{"description": "Enterprise techniques used by Operation Honeybee, ATT&CK campaign C0006 (v1.1)", "name": "Operation Honeybee (C0006)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used the malicious NTWDBLIB.DLL and `cliconfig.exe` to bypass UAC protections.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), threat actors registered domains for C2.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583.004", "comment": "For [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), at least one identified persona was used to register for a free account for a control server.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors had the ability to use FTP for C2.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used zip to pack collected files before exfiltration.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), various 
implants used batch scripting and `cmd.exe` for execution.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "For [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used a Visual Basic script embedded within a Word document to download an implant.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), threat actors installed DLLs and backdoors as Windows services.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors collected data from compromised hosts.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), stolen data was copied into a text file using the format `From  (- --).txt` prior to compression, encoding, and exfiltration.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), malicious files were decoded prior to execution.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), attackers created email addresses to register for a free account for a control server used for the implants.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1041", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors uploaded stolen files to their C2 servers.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used a malicious DLL to search for files with specific keywords.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.011", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used a batch file that modified the COMSysApp service to load a malicious ipnet.dll payload and to load a DLL into the `svchost.exe` process.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used batch files that reduced their fingerprint on a compromised system by deleting malware-related files.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors downloaded additional malware and malicious scripts onto a compromised host.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors modified the MaoCheng dropper so its icon appeared as a Word document.(Citation: McAfee Honeybee)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "During [Operation 
Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used a legitimate Windows executable and secure directory for their payloads to bypass UAC.(Citation: McAfee Honeybee) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1112", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used batch files that modified registry keys.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1106", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors deployed malware that used API calls, including `CreateProcessAsUser`.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors used Base64 to encode files with a custom key.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.004", "comment": "For [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors stole a digital signature from Adobe Systems to use with their MaoCheng dropper.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors obtained a list of running processes on a victim machine using `cmd /c tasklist > %temp%\\temp.ini`.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors deployed the MaoCheng 
dropper with a stolen Adobe Systems digital signature.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), the threat actors collected the computer name, OS, and other system information using `cmd /c systeminfo > %temp%\\ temp.ini`.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), threat actors ran sc start to start the COMSysApp as part of the service hijacking and sc stop to stop and reconfigure the COMSysApp.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "During [Operation Honeybee](https://attack.mitre.org/campaigns/C0006), threat actors relied on a victim to enable macros within a malicious Word document.(Citation: McAfee Honeybee)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation Honeybee", "color": "#66b1ff"}]}