Operation Wocao

Operation Wocao has used the net command to retrieve information about domain accounts.(Citation: FoxIT Wocao December 2019)

Operation Wocao has archived collected files with WinRAR, prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used PowerShell on compromised systems.(Citation: FoxIT Wocao December 2019)

Operation Wocao has accessed and collected credentials from password managers.(Citation: FoxIT Wocao December 2019)

Operation Wocao has staged archived files in a temporary directory prior to exfiltration.(Citation: FoxIT Wocao December 2019)

Operation Wocao's proxy implementation "Agent" can upgrade the socket in use to a TLS socket.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.(Citation: FoxIT Wocao December 2019)

Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.(Citation: FoxIT Wocao December 2019)

Operation Wocao has obtained the password for the victim's password manager via a custom keylogger.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used ProcDump to dump credentials from memory.(Citation: FoxIT Wocao December 2019)

Operation Wocao has edited variable names within the Impacket suite to avoid automated detection.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used the command net localgroup administrators to list all administrators part of a local group.(Citation: FoxIT Wocao December 2019)

Operation Wocao can proxy traffic through multiple infected systems.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used Impacket's smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used scripts to detect security software.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used PowerSploit's Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.(Citation: FoxIT Wocao December 2019)

Operation Wocao has created services on remote systems for execution purposes.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.(Citation: FoxIT Wocao December 2019)

Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.(Citation: FoxIT Wocao December 2019)