commands to download and execute additional payloads. [1] |
| Enterprise | T1071 | Application Layer Protocol | Lucifer can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server. [1] |
| Enterprise | T1210 | Exploitation of Remote Services | Lucifer can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144). [1] |
| Enterprise | T1685.005 | Clear Windows Event Logs Sub-technique | Lucifer can clear and remove event logs. [1] |
| Enterprise | T1046 | Network Service Discovery | Lucifer can scan for open ports including TCP ports 135 and 1433. [1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | Lucifer can infect victims by brute forcing SMB. [1] |
| Enterprise | T1012 | Query Registry | Lucifer can check for existing stratum cryptomining information in |
| Enterprise | T1047 | Windows Management Instrumentation | Lucifer can use WMI to log into remote machines for propagation. [1] |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 13c892239ec1… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Unit 42 Lucifer June 2020: Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020.
[2] mitre-attack S0532
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.