
S1188: Line Runner

Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.[1][2]

Domain: Enterprise | ID: S1188 | Type: Malware | Object version: 1.0 | Modified: see Change history below
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Line Runner matters because it is described by ATT&CK as a persistent backdoor and web shell for network devices, capable of uploading and executing arbitrary Lua scripts. For leaders, the key risk is not just malware on an endpoint; it is persistence on perimeter infrastructure where visibility, logging, patch control, and incident response access are often weaker than on servers or workstations. Its association with the ArcaneDoor campaign raises the priority for organizations that depend on VPNs, firewalls, and other network devices for secure remote access and operational continuity.

Executive priority

Treat this as a perimeter-device resilience issue. Security leaders should ask whether network devices are in the same governance scope as endpoints and servers: inventory, supported versions, configuration backup, centralized logging, incident response procedures, and evidence for compliance. Because the related campaign context references government and critical infrastructure networks and networking devices from Cisco and other vendors, organizations in those environments should prioritize validation of perimeter telemetry and response readiness without assuming exposure solely from the ATT&CK entry.

Technical view

ATT&CK does not provide a dedicated detection section for Line Runner, so defenders should build validation around the behaviors linked by relationships: web shell persistence, Lua script execution, web-protocol command and control, exfiltration over an existing C2 channel, compression, file deletion, adversary-in-the-middle behavior, and power-setting changes. SOC and IR teams should confirm whether network devices generate and forward enough administrative, web, file, process/script, configuration, and network-flow evidence to investigate these behaviors. Detection engineering should focus on abnormal management-plane access, unexpected script upload or execution, unusual HTTP/S patterns to or from network devices, suspicious file creation/deletion, and configuration or uptime/power-state changes that do not align with approved operations.

Likely telemetry

  • Network device management and authentication logs
  • Web server or management interface access logs from network devices
  • Configuration change logs and configuration backups
  • Network flow, proxy, firewall, and DNS telemetry involving perimeter devices
  • Evidence of script upload or Lua execution where supported by the device

Detection direction

  • Validate that perimeter network devices are onboarded to centralized logging and that logs are retained long enough for campaign-scale investigations.
  • Tune detections for unusual administrative sessions, unexpected web requests, anomalous HTTP/S communication patterns, and changes outside maintenance windows.
  • Correlate web shell persistence indicators with Lua execution behavior rather than relying on any single artifact, because ATT&CK does not provide Line Runner-specific detection logic.
  • Review whether compression, file deletion, and exfiltration-over-C2 behaviors are visible on network devices; these are common blind spots compared with endpoint telemetry.
  • Separate legitimate administrator activity, vendor support actions, and scheduled configuration changes from suspicious behavior to reduce false positives.

Mitigation priorities

  • Prioritize accurate inventory and ownership of network devices, especially perimeter and remote-access infrastructure.
  • Ensure supported firmware/software maintenance, secure configuration baselines, and controlled administrative access for network devices.
  • Centralize and retain management-plane, web-interface, configuration, and network telemetry from network devices.
  • Restrict and monitor administrative interfaces and web management exposure according to operational need.
  • Maintain tested configuration backups and incident response procedures for isolating, preserving, rebuilding, or replacing compromised network devices.

Analyst notes and limits

The strongest decision value is to use Line Runner as a test case for network-device security maturity. Many organizations have strong EDR coverage but limited telemetry on VPNs, firewalls, and other perimeter devices. Glexia would prioritize confirming device inventory, logging, change control, and IR access before assuming that existing SOC coverage can detect or investigate this behavior.

The ATT&CK object has no official detection text, no specified tactics on the malware object itself, no aliases, and limited platform scope beyond Network Devices. Behavioral detail comes from ATT&CK relationships to techniques and the ArcaneDoor campaign relationship. Local device models, configurations, logging capabilities, and retained evidence are required to determine real exposure or detection coverage.

Official MITRE ATT&CK definition

Line Runner

Line Runner is a persistent backdoor and web shell allowing threat actors to upload and execute arbitrary Lua scripts. Line Runner is associated with the ArcaneDoor campaign.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library).

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1041 | Exfiltration Over C2 Channel | Line Runner utilizes HTTP to retrieve and exfiltrate information staged using Line Dancer. [Cisco ArcaneDoor 2024]
Enterprise | T1027.015 | Compression (sub-technique) | Line Runner uses a ZIP payload that is automatically extracted, with its contents, a Lua script, executed for initial execution via CVE-2024-20359. [Cisco ArcaneDoor 2024]
Enterprise | T1653 | Power Settings | Line Runner used CVE-2024-20353 to trigger victim devices to reboot, in the process unzipping and installing the Line Dancer payload. [Cisco ArcaneDoor 2024]
Enterprise | T1071.001 | Web Protocols (sub-technique) | Line Runner utilizes an HTTP-based Lua backdoor on victim machines. [Cisco ArcaneDoor 2024] [CCCS ArcaneDoor 2024]
Enterprise | T1059.011 | Lua (sub-technique) | Line Runner utilizes Lua scripts for command execution. [Cisco ArcaneDoor 2024] [CCCS ArcaneDoor 2024]
Enterprise | T1505.003 | Web Shell (sub-technique) | Line Runner is a persistent Lua-based web shell. [CCCS ArcaneDoor 2024]
Enterprise | T1070.004 | File Deletion (sub-technique) | Line Runner removes its initial ZIP delivery archive after processing the enclosed Lua script. [Cisco ArcaneDoor 2024]
Enterprise | T1557 | Adversary-in-the-Middle | Line Runner intercepts HTTP requests to the victim Cisco ASA, looking for a request with a 32-character, victim-dependent parameter. If that parameter matches a value in the malware, a contained payload is then written to a Lua script and executed. [Cisco ArcaneDoor 2024]

Associated objects

Groups, software, and campaigns

Campaign Enterprise

C0046: ArcaneDoor

ArcaneDoor is a campaign targeting networking devices from Cisco and other vendors between July 2023 and April 2024, primarily focused on government and critical infrastructure networks. ArcaneDoor is associated with the deployment of the custom backdoors Line Runner and Line Dancer. ArcaneDoor is attributed to a group referred to as UAT4356 or STORM-1849, and is assessed to be a state-sponsored campaign.[1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.0
Created:
Modified:
Raw hash: b2a467a49e84c629...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.0 | | Current bundle | b2a467a49e84…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] CCCS ArcaneDoor 2024: Canadian Centre for Cyber Security. (2024, April 24). Cyber Activity Impacting CISCO ASA VPNs. Retrieved January 6, 2025.
  2. [2] Cisco ArcaneDoor 2024: Cisco Talos. (2024, April 24). ArcaneDoor - New espionage-focused campaign found targeting perimeter network devices. Retrieved January 6, 2025.
  3. [3] mitre-attack S1188: MITRE ATT&CK, S1188: Line Runner (attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.