{"description": "Enterprise techniques used by Operation Sharpshooter, ATT&CK campaign C0013 (v1.0)", "name": "Operation Sharpshooter (C0013)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.006", "comment": "For [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors used Dropbox to host lure documents and their first-stage downloader.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), a first-stage downloader installed [Rising Sun](https://attack.mitre.org/software/S0448) to `%Startup%\\mssync.exe` on a compromised host.(Citation: McAfee Sharpshooter December 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.005", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors used a VBA macro to execute a simple downloader that installed [Rising Sun](https://attack.mitre.org/software/S0448).(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.004", "comment": "For [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors compromised a server they used as part of the campaign's infrastructure.(Citation: Bleeping Computer Op Sharpshooter March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "For [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors used the [Rising Sun](https://attack.mitre.org/software/S0448) modular backdoor.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), additional payloads were downloaded after a target was infected with a first-stage downloader.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1559", "showSubtechniques": true}, {"techniqueID": "T1559.002", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), threat actors sent malicious Word OLE documents to victims.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), threat actors installed [Rising Sun](https://attack.mitre.org/software/S0448) in the Startup folder and disguised it as `mssync.exe`.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the first stage downloader resolved various Windows libraries and APIs, including `LoadLibraryA()`, `GetProcAddress()`, and `CreateProcessA()`.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1055", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), threat actors leveraged embedded shellcode to inject a downloader into the memory of Word.(Citation: Threatpost New Op Sharpshooter Data March 2019)    ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "For [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors used the ExpressVPN service to hide their location.(Citation: Bleeping Computer Op Sharpshooter March 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "For [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors staged malicious files on Dropbox and other websites.(Citation: McAfee Sharpshooter December 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "During [Operation Sharpshooter](https://attack.mitre.org/campaigns/C0013), the threat actors relied on victims executing malicious Microsoft Word or PDF files.(Citation: McAfee Sharpshooter December 2018) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation Sharpshooter", "color": "#66b1ff"}]}