{"description": "Enterprise techniques used by Operation CuckooBees, ATT&CK campaign C0012 (v1.1)", "name": "Operation CuckooBees (C0012)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net user` command to gather account information.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `dsquery` and `dsget` commands to get domain environment information and to query users in administrative groups.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors enabled HTTP and HTTPS listeners.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1560", "showSubtechniques": true}, {"techniqueID": "T1560.001", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the Makecab utility to compress and a version of WinRAR to create password-protected archives of stolen data prior to exfiltration.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.006", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), attackers used a signed kernel rootkit to establish additional persistence.(Citation: 
Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used batch scripts to perform reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors executed an encoded VBScript file using `wscript` and wrote the decoded output to a text file.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors modified the `IKEEXT` and `PrintNotify` Windows services for persistence.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors collected data, files, and other information from compromised networks.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1190", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors exploited multiple vulnerabilities in externally facing servers.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors enabled WinRM over HTTP/HTTPS as a backup persistence mechanism using the following 
command: `cscript //nologo \"C:\\Windows\\System32\\winrm.vbs\" set winrm/config/service@{EnableCompatibilityHttpsListener=\"true\"}`.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used `dir c:\\\\` to search for files.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1574", "showSubtechniques": true}, {"techniqueID": "T1574.001", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the legitimate Windows services `IKEEXT` and `PrintNotify` to side-load malicious DLLs.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors renamed a malicious executable to `rundll32.exe` to allow it to blend in with other Windows system files.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1135", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net share` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.010", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors executed an encoded VBScript file.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.011", 
"comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors stored payloads in Windows CLFS (Common Log File System) transactional logs.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "For [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors obtained publicly-available JSP code that was used to deploy a webshell onto a compromised server.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors leveraged a custom tool to dump OS credentials and used the following commands: `reg save HKLM\\\\SYSTEM system.hiv`, `reg save HKLM\\\\SAM sam.hiv`, and `reg save HKLM\\\\SECURITY security.hiv`, to dump SAM, SYSTEM and SECURITY hives.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1201", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net accounts` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1120", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `fsutil fsinfo drives` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "During [Operation 
CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net group` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1057", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `tasklist` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1018", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net view` and `ping` commands as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1053", "showSubtechniques": true}, {"techniqueID": "T1053.005", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: `SCHTASKS /Create /S  /U  /p  /SC ONCE /TN test /TR  /ST  /RU SYSTEM.`(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors generated a web shell within a vulnerable Enterprise Resource Planning Web Application Server as a persistence mechanism.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `systeminfo` command to gather details about a compromised system.(Citation: 
Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used `ipconfig`, `nbtstat`, `tracert`, `route print`, and `cat /etc/hosts` commands.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net session`, `net use`, and `netstat` commands as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1033", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `query user` and `whoami` commands as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net start` command as part of their initial reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1124", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used the `net time` command as part of their advanced reconnaissance.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "During [Operation CuckooBees](https://attack.mitre.org/campaigns/C0012), the threat actors used compromised domain administrator credentials as part of their lateral 
movement.(Citation: Cybereason OperationCuckooBees May 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation CuckooBees", "color": "#66b1ff"}]}