Operation Digital Eye, Campaign C0061
Enterprise
Account Discovery: Local Account
During Operation Digital Eye, threat actors used the local.exe tool to view local account information.[1]
Enterprise
Account Manipulation: SSH Authorized Keys
During Operation Digital Eye, threat actors used SSH access, enabled by entries in authorized_keys files, for remote execution.[1]
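An authorized_keys entry is persistence that survives password rotation, so the practical check is to parse every authorized_keys file, fingerprint each key the way ssh-keygen does, and diff against what was actually provisioned. The following is an added example written for this page, not code from the original report or from MITRE; the sample file, the allowlist and the key material are constructed inline (the keys are deterministic test bytes, not real keys).

```python
import base64
import binascii
import hashlib
import struct

# Key types OpenSSH accepts in authorized_keys (subset).
KEY_TYPES = {"ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
             "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com"}
# Options that confine what a key may do; a key without any of them is unrestricted.
RESTRICTING_OPTIONS = ("from=", "command=", "restrict")


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -lf prints: unpadded base64 of the digest."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def split_options(line: str):
    """Split the leading options field from the rest of a line. Options are comma-separated
    and may hold double-quoted strings containing spaces (command="..."), so a plain
    whitespace split would break them."""
    i, in_quote = 0, False
    while i < len(line):
        c = line[i]
        if in_quote and c == "\\":
            i += 2                      # skip an escaped character inside quotes
            continue
        if c == '"':
            in_quote = not in_quote
        elif c.isspace() and not in_quote:
            break
        i += 1
    return line[:i], line[i:].lstrip()


def parse_authorized_keys(text: str):
    """Yield one dict per non-comment line: parsed key, or an error for malformed lines."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        options, rest = ("", line) if first in KEY_TYPES else split_options(line)
        parts = rest.split(None, 2)
        if len(parts) < 2 or parts[0] not in KEY_TYPES:
            yield {"line": lineno, "error": "unparseable"}
            continue
        keytype, b64, comment = parts[0], parts[1], (parts[2] if len(parts) == 3 else "")
        try:
            blob = base64.b64decode(b64, validate=True)
            (n,) = struct.unpack(">I", blob[:4])       # first wire field is the key type
            embedded_type = blob[4:4 + n].decode()
        except (binascii.Error, struct.error, UnicodeDecodeError):
            yield {"line": lineno, "error": "unparseable"}
            continue
        if embedded_type != keytype:
            yield {"line": lineno, "error": "type_mismatch"}
            continue
        yield {"line": lineno, "options": options, "type": keytype, "comment": comment,
               "fingerprint": fingerprint(blob),
               "restricted": any(o in options for o in RESTRICTING_OPTIONS)}


def audit_authorized_keys(text: str, allowlist: set) -> list:
    """Return a finding for every malformed line and every key not in the allowlist."""
    findings = []
    for entry in parse_authorized_keys(text):
        if "error" in entry:
            findings.append({"line": entry["line"], "reason": entry["error"]})
        elif entry["fingerprint"] not in allowlist:
            findings.append({"line": entry["line"], "reason": "not_in_allowlist",
                             "fingerprint": entry["fingerprint"],
                             "comment": entry["comment"], "restricted": entry["restricted"]})
    return findings


# Constructed sample data, not from the original report.
def ed25519_blob(raw32: bytes) -> bytes:
    """Wire format of an ssh-ed25519 public key: string "ssh-ed25519" then string key."""
    return struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw32


KNOWN_BLOB = ed25519_blob(bytes(range(32)))    # the key operations actually provisioned
UNKNOWN_BLOB = ed25519_blob(b"\x42" * 32)      # a key nobody approved
ALLOWLIST = {fingerprint(KNOWN_BLOB)}
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# managed by config management (constructed sample)",
    f"ssh-ed25519 {base64.b64encode(KNOWN_BLOB).decode()} deploy@ci",
    f'from="10.0.0.0/8",no-port-forwarding ssh-ed25519 {base64.b64encode(UNKNOWN_BLOB).decode()} backup@ops',
    "ssh-ed25519 not-base64!! broken@host",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, ALLOWLIST):
        print(finding)
```

Fingerprints rather than raw base64 are compared because the same key can be written with different comments or options; the `restricted` flag is carried along so triage can prioritise keys that are both unknown and unconfined. Malformed lines are reported rather than skipped, since OpenSSH itself ignores them silently and an attacker can hide a working key behind a line that looks broken to a naive grep.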
Enterprise
Command and Scripting Interpreter: Windows Command Shell
During Operation Digital Eye, threat actors used cmd.exe as a default method of execution for a custom version of Mimikatz named bK2o.exe.[1]
Enterprise
Create or Modify System Process: Windows Service
During Operation Digital Eye, threat actors created a service named Visual Studio Code Service to run Visual Studio Code.[1]
Enterprise
Exploit Public-Facing Application
During Operation Digital Eye, threat actors used SQL injection to compromise publicly exposed web and database servers.[1]
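The page does not say which application or query was injected, so the following is a generic added illustration, not the vulnerability used in the campaign: the same lookup written by string concatenation and with a bound parameter, run against a constructed in-memory SQLite database. The table names, rows and payloads are invented for the example.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for an exposed web app's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, role TEXT);
        CREATE TABLE api_keys(id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
        INSERT INTO users(username, role) VALUES ('alice', 'admin'), ('bob', 'user');
        INSERT INTO api_keys(owner, secret) VALUES ('alice', 'ak-constructed-0001');
    """)
    return conn


def find_user_vulnerable(conn, username: str) -> list:
    # Untrusted input is pasted into the statement text, so a quote character in it
    # terminates the string literal and whatever follows is executed as SQL.
    sql = f"SELECT id, username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, username: str) -> list:
    # The statement and the value travel separately; the value can never alter the
    # statement's structure, whatever characters it contains. Escaping or filtering
    # input is not the fix; parameterisation is.
    return conn.execute(
        "SELECT id, username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


# Constructed payloads of the two most common shapes.
# Tautology: turns the WHERE clause into "always true" and returns every row.
TAUTOLOGY = "x' OR '1'='1"
# UNION: appends a second SELECT with the same column count to read another table;
# the trailing -- comments out the closing quote the application adds.
UNION_DUMP = "x' UNION SELECT id, owner, secret FROM api_keys--"

if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", find_user_vulnerable(db, payload))
        print("safe:      ", find_user_safe(db, payload))
```

Note that `sqlite3.Connection.execute` refuses stacked statements (`'; DROP TABLE ...`), which is why the example uses UNION to reach the second table; on engines that allow multiple statements per call the same concatenation bug also gives the attacker write and, on some servers, command execution.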
Enterprise
During Operation Digital Eye, threat actors concealed malicious activity by using terms that aligned with the technological context of the targeted organization.[1]
Enterprise
During Operation Digital Eye, threat actors used public Cloud infrastructure to mask malicious activity.[1]
Enterprise
Indicator Removal: File Deletion
During Operation Digital Eye, threat actors deleted files delivered to compromised hosts, often named with the pattern do.* such as do.exe.[1]
Enterprise
Masquerading: Match Legitimate Resource Name or Location
During Operation Digital Eye, threat actors attempted to make filenames appear legitimate by tailoring them to the victim organization.[1]
Enterprise
Native API
During Operation Digital Eye, threat actors used native API calls such as GetUserInfo.[1]
Enterprise
Obtain Capabilities: Tool
During Operation Digital Eye, threat actors used third-party tools, including custom implementations of Mimikatz.[1]
Enterprise
OS Credential Dumping: LSASS Memory
During Operation Digital Eye, threat actors targeted memory from the LSASS process to extract credentials.[1]
Enterprise
OS Credential Dumping: Security Account Manager
During Operation Digital Eye, threat actors used reg save to retrieve credentials from the Security Account Manager (SAM) database.[1]
Enterprise
Permission Groups Discovery: Local Groups
During Operation Digital Eye, threat actors used the local.exe tool to view group memberships.[1]
Enterprise
Remote Access Tools: IDE Tunneling
During Operation Digital Eye, threat actors created Visual Studio Code dev tunnels to access targeted endpoints through the browser-based version of Visual Studio Code.[1]
Enterprise
Remote Services: Remote Desktop Protocol
During Operation Digital Eye, threat actors moved laterally using RDP.[1]
Enterprise
Remote System Discovery
During Operation Digital Eye, threat actors used Ping for reconnaissance.[1]
Enterprise
Server Software Component: Web Shell
During Operation Digital Eye, threat actors deployed a PHP-based webshell to maintain persistent access.[1]
Enterprise
System Location Discovery: System Language Discovery
During Operation Digital Eye, threat actors used the local language of targeted organizations to disguise file system activity.[1]
Enterprise
System Owner/User Discovery
During Operation Digital Eye, threat actors used GetUserInfo to identify current user information.[1]
Enterprise
System Services: Service Execution
During Operation Digital Eye, threat actors used the winsw tool to deploy a Visual Studio Code executable as a Windows service.[1]
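Three of the rows above leave a footprint in ordinary endpoint telemetry: `reg save` of the SAM hive (OS Credential Dumping: Security Account Manager), `code.exe` started with the `tunnel` subcommand (Remote Access Tools: IDE Tunneling), and a service wrapping Visual Studio Code through winsw (Create or Modify System Process / System Services). The detection logic below is an added example for this page, not from the original report or from MITRE. The event records are constructed to resemble Sysmon Event ID 1 or Security 4688 (process creation) and System Event ID 7045 (service installation); the hostnames, paths and the field layout are assumptions for the example.

```python
import ntpath
import re

# Constructed telemetry, not from the original report. "process" events stand in for
# Sysmon 1 / Security 4688 (image + command line); "service" events stand in for
# System 7045 (service name + image path).
SAMPLE_EVENTS = [
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg save HKLM\SAM C:\Users\Public\sam.hiv"},
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r'reg  save "hklm\system" c:\temp\sys.hiv'},
    {"kind": "process", "host": "WS01", "image": r"C:\Windows\System32\reg.exe",
     "command_line": r"reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"},
    {"kind": "process", "host": "SRV02", "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\code.exe" tunnel --accept-server-license-terms --name srv02'},
    {"kind": "process", "host": "SRV02", "image": r"C:\Program Files\Microsoft VS Code\code.exe",
     "command_line": r'"C:\Program Files\Microsoft VS Code\code.exe" C:\Users\dev\project'},
    {"kind": "service", "host": "SRV02", "service_name": "Visual Studio Code Service",
     "image_path": r"C:\ProgramData\vscode\winsw.exe"},
    {"kind": "service", "host": "SRV03", "service_name": "Spooler",
     "image_path": r"C:\Windows\System32\spoolsv.exe"},
]

# reg save of SAM alone is not enough for the attacker: decrypting the hashes also needs
# the SYSTEM hive, and SECURITY holds LSA secrets, so all three hives are watched.
# Tolerates reg.exe by full path, repeated spaces and an optionally quoted hive name.
HIVE_SAVE = re.compile(r'\breg(?:\.exe)?\s+save\s+"?hklm\\(?:sam|security|system)\b', re.IGNORECASE)
# The VS Code CLI's tunnel subcommand appears as a bare "tunnel" argument. A folder path
# containing the word would also match, so the rule is paired with an image-name check.
TUNNEL_ARG = re.compile(r"(?:^|\s)tunnel(?:\s|$)", re.IGNORECASE)


def rule_hive_save(ev):
    if HIVE_SAVE.search(ev["command_line"]):
        return "registry_hive_save"


def rule_vscode_tunnel(ev):
    # The standalone CLI can be renamed; this name-based rule should be backed by network
    # telemetry for the dev tunnel service domains (*.devtunnels.ms).
    if ntpath.basename(ev["image"]).lower() == "code.exe" and TUNNEL_ARG.search(ev["command_line"]):
        return "vscode_dev_tunnel"


def rule_vscode_service(ev):
    # winsw is a generic wrapper that runs any executable as a service; the report also
    # gives the display name the actors chose, so both are matched.
    binary = ntpath.basename(ev["image_path"]).lower()
    if "winsw" in binary or "visual studio code" in ev["service_name"].lower():
        return "vscode_service_install"


PROCESS_RULES = (rule_hive_save, rule_vscode_tunnel)
SERVICE_RULES = (rule_vscode_service,)


def detect(events) -> list:
    """Run every rule appropriate to each event kind; return one finding per rule hit."""
    findings = []
    for ev in events:
        rules = PROCESS_RULES if ev["kind"] == "process" else SERVICE_RULES
        for rule in rules:
            name = rule(ev)
            if name:
                evidence = ev.get("command_line") or f'{ev["service_name"]} -> {ev["image_path"]}'
                findings.append({"rule": name, "host": ev["host"], "evidence": evidence})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The hive rule is the high-confidence one: there is rarely a legitimate reason for `reg save HKLM\SAM` outside backup tooling, and the output file named in the command line is the artifact to collect. The tunnel and service rules are name-based and will miss a renamed CLI or a differently named service, which is why the report's point about blending in with the victim's naming matters for triage.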
Enterprise
Use Alternate Authentication Material: Pass the Hash
During Operation Digital Eye, threat actors used a pass-the-hash capability to move laterally.[1]