Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Operation Wocao

Operation Wocao described activities carried out by a China-based cyber espionage adversary. Operation Wocao targeted entities within the government, managed service providers, energy, health care, and technology sectors across several countries, including China, France, Germany, the United Kingdom, and the United States. Operation Wocao used similar TTPs and tools to APT20, suggesting a possible overlap.(Citation: FoxIT Wocao December 2019)
ID: G0116
Associated Groups: 
Version: 1.0
Created: 17 Nov 2020
Last Modified: 12 Oct 2022

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Operation Wocao has used the net command to retrieve information about domain accounts.(Citation: FoxIT Wocao December 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Operation Wocao has archived collected files with WinRAR, prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Operation Wocao has used PowerShell on compromised systems.(Citation: FoxIT Wocao December 2019)

.003 Command and Scripting Interpreter: Windows Command Shell

Operation Wocao has spawned a new cmd.exe process to execute commands.(Citation: FoxIT Wocao December 2019)

.005 Command and Scripting Interpreter: Visual Basic

Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.(Citation: FoxIT Wocao December 2019)

.006 Command and Scripting Interpreter: Python

Operation Wocao's backdoors have been written in Python and compiled with py2exe.(Citation: FoxIT Wocao December 2019)

Enterprise T1555 .005 Credentials from Password Stores: Password Managers

Operation Wocao has accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019)

Enterprise T1074 .001 Data Staged: Local Data Staging

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Operation Wocao's proxy implementation "Agent" can upgrade the socket in use to a TLS socket.(Citation: FoxIT Wocao December 2019)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.(Citation: FoxIT Wocao December 2019)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)

.004 Indicator Removal: File Deletion

Operation Wocao has deleted logs and executable files used during an intrusion.(Citation: FoxIT Wocao December 2019)

Enterprise T1056 .001 Input Capture: Keylogging

Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.(Citation: FoxIT Wocao December 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Operation Wocao has used ProcDump to dump credentials from memory.(Citation: FoxIT Wocao December 2019)

.006 OS Credential Dumping: DCSync

Operation Wocao has used Mimikatz's DCSync to dump credentials from the memory of the targeted system.(Citation: FoxIT Wocao December 2019)

Enterprise T1027 .005 Obfuscated Files or Information: Indicator Removal from Tools

Operation Wocao has edited variable names within the Impacket suite to avoid automated detection.(Citation: FoxIT Wocao December 2019)

Enterprise T1069 .001 Permission Groups Discovery: Local Groups

Operation Wocao has used the command net localgroup administrators to list all administrators part of a local group.(Citation: FoxIT Wocao December 2019)

Enterprise T1090 .001 Proxy: Internal Proxy

Operation Wocao can proxy traffic through multiple infected systems.(Citation: FoxIT Wocao December 2019)

.003 Proxy: Multi-hop Proxy

Operation Wocao has executed commands through the installed web shell via Tor exit nodes.(Citation: FoxIT Wocao December 2019)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.(Citation: FoxIT Wocao December 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.(Citation: FoxIT Wocao December 2019)

Enterprise T1505 .003 Server Software Component: Web Shell

Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.(Citation: FoxIT Wocao December 2019)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

Operation Wocao has used scripts to detect security software.(Citation: FoxIT Wocao December 2019)

Enterprise T1558 .003 Steal or Forge Kerberos Tickets: Kerberoasting

Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.(Citation: FoxIT Wocao December 2019)

Enterprise T1569 .002 System Services: Service Execution

Operation Wocao has created services on remote systems for execution purposes.(Citation: FoxIT Wocao December 2019)

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.(Citation: FoxIT Wocao December 2019)

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

.003 Valid Accounts: Local Accounts

Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)

Software

ID Name References Techniques
S0521 BloodHound (Citation: CrowdStrike BloodHound April 2018) (Citation: FoxIT Wocao December 2019) (Citation: GitHub Bloodhound) Domain Groups, Group Policy Discovery, Archive Collected Data, Password Policy Discovery, Local Groups, Domain Account, Local Account, System Owner/User Discovery, Remote System Discovery, Native API, PowerShell, Domain Trust Discovery
S0194 PowerSploit (Citation: FoxIT Wocao December 2019) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Command Obfuscation, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0357 Impacket (Citation: FoxIT Wocao December 2019) (Citation: Impacket Tools) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0105 dsquery (Citation: FoxIT Wocao December 2019) (Citation: TechNet Dsquery) Domain Account, Domain Trust Discovery, Domain Groups, System Information Discovery
S0104 netstat (Citation: FoxIT Wocao December 2019) (Citation: TechNet Netstat) System Network Connections Discovery
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: FoxIT Wocao December 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.