Reviewed threat activity

Operation Wocao

Operation Wocao is a long-running intrusion case that shows broad enterprise tradecraft across phishing, script execution, credential access, discovery, and exfiltration.

Source: MITRE ATT&CK. Confidence: high.

How The Activity Unfolds In ATT&CK

Operation Wocao is a classic multi-stage enterprise intrusion. It starts with a spearphishing attachment, uses PowerShell for execution, dumps credentials from LSASS memory, and archives the collected data so it can be removed from the environment.

  1. T1566.001 Spearphishing Attachment. A user-facing lure starts the chain.
  2. T1059.001 PowerShell. Script execution gives flexible post-compromise control.
  3. T1003.001 LSASS Memory. Credential dumping enables privilege and movement.
  4. T1560.001 Archive via Utility. Data is staged for exfiltration.

Defender Readout

This activity remains useful because it connects common enterprise techniques into a realistic intrusion path that detection teams can map end to end.
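The readout above says detection teams can map this path end to end. As an added example (not from the page or from MITRE), the following Python maps constructed host telemetry onto the four technique IDs listed above and checks whether a host shows them in the order described; the event shapes, field names and matching heuristics are assumed, simplified stand-ins for real EDR or Sysmon records.

```python
# Technique order the page describes: initial access -> execution -> credentials -> staging
WOCAO_CHAIN = ["T1566.001", "T1059.001", "T1003.001", "T1560.001"]

# Constructed sample telemetry (not real logs); field names are assumed for this example.
SAMPLE_EVENTS = [
    {"ts": "2020-01-06T08:01:00", "host": "WS01", "kind": "mail_attachment_open",
     "detail": "invoice.docm"},
    {"ts": "2020-01-06T08:01:30", "host": "WS01", "kind": "process_create",
     "image": "powershell.exe", "detail": "-nop -w hidden -enc <base64 placeholder>"},
    {"ts": "2020-01-06T09:15:00", "host": "WS01", "kind": "process_access",
     "image": "rundll32.exe", "target": "lsass.exe", "granted_access": 0x1010},
    {"ts": "2020-01-07T02:00:00", "host": "WS01", "kind": "process_create",
     "image": "7z.exe", "detail": "a -p C:\\ProgramData\\t.7z C:\\Users\\"},
    {"ts": "2020-01-06T10:00:00", "host": "WS02", "kind": "process_create",
     "image": "powershell.exe", "detail": "Get-Process"},  # benign, should not match
]

def classify(ev):
    """Return the ATT&CK technique ID an event suggests, or None (assumed heuristics)."""
    kind = ev["kind"]
    image = ev.get("image", "").lower()
    detail = ev.get("detail", "").lower()
    if kind == "mail_attachment_open" and detail.endswith((".docm", ".xlsm", ".lnk")):
        return "T1566.001"                      # lure attachment opened by a user
    if kind == "process_create" and image.endswith("powershell.exe") and (
            "-enc" in detail or "downloadstring" in detail or "-nop" in detail):
        return "T1059.001"                      # PowerShell with evasion-style switches
    if (kind == "process_access" and ev.get("target", "").lower().endswith("lsass.exe")
            and ev.get("granted_access", 0) & 0x10):  # PROCESS_VM_READ requested
        return "T1003.001"                      # LSASS memory read
    if kind == "process_create" and image.endswith(("7z.exe", "rar.exe", "winrar.exe")) \
            and detail.startswith("a "):        # "a" = add files to an archive
        return "T1560.001"                      # staging via archive utility
    return None

def chain_per_host(events):
    """Return {host: distinct technique IDs in order of first sighting}."""
    seen = {}
    for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort lexically
        tid = classify(ev)
        if tid and tid not in seen.setdefault(ev["host"], []):
            seen[ev["host"]].append(tid)
    return seen

def has_full_chain(techniques):
    """True when all four WOCAO_CHAIN steps appear in that order (other IDs may sit between)."""
    it = iter(techniques)
    return all(any(t == step for t in it) for step in WOCAO_CHAIN)
```

A host that matches only the PowerShell rule (WS02 in the sample) never enters the result, so the chain check fires only when the earlier stages are also present.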

Evidence And Mapping Rationale

T1566.001 Spearphishing Attachment

MITRE maps the operation to spearphishing attachments for initial access.

T1059.001 PowerShell

MITRE maps PowerShell execution for this operation.

T1003.001 LSASS Memory

MITRE maps LSASS credential dumping to the operation.

T1560.001 Archive via Utility

MITRE maps archiving of collected data with a utility before it is moved out of the environment.