C0014: Operation Wocao
Operation Wocao was a cyber espionage campaign that targeted organizations around the world, including in Brazil, China, France, Germany, Italy, Mexico, Portugal, Spain, the United Kingdom, and the United States. The suspected China-based actors compromised government organizations and managed service providers, as well as aviation, construction, energy, finance, health care, insurance, offshore engineering, software development, and transportation companies.[1]
Security researchers assessed the Operation Wocao actors used similar TTPs and tools as APT20, suggesting a possible overlap. Operation Wocao was named after an observed command line entry by one of the threat actors, possibly out of frustration from losing webshell access.[1]
Analyst context for executives and security teams
Operation Wocao matters because ATT&CK describes it as a cyber espionage campaign affecting many countries and sectors, including government, managed service providers, aviation, energy, finance, health care, software development, and transportation. For leaders, the decision value is not the campaign name itself; it is the pattern of enterprise compromise behaviors linked to it: credential theft, Active Directory discovery, lateral movement over SMB/admin shares, use of dual-use administration tools, stealth, C2 obfuscation, and exfiltration over C2.
Executive priority
Treat this as a readiness check for identity security, Windows/Active Directory monitoring, managed service provider exposure, and incident response evidence quality. The relationship set emphasizes behaviors that can turn one compromised host or account into broader business risk: credential dumping, domain replication abuse, AD attack-path discovery, remote execution, and data collection/exfiltration. Executives should ask whether the organization can prove visibility into privileged credential use, domain controller activity, remote admin tooling, PowerShell/offensive framework use, and suspicious outbound C2-like traffic.
Technical view
ATT&CK provides no campaign-specific detection text and no campaign-level platforms or tactics, so validation should be built from the related software and techniques. SOC and IR teams should prioritize Windows and AD evidence because related tools include Mimikatz, PsExec, dsquery, PowerSploit, BloodHound, Wevtutil, and Impacket, and related techniques include LSASS Memory, DCSync, SMB/Windows Admin Shares, Query Registry, discovery activity, command obfuscation, indicator removal from tools, and exfiltration over C2. Detection engineering should test whether telemetry can connect identity events, process execution, command lines, PowerShell activity, SMB/admin share access, domain controller replication-like activity, event log utility usage, and outbound network behavior into a coherent intrusion narrative.
Likely telemetry
- Windows process creation and command-line logging for PsExec-like execution, dsquery, wevtutil, PowerShell, netstat, registry queries, and discovery commands
- Endpoint telemetry for LSASS access, credential dumping indicators, suspicious tool execution, renamed tools, and command obfuscation
- Active Directory and domain controller logs relevant to account enumeration, group/domain discovery, BloodHound-like collection, and DCSync/replication abuse
- SMB/admin share access logs and remote service execution evidence
- PowerShell logging and script/module execution evidence for PowerSploit-like activity
Detection direction
- Do not rely on tool-name signatures alone; several related tools are legitimate or open-source dual-use utilities, and ATT&CK includes indicator removal and command obfuscation in the relationship set.
- Tune detections around behavior chains: credential access followed by AD discovery, remote execution, SMB/admin share use, and outbound C2/exfiltration-like traffic.
- Separate normal administrator activity from suspicious use by validating user context, host role, timing, source/destination pairs, command arguments, and whether activity originates from expected admin systems.
- Validate domain controller monitoring specifically for DCSync-style abuse and unusual replication-related access by non-standard principals.
- Hunt for AD reconnaissance patterns involving dsquery and BloodHound-like collection, especially when paired with credential access or lateral movement evidence.
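The telemetry list and detection direction above describe a behaviour chain (credential access, then AD discovery, then SMB/admin-share or remote-service execution, then C2-like egress) that should be correlated by principal across hosts rather than matched by tool name. The script below is an added example, not code from the ATT&CK page or the Fox-IT report: it classifies constructed Sysmon/Security/System events by behaviour and reports a chain only when the stages occur in order within a time window, so a lone `dsquery` from an approved admin account never fires. The event dictionaries, field names, hostnames, the `DOMAIN_CONTROLLERS` set and the six-hour window are assumptions of this example; the 4662 control-access GUID and the C2 ports 25667/47000 are the real values referenced by DCSync detections and by this page respectively.

```python
"""Correlate Windows telemetry into an Operation Wocao-style behaviour chain (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# DS-Replication-Get-Changes-All control access right; its GUID appears in the Properties
# field of Security Event ID 4662 when a principal performs DCSync-like replication.
DRS_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
WOCAO_C2_PORTS = {25667, 47000}          # uncommon backdoor C2 ports named on the page
DOMAIN_CONTROLLERS = {"DC01"}            # assumption: host role lookup for the sample data
WINDOW = timedelta(hours=6)              # assumption: how long one chain may span
STAGES = ("credential_access", "ad_discovery", "lateral_movement", "c2_traffic")

DISCOVERY_RE = re.compile(r"\b(dsquery|nbtscan|net\s+(group|localgroup|user)|sharphound)\b", re.I)
ADMIN_SHARE_RE = re.compile(r"\\(C\$|ADMIN\$|IPC\$)$", re.I)
LOG_CLEAR_RE = re.compile(r"\bwevtutil\s+cl\b", re.I)

# Constructed sample events; keys loosely follow Sysmon and Windows Security log fields.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T08:02:00", "host": "WS07", "source": "Sysmon", "id": 13, "user": "CORP\\jdoe",
     "target": r"HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest\UseLogonCredential",
     "details": "DWORD (0x00000001)"},
    {"time": "2024-05-01T08:05:00", "host": "WS07", "source": "Sysmon", "id": 10, "user": "CORP\\jdoe",
     "target_image": r"C:\Windows\system32\lsass.exe", "granted_access": "0x1FFFFF"},
    {"time": "2024-05-01T08:40:00", "host": "DC01", "source": "Security", "id": 4662, "user": "CORP\\jdoe",
     "properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"time": "2024-05-01T09:10:00", "host": "WS07", "source": "Sysmon", "id": 1, "user": "CORP\\jdoe",
     "command_line": "cmd.exe /c dsquery subnet"},
    {"time": "2024-05-01T09:12:00", "host": "WS07", "source": "Sysmon", "id": 1, "user": "CORP\\jdoe",
     "command_line": "net localgroup administrators"},
    {"time": "2024-05-01T09:30:00", "host": "FS02", "source": "Security", "id": 5140, "user": "CORP\\jdoe",
     "share": r"\\*\C$", "src_ip": "10.0.5.17"},
    {"time": "2024-05-01T09:31:00", "host": "FS02", "source": "System", "id": 7045, "user": "CORP\\jdoe",
     "service_path": r"C:\Windows\Temp\svchost.exe"},
    {"time": "2024-05-01T10:05:00", "host": "WS07", "source": "Sysmon", "id": 3, "user": "CORP\\jdoe",
     "image": r"C:\Windows\Temp\svchost.exe", "dst_ip": "203.0.113.9", "dst_port": 47000},
    {"time": "2024-05-01T10:20:00", "host": "WS07", "source": "Sysmon", "id": 1, "user": "CORP\\jdoe",
     "command_line": "cmd.exe /Q /c wevtutil cl security"},
    # Benign noise: an inventory service account running an approved AD query.
    {"time": "2024-05-01T09:00:00", "host": "ADMIN01", "source": "Sysmon", "id": 1, "user": "CORP\\svc_inventory",
     "command_line": "dsquery computer -limit 0"},
]


def classify(ev):
    """Map one event to a chain stage by observed behaviour; returns None for unrelated events."""
    src, eid = ev["source"], ev["id"]
    if src == "Sysmon" and eid == 13 and ev.get("target", "").lower().endswith(r"wdigest\uselogoncredential") \
            and "0x00000001" in ev.get("details", ""):
        return "credential_access"                       # WDigest re-enabled (T1112)
    if src == "Sysmon" and eid == 10 and ev.get("target_image", "").lower().endswith("lsass.exe"):
        return "credential_access"                       # LSASS handle opened (T1003.001)
    if src == "Security" and eid == 4662 and DRS_GET_CHANGES_ALL in ev.get("properties", "").lower() \
            and ev["host"] in DOMAIN_CONTROLLERS and not ev["user"].endswith("$"):
        return "credential_access"                       # replication right used by a non-machine principal (T1003.006)
    if src == "Sysmon" and eid == 1 and DISCOVERY_RE.search(ev.get("command_line", "")):
        return "ad_discovery"                            # dsquery / net / nbtscan style enumeration
    if src == "Security" and eid == 5140 and ADMIN_SHARE_RE.search(ev.get("share", "")):
        return "lateral_movement"                        # C$, ADMIN$ or IPC$ accessed (T1021.002)
    if src == "System" and eid == 7045:
        return "lateral_movement"                        # service installed for remote execution (T1569.002)
    if src == "Sysmon" and eid == 3 and int(ev.get("dst_port", 0)) in WOCAO_C2_PORTS:
        return "c2_traffic"                              # egress on the campaign's non-standard ports (T1571)
    if src == "Sysmon" and eid == 1 and LOG_CLEAR_RE.search(ev.get("command_line", "")):
        return "defense_evasion"                         # event log clearing, recorded but not a chain stage
    return None


def correlate(events, window=WINDOW):
    """Group classified events per principal, in time order, and walk the STAGES sequence.

    A finding is 'complete' only when every core stage appears in order within `window`
    of the first credential-access event; discovery on its own is never enough."""
    by_user = defaultdict(list)
    for ev in events:
        stage = classify(ev)
        if stage:
            by_user[ev["user"]].append((datetime.fromisoformat(ev["time"]), stage, ev["host"]))
    findings = {}
    for user, hits in by_user.items():
        hits.sort()
        reached, hosts, start = [], set(), None
        for t, stage, host in hits:
            hosts.add(host)
            expected = STAGES[len(reached)] if len(reached) < len(STAGES) else None
            if stage == expected and (start is None or t - start <= window):
                reached.append(stage)
                start = start or t
        findings[user] = {"stages": reached, "hosts": sorted(hosts),
                          "complete": reached == list(STAGES),
                          "log_clearing": any(s == "defense_evasion" for _, s, _ in hits)}
    return findings


if __name__ == "__main__":
    for user, finding in correlate(SAMPLE_EVENTS).items():
        print(user, finding)
```

Grouping by principal rather than by host is what lets the domain controller's 4662 event, the file server's share access and the workstation's egress land in one narrative, which is the cross-host correlation the detection direction calls for; in a real deployment the `DOMAIN_CONTROLLERS` lookup, the approved-admin-host allowlist and the window should come from the local baseline.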
Mitigation priorities
- Prioritize identity hardening: reduce privileged account exposure, review domain replication privileges, and limit where high-value credentials can be used.
- Harden and monitor Windows administration paths, including SMB/admin shares, remote service execution, and approved use of PsExec-like tools.
- Strengthen endpoint controls around LSASS access, suspicious PowerShell/offensive framework execution, and execution of renamed or obfuscated tools.
- Improve AD attack-path management by reviewing excessive privileges and relationships that could enable lateral movement or domain escalation.
- Ensure network egress monitoring and filtering can support investigation of anonymized or obfuscated C2-like traffic and exfiltration over existing channels.
Analyst notes and limits
The campaign description cites suspected China-based actors and possible overlap with APT20, but this take does not treat attribution as a control decision by itself. The most defensible use for defenders is to map the related ATT&CK software and techniques to local logging, identity controls, and incident response procedures. Managed detection and consulting reviews should focus on whether the organization can correlate dual-use tool activity with credential access, AD reconnaissance, lateral movement, and C2/exfiltration signals.
ATT&CK provides no official detection guidance for this campaign, and the campaign object does not specify platforms or tactics. The technical recommendations therefore come from the supplied relationship context, not from a complete intrusion playbook. Local baselines, approved administration practices, architecture, and telemetry retention are required to determine actual risk and coverage.
Operation Wocao
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1012 | Query Registry | During Operation Wocao, the threat actors executed `/c cd /d c:\windows\temp\ & reg query HKEY_CURRENT_USER\Software\…` |
| Enterprise | T1003.001 | LSASS Memory | During Operation Wocao, threat actors used ProcDump to dump credentials from memory.[1] |
| Enterprise | T1056.001 | Keylogging | During Operation Wocao, threat actors obtained the password for the victim's password manager via a custom keylogger.[1] |
| Enterprise | T1518.001 | Security Software Discovery | During Operation Wocao, threat actors used scripts to detect security software.[1] |
| Enterprise | T1018 | Remote System Discovery | During Operation Wocao, threat actors used `nbtscan` and `ping` to discover remote systems, as well as `dsquery subnet` on a domain controller to retrieve all subnets in the Active Directory.[1] |
| Enterprise | T1573.002 | Asymmetric Cryptography | During Operation Wocao, threat actors' proxy implementation "Agent" upgraded the socket in use to a TLS socket.[1] |
| Enterprise | T1587.001 | Malware | During Operation Wocao, threat actors developed their own custom webshells to upload to compromised servers.[1] |
| Enterprise | T1059.003 | Windows Command Shell | During Operation Wocao, threat actors spawned a new `cmd.exe` process to execute commands.[1] |
| Enterprise | T1555.005 | Password Managers | During Operation Wocao, threat actors accessed and collected credentials from password managers.[1] |
| Enterprise | T1552.004 | Private Keys | During Operation Wocao, threat actors used Mimikatz to dump certificates and private keys from the Windows certificate store.[1] |
| Enterprise | T1119 | Automated Collection | During Operation Wocao, threat actors used a script to collect information about the infected system.[1] |
| Enterprise | T1049 | System Network Connections Discovery | During Operation Wocao, threat actors collected a list of open connections on the infected system using `netstat` and checked whether it had an internet connection.[1] |
| Enterprise | T1585.002 | Email Accounts | For Operation Wocao, the threat actors registered email accounts to use during the campaign.[1] |
| Enterprise | T1124 | System Time Discovery | During Operation Wocao, threat actors used the `time` command to retrieve the current time of a compromised system.[1] |
| Enterprise | T1571 | Non-Standard Port | During Operation Wocao, the threat actors used uncommon high ports for their backdoor C2, including ports 25667 and 47000.[1] |
| Enterprise | T1686.003 | Windows Host Firewall | During Operation Wocao, threat actors used PowerShell to add and delete rules in the Windows firewall.[1] |
| Enterprise | T1111 | Multi-Factor Authentication Interception | During Operation Wocao, threat actors used a custom collection method to intercept two-factor authentication soft tokens.[1] |
| Enterprise | T1190 | Exploit Public-Facing Application | During Operation Wocao, threat actors gained initial access by exploiting vulnerabilities in JBoss webservers.[1] |
| Enterprise | T1090.003 | Multi-hop Proxy | During Operation Wocao, threat actors executed commands through the installed web shell via Tor exit nodes.[1] |
| Enterprise | T1074.001 | Local Data Staging | During Operation Wocao, threat actors staged archived files in a temporary directory prior to exfiltration.[1] |
| Enterprise | T1033 | System Owner/User Discovery | During Operation Wocao, threat actors enumerated sessions and users on a remote host, and identified privileged users logged into a targeted system.[1] |
| Enterprise | T1071.001 | Web Protocols | During Operation Wocao, threat actors' XServer tool communicated using HTTP and HTTPS.[1] |
| Enterprise | T1569.002 | Service Execution | During Operation Wocao, threat actors created services on remote systems for execution purposes.[1] |
| Enterprise | T1005 | Data from Local System | During Operation Wocao, threat actors exfiltrated files and directories of interest from the targeted system.[1] |
| Enterprise | T1115 | Clipboard Data | During Operation Wocao, threat actors collected clipboard data in plaintext.[1] |
| Enterprise | T1583.004 | Server | For Operation Wocao, the threat actors purchased servers with Bitcoin to use during the operation.[1] |
| Enterprise | T1560.001 | Archive via Utility | During Operation Wocao, threat actors archived collected files with WinRAR prior to exfiltration.[1] |
| Enterprise | T1106 | Native API | During Operation Wocao, threat actors used the `CreateProcessA` and `ShellExecute` API functions to launch commands after being injected into a selected process.[1] |
| Enterprise | T1069.001 | Local Groups | During Operation Wocao, threat actors used the command `net localgroup administrators` to list the members of the local Administrators group.[1] |
| Enterprise | T1078 | Valid Accounts | During Operation Wocao, threat actors used valid VPN credentials to gain initial access.[1] |
| Enterprise | T1135 | Network Share Discovery | During Operation Wocao, threat actors discovered network disks mounted to the system using `netstat`.[1] |
| Enterprise | T1070.004 | File Deletion | During Operation Wocao, the threat actors consistently removed traces of their activity by first overwriting a file using `/c cd /d c:\windows\temp\ & copy \\…` |
| Enterprise | T1685.005 | Clear Windows Event Logs | During Operation Wocao, the threat actors deleted all Windows system and security event logs using `/Q /c wevtutil cl system` and `/Q /c wevtutil cl security`.[1] |
| Enterprise | T1001 | Data Obfuscation | During Operation Wocao, threat actors encrypted IP addresses used for "Agent" proxy hops with RC4.[1] |
| Enterprise | T1588.002 | Tool | For Operation Wocao, the threat actors obtained a variety of open source tools, including JexBoss, KeeThief, and BloodHound.[1] |
| Enterprise | T1558.003 | Kerberoasting | During Operation Wocao, threat actors used PowerSploit's `Invoke-Kerberoast` module to request encrypted service tickets and brute-force the passwords of Windows service accounts offline.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | During Operation Wocao, threat actors used Impacket's `smbexec.py` as well as accessing the `C$` and `IPC$` shares to move laterally.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | During Operation Wocao, threat actors used SMB to copy files to and from target systems.[1] |
| Enterprise | T1059.005 | Visual Basic | During Operation Wocao, threat actors used VBScript to conduct reconnaissance on targeted systems.[1] |
| Enterprise | T1016.001 | Internet Connection Discovery | During Operation Wocao, threat actors used a Visual Basic script that checked for internet connectivity.[1] |
| Enterprise | T1087.002 | Domain Account | During Operation Wocao, threat actors used the `net` command to retrieve information about domain accounts.[1] |
| Enterprise | T1078.002 | Domain Accounts | During Operation Wocao, threat actors used domain credentials, including domain admin, for lateral movement and privilege escalation.[1] |
| Enterprise | T1055 | Process Injection | During Operation Wocao, threat actors injected code into a selected process, which in turn launched a command as a child process of the original.[1] |
| Enterprise | T1083 | File and Directory Discovery | During Operation Wocao, threat actors gathered a recursive directory listing to find files and directories of interest.[1] |
| Enterprise | T1589 | Gather Victim Identity Information | During Operation Wocao, threat actors targeted people based on their organizational roles and privileges.[1] |
| Enterprise | T1059.006 | Python | During Operation Wocao, threat actors' backdoors were written in Python and compiled with py2exe.[1] |
| Enterprise | T1112 | Modify Registry | During Operation Wocao, the threat actors enabled WDigest by changing the `HKLM\SYSTEM\ControlSet001\Control\SecurityProviders\WDigest` registry value from 0 (disabled) to 1 (enabled).[1] |
| Enterprise | T1090.001 | Internal Proxy | During Operation Wocao, threat actors proxied traffic through multiple infected systems.[1] |
| Enterprise | T1090 | Proxy | During Operation Wocao, threat actors used a custom proxy tool called "Agent" which has support for multiple hops.[1] |
| Enterprise | T1041 | Exfiltration Over C2 Channel | During Operation Wocao, threat actors used the XServer backdoor to exfiltrate data.[1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location | During Operation Wocao, the threat actors renamed some tools and executables to appear as legitimate programs.[1] |
| Enterprise | T1007 | System Service Discovery | During Operation Wocao, threat actors used the `tasklist` command to search for one of their backdoors.[1] |
| Enterprise | T1120 | Peripheral Device Discovery | During Operation Wocao, threat actors discovered removable disks attached to a system.[1] |
| Enterprise | T1003.006 | DCSync | During Operation Wocao, threat actors used Mimikatz's DCSync to dump credentials from the memory of the targeted system.[1] |
| Enterprise | T1027.005 | Indicator Removal from Tools | During Operation Wocao, threat actors edited variable names within the Impacket suite to avoid automated detection.[1] |
| Enterprise | T1053.005 | Scheduled Task | During Operation Wocao, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.[1] |
| Enterprise | T1082 | System Information Discovery | During Operation Wocao, threat actors discovered the OS versions of systems connected to a targeted network.[1] |
| Enterprise | T1027.010 | Command Obfuscation | During Operation Wocao, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.[1] |
| Enterprise | T1059.001 | PowerShell | During Operation Wocao, threat actors used PowerShell on compromised systems.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | During Operation Wocao, threat actors used WMI to execute commands.[1] |
| Enterprise | T1046 | Network Service Discovery | During Operation Wocao, threat actors scanned for open ports and used `nbtscan` to find NetBIOS name servers.[1] |
| Enterprise | T1095 | Non-Application Layer Protocol | During Operation Wocao, threat actors used a custom protocol for command and control.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During Operation Wocao, threat actors discovered the local network configuration with `ipconfig`.[1] |
| Enterprise | T1133 | External Remote Services | During Operation Wocao, threat actors used stolen credentials to connect to the victim's network via VPN.[1] |
| Enterprise | T1505.003 | Web Shell | During Operation Wocao, threat actors used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.[1] |
| Enterprise | T1518 | Software Discovery | During Operation Wocao, threat actors collected a list of installed software on the infected system.[1] |
| Enterprise | T1680 | Local Storage Discovery | During Operation Wocao, threat actors discovered the local disks attached to the system and their hardware information, including manufacturer and model.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During Operation Wocao, threat actors downloaded additional files to the infected system.[1] |
| Enterprise | T1078.003 | Local Accounts | During Operation Wocao, threat actors used local account credentials found during the intrusion for lateral movement and privilege escalation.[1] |
| Enterprise | T1057 | Process Discovery | During Operation Wocao, the threat actors used `tasklist` to collect a list of running processes on an infected system.[1] |
Groups, software, and campaigns
S0104: netstat
S0521: BloodHound
BloodHound is an Active Directory (AD) reconnaissance tool that can reveal hidden relationships and identify attack paths within an AD environment.[1][2][3]
S0002: Mimikatz
S0183: Tor
Tor is a software suite and network that provides increased anonymity on the Internet. It creates a multi-hop proxy network and utilizes multilayer encryption to protect both the message and routing information. Tor utilizes "Onion Routing," in which messages are encrypted with multiple layers of encryption; at each step in the proxy network, the topmost layer is decrypted and the contents forwarded on to the next node until it reaches its destination. [1]
S0645: Wevtutil
S0194: PowerSploit
PowerSploit is an open source, offensive security framework comprised of PowerShell modules and scripts that perform a wide range of tasks related to penetration testing such as code execution, persistence, bypassing anti-virus, recon, and exfiltration. [1] [2] [3]
S0105: dsquery
dsquery is a command-line utility that can be used to query Active Directory for information from a system within a domain. [1] It is typically installed only on Windows Server versions but can be installed on non-server variants through the Microsoft-provided Remote Server Administration Tools bundle.
S0029: PsExec
S0357: Impacket
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | d82019da2797… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] FoxIT Wocao December 2019: Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China's hidden hacking groups. Retrieved October 8, 2020. (Open source URL)
[2] mitre-attack C0014 (Open source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.