{"description": "Enterprise techniques used by ShadowRay, ATT&CK campaign C0045 (v1.0)", "name": "ShadowRay (C0045)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.006", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors used the Python `pty` module to open reverse shells.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1546", "showSubtechniques": true}, {"techniqueID": "T1546.004", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors executed commands on interactive and reverse shells.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors exploited CVE-2023-48022 on publicly exposed Ray servers to steal computing power and to expose sensitive data.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors downloaded a privilege escalation payload to gain root access.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors downloaded and executed the XMRig miner on targeted hosts.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors used Base64-encrypted Python code to evade detection.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors used tools including the XMRig miner and Interactsh.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.008", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors used `cat /etc/shadow` to steal password hashes.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1496", "showSubtechniques": true}, {"techniqueID": "T1496.001", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors leveraged graphics processing units (GPU) on compromised nodes for cryptocurrency mining.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1016", "comment": "During [ShadowRay](https://attack.mitre.org/campaigns/C0045), threat actors invoked DNS queries from targeted machines to identify their IP addresses.(Citation: Oligo ShadowRay Campaign MAR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by ShadowRay", "color": "#66b1ff"}]}