{"description": "Enterprise techniques used by Operation Digital Eye, ATT&CK campaign C0061 (v1.0)", "name": "Operation Digital Eye (C0061)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1087", "showSubtechniques": true}, {"techniqueID": "T1087.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used the local.exe tool to view local account information.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.004", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used SSH access enabled by authorized_keys files for remote execution.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used `cmd.exe` as a default method of execution for a custom version of [Mimikatz](https://attack.mitre.org/software/S0002) named bK2o.exe.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors created a service named Visual Studio Code Service to run Visual Studio code.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used SQL injection to compromise publicly exposed web and database servers.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1591", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors concealed malicious activity by using terms that aligned with the technological context of the targeted organization.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1665", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used public Cloud infrastructure to mask malicious activity.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors deleted files delivered to compromised hosts, often named with the pattern do.* such as do.exe.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1036", "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors attempted to make filenames appear legitimate by tailoring them to the victim organization.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1106", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used native API such as `GetUserInfo`.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used third party tools including custom implementations of [Mimikatz](https://attack.mitre.org/software/S0002).(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors targeted memory from the LSASS process to extract credentials.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used `reg save` to retrieve credentials from the Security Account Manager (SAM) database.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069", "showSubtechniques": true}, {"techniqueID": "T1069.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used the local.exe tool to view group memberships.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1219", "showSubtechniques": true}, {"techniqueID": "T1219.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors created Visual Studio Code dev tunnels to access targeted endpoints through the browser-based version of Visual Studio Code.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors moved laterally using RDP.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used [Ping](https://attack.mitre.org/software/S0097) for reconnaissance.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1505", "showSubtechniques": true}, {"techniqueID": "T1505.003", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors deployed a PHP-based webshell to maintain persistent access.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1614", "showSubtechniques": true}, {"techniqueID": "T1614.001", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used the local language of targeted organizations to disguise file system activity.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used `GetUserInfo` to identify current user information.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.002", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used the winsw tool to deploy a Visual Studio code executable as a Windows service.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "During [Operation Digital Eye](https://attack.mitre.org/campaigns/C0061), threat actors used a pass-the-hash capability to move laterally.(Citation: sentinelone operationDigitalEye Dec 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Operation Digital Eye", "color": "#66b1ff"}]}