{
  "description": "Enterprise techniques used by Operation MidnightEclipse, ATT&CK campaign C0048 (v1.0)",
  "name": "Operation MidnightEclipse (C0048)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "showSubtechniques": true},
    {"techniqueID": "T1071.001", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used `wget` via HTTP to retrieve payloads.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors piped output from stdout to bash for execution.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584", "showSubtechniques": true},
    {"techniqueID": "T1584.003", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors abused Virtual Private Servers to store malicious files.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1584.006", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors abused compromised AWS buckets to store files.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1005", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors stole saved cookies and login data from targeted systems.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1074", "showSubtechniques": true},
    {"techniqueID": "T1074.001", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors copied files to the web application folder on compromised devices for exfiltration.(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1190", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors exploited CVE-2024-3400 in Palo Alto Networks GlobalProtect.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1105", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors downloaded additional payloads on compromised devices.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1559", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors wrote output to stdout then piped it to bash for execution.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1588", "showSubtechniques": true},
    {"techniqueID": "T1588.002", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used the GO Simple Tunnel (GOST) reverse proxy tool.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1003", "showSubtechniques": true},
    {"techniqueID": "T1003.003", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors obtained Active Directory credentials via the NTDS.DIT file.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1090", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used the GO Simple Tunnel reverse proxy tool.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1021", "showSubtechniques": true},
    {"techniqueID": "T1021.002", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used SMB to pivot internally in victim networks.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1021.006", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used WinRM to move laterally in targeted networks.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1053", "showSubtechniques": true},
    {"techniqueID": "T1053.003", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors configured cron jobs to retrieve payloads from actor-controlled infrastructure.(Citation: Volexity UPSTYLE 2024)(Citation: Palo Alto MidnightEclipse APR 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1078", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors extracted sensitive credentials while moving laterally through compromised networks.(Citation: Volexity UPSTYLE 2024)", "score": 1, "showSubtechniques": true},
    {"techniqueID": "T1078.002", "comment": "During [Operation MidnightEclipse](https://attack.mitre.org/campaigns/C0048), threat actors used a compromised domain admin account to move laterally.(Citation: Volexity UPSTYLE 2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Operation MidnightEclipse", "color": "#66b1ff"}]
}