{
  "description": "Enterprise techniques used by Operation Wocao, ATT&CK campaign C0014 (v1.2)",
  "name": "Operation Wocao (C0014)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"},
  "techniques": [
    {"techniqueID": "T1087", "showSubtechniques": true},
    {"techniqueID": "T1087.002", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the `net` command to retrieve information about domain accounts.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1583", "showSubtechniques": true},
    {"techniqueID": "T1583.004", "comment": "For [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors purchased servers with Bitcoin to use during the operation.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors\u2019 XServer tool communicated using HTTP and HTTPS.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1560", "showSubtechniques": true},
    {"techniqueID": "T1560.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors archived collected files with WinRAR prior to exfiltration.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1119", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used a script to collect information about the infected system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1115", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors collected clipboard data in plaintext.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used PowerShell on compromised systems.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors spawned a new `cmd.exe` process to execute commands.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used VBScript to conduct reconnaissance on targeted systems.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059.006", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors' backdoors were written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1555", "showSubtechniques": true},
    {"techniqueID": "T1555.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors exfiltrated files and directories of interest from the targeted system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors encrypted IP addresses used for \"Agent\" proxy hops with RC4.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1587", "showSubtechniques": true},
    {"techniqueID": "T1587.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors developed their own custom web shells to upload to compromised servers.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1686", "showSubtechniques": true},
    {"techniqueID": "T1686.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used PowerShell to add and delete rules in the Windows firewall.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1685", "showSubtechniques": true},
    {"techniqueID": "T1685.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1573", "showSubtechniques": true},
    {"techniqueID": "T1573.002", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors' proxy implementation \"Agent\" upgraded the socket in use to a TLS socket.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1585", "showSubtechniques": true},
    {"techniqueID": "T1585.002", "comment": "For [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors registered email accounts to use during the campaign.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1041", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the XServer backdoor to exfiltrate data.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1190", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors gained initial access by exploiting vulnerabilities in JBoss web servers.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used stolen credentials to connect to the victim's network via VPN.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1083", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors gathered a recursive directory listing to find files and directories of interest.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1589", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors targeted people based on their organizational roles and privileges.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors consistently removed traces of their activity by first overwriting a file using `/c cd /d c:\\windows\\temp\\ & copy \\\\\\c$\\windows\\system32\\devmgr.dll \\\\\\c$\\windows\\temp\\LMAKSW.ps1 /y` and then deleting the overwritten file using `/c cd /d c:\\windows\\temp\\ & del \\\\\\c$\\windows\\temp\\LMAKSW.ps1`.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors downloaded additional files to the infected system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1056", "showSubtechniques": true},
    {"techniqueID": "T1056.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors obtained the password for the victim's password manager via a custom keylogger.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1570", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used SMB to copy files to and from target systems.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1680", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors discovered the local disks attached to the system and their hardware information, including manufacturer and model.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors renamed some tools and executables to appear as legitimate programs.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1112", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors enabled WDigest by changing the `HKLM\\SYSTEM\\ControlSet001\\Control\\SecurityProviders\\WDigest` registry value from 0 (disabled) to 1 (enabled).(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1111", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used a custom collection method to intercept two-factor authentication soft tokens.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1106", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1046", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors scanned for open ports and used nbtscan to find NetBIOS name servers.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1135", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors discovered network disks mounted to the system using [netstat](https://attack.mitre.org/software/S0104).(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1095", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used a custom protocol for command and control.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1571", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors edited variable names within the [Impacket](https://attack.mitre.org/software/S0357) suite to avoid automated detection.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.010", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors executed PowerShell commands that were encoded or compressed using Base64, zlib, and XOR.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "For [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and [BloodHound](https://attack.mitre.org/software/S0521).(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used ProcDump to dump credentials from memory.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003.006", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used [Mimikatz](https://attack.mitre.org/software/S0002)'s DCSync to dump credentials from the memory of the targeted system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1120", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors discovered removable disks attached to a system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1069", "showSubtechniques": true},
    {"techniqueID": "T1069.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the command `net localgroup administrators` to list all members of the local administrators group.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1057", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors used `tasklist` to collect a list of running processes on an infected system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1055", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors injected code into a selected process, which in turn launched a command as a child process of the original.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1090", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used a custom proxy tool called \"Agent\" which has support for multiple hops.(Citation: FoxIT Wocao December 2019)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1090.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors proxied traffic through multiple infected systems.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors executed commands through the installed web shell via [Tor](https://attack.mitre.org/software/S0183) exit nodes.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1012", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), the threat actors executed `/c cd /d c:\\windows\\temp\\ & reg query HKEY_CURRENT_USER\\Software\\PuTTY\\Sessions\\` to detect recent PuTTY sessions, likely to further lateral movement.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used [Impacket](https://attack.mitre.org/software/S0357)'s smbexec.py, and accessed the C$ and IPC$ shares, to move laterally.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1018", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used `nbtscan` and `ping` to discover remote systems, as well as `dsquery subnet` on a domain controller to retrieve all subnets in the Active Directory.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.005", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1505", "showSubtechniques": true},
    {"techniqueID": "T1505.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1518", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors collected a list of installed software on the infected system.(Citation: FoxIT Wocao December 2019)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1518.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used scripts to detect security software.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1558", "showSubtechniques": true},
    {"techniqueID": "T1558.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used [PowerSploit](https://attack.mitre.org/software/S0194)'s `Invoke-Kerberoast` module to request encrypted service tickets and brute-force the passwords of Windows service accounts offline.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1082", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors discovered the OS versions of systems connected to a targeted network.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1016", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors discovered the local network configuration with `ipconfig`.(Citation: FoxIT Wocao December 2019)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1016.001", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used a Visual Basic script that checked for internet connectivity.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1049", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors collected a list of open connections on the infected system using `netstat` and checked whether it had an internet connection.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1033", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1007", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the `tasklist` command to search for one of their backdoors.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1569", "showSubtechniques": true},
    {"techniqueID": "T1569.002", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors created services on remote systems for execution purposes.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1124", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used the `time` command to retrieve the current time of a compromised system.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.004", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used [Mimikatz](https://attack.mitre.org/software/S0002) to dump certificates and private keys from the Windows certificate store.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used valid VPN credentials to gain initial access.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078.003", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1047", "comment": "During [Operation Wocao](https://attack.mitre.org/campaigns/C0014), threat actors used WMI to execute commands.(Citation: FoxIT Wocao December 2019)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Operation Wocao", "color": "#66b1ff"}]
}