
Reviewed threat activity

Operation Digital Eye

Operation Digital Eye highlighted intrusion activity against technology and business services organizations, combining infrastructure preparation, script-based command execution, credential access from LSASS memory, and data movement over the command-and-control channel.

MITRE ATT&CK mapping. Confidence: high

How The Activity Unfolds In ATT&CK

Operation Digital Eye is a compact example of a modern intrusion chain: infrastructure preparation supports the operation, scripting provides execution, dumped credentials expand access, and exfiltration over the existing C2 channel completes the objective.

  1. T1583.004 Acquire Infrastructure: Server. Server infrastructure is acquired or prepared before or during the operation.
  2. T1059.005 Command and Scripting Interpreter: Visual Basic. Script execution provides a flexible command path on compromised hosts.
  3. T1003.001 OS Credential Dumping: LSASS Memory. Credentials read from LSASS memory support privilege escalation and lateral movement.
  4. T1041 Exfiltration Over C2 Channel. Collected data leaves over the same actor-controlled command-and-control channel.

Defender Readout

This activity is useful for checking that infrastructure, execution, credential-access, and exfiltration telemetry can be joined into one intrusion story: script-host process creation, process-access events against LSASS, and outbound volume to the C2 destinations should all be attributable to the same host and time window, and the C2 destinations themselves are the pivot for researching the actor's server infrastructure.
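As an added illustration of that readout (example code written for this page, not tooling from the original report or from MITRE), the script below runs one simple rule per mapped technique over a handful of constructed host and proxy records. The event records, field names, thresholds, the allowlist of benign LSASS readers, and the IP addresses are all assumptions chosen for the example; they loosely follow Sysmon process-creation, process-access and network-connection events but are not campaign telemetry.

```python
"""Toy triage: map constructed telemetry onto the four ATT&CK techniques in
the Operation Digital Eye readout. All records and thresholds below are
constructed for this example; they are not observed campaign data."""
from collections import defaultdict
import ntpath

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # Windows Script Host binaries
VB_EXTENSIONS = (".vbs", ".vbe", ".wsf")               # Visual Basic script types
PROCESS_VM_READ = 0x0010                               # access bit needed to read LSASS memory
LSASS_BENIGN_SOURCES = {"csrss.exe", "wininit.exe", "msmpeng.exe"}  # assumed allowlist
EXFIL_BYTES_THRESHOLD = 1_000_000                      # assumed per-host, per-destination limit

# Constructed sample events (hypothetical host "ws01" and documentation-range IPs).
SAMPLE_EVENTS = [
    {"id": 1, "type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B C:\Users\Public\update.vbs"},
    {"id": 2, "type": "process_access", "host": "ws01",
     "source_image": r"C:\Users\Public\svc.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1010"},
    {"id": 3, "type": "process_access", "host": "ws01",
     "source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\System32\lsass.exe", "granted_access": "0x1400"},
    {"id": 4, "type": "net_conn", "host": "ws01", "dest": "198.51.100.7",
     "dest_port": 443, "bytes_out": 2_000_000, "direction": "out"},
    {"id": 5, "type": "net_conn", "host": "ws01", "dest": "198.51.100.7",
     "dest_port": 443, "bytes_out": 1_200_000, "direction": "out"},
    {"id": 6, "type": "net_conn", "host": "ws01", "dest": "203.0.113.9",
     "dest_port": 443, "bytes_out": 1_500, "direction": "out"},
    {"id": 7, "type": "process_create", "host": "ws01",
     "image": r"C:\Windows\System32\notepad.exe", "cmdline": "notepad.exe"},
]


def _basename(path):
    # ntpath handles backslash paths regardless of the analysis platform.
    return ntpath.basename(path).lower()


def detect_vb_execution(events):
    """T1059.005: a Windows Script Host binary launched with a Visual Basic script."""
    hits = []
    for ev in events:
        if ev["type"] != "process_create":
            continue
        cmd = ev["cmdline"].lower()
        if _basename(ev["image"]) in SCRIPT_HOSTS and any(ext in cmd for ext in VB_EXTENSIONS):
            hits.append(ev["id"])
    return hits


def detect_lsass_access(events):
    """T1003.001: a non-allowlisted process opens lsass.exe with PROCESS_VM_READ."""
    hits = []
    for ev in events:
        if ev["type"] != "process_access" or _basename(ev["target_image"]) != "lsass.exe":
            continue
        access = int(ev["granted_access"], 16)
        if access & PROCESS_VM_READ and _basename(ev["source_image"]) not in LSASS_BENIGN_SOURCES:
            hits.append(ev["id"])
    return hits


def detect_exfil_over_c2(events):
    """T1041: cumulative outbound volume per (host, destination) over the threshold.
    Returns {destination: [event ids]} so the destinations can be reused as pivots."""
    totals, members = defaultdict(int), defaultdict(list)
    for ev in events:
        if ev["type"] != "net_conn" or ev["direction"] != "out":
            continue
        key = (ev["host"], ev["dest"])
        totals[key] += ev["bytes_out"]
        members[key].append(ev["id"])
    return {dest: sorted(members[(host, dest)])
            for (host, dest), total in totals.items() if total >= EXFIL_BYTES_THRESHOLD}


def map_to_attack(events):
    """Join the rule outputs into one ATT&CK-keyed readout for the host."""
    exfil = detect_exfil_over_c2(events)
    return {
        "T1059.005": detect_vb_execution(events),
        "T1003.001": detect_lsass_access(events),
        "T1041": sorted(i for ids in exfil.values() for i in ids),
        # T1583.004 happens before the intrusion and leaves no host event; the
        # actor's servers surface only as the destinations the T1041 rule flagged,
        # which are the pivot for passive DNS and hosting research.
        "T1583.004": sorted(exfil),
    }


if __name__ == "__main__":
    for technique, evidence in map_to_attack(SAMPLE_EVENTS).items():
        print(technique, evidence)
```

The point of the join is the last function: each rule on its own is noisy (script hosts run legitimately, security products read LSASS, large uploads happen), but the same host producing a Visual Basic launch, a suspicious LSASS read and multi-megabyte outbound volume to one external address in a short window is the intrusion story the readout describes. In a real pipeline the thresholds and allowlist would be tuned to the environment and the time window enforced explicitly.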

Evidence And Mapping Rationale

T1583.004 Acquire Infrastructure: Server

MITRE maps the campaign to acquiring or preparing server infrastructure for the operation. This is pre-compromise activity that does not show up in victim telemetry; it is evidenced through the actor-controlled servers the intrusion later contacts.

T1059.005 Command and Scripting Interpreter: Visual Basic

MITRE maps the campaign's command and scripting activity to the Visual Basic sub-technique, i.e. script execution through the Windows scripting engines.

T1003.001 OS Credential Dumping: LSASS Memory

MITRE maps credential dumping from LSASS process memory to the campaign; the harvested credentials are what support privilege escalation and movement between hosts.

T1041 Exfiltration Over C2 Channel

MITRE maps the campaign's data exfiltration to the existing command-and-control channel rather than a separate exfiltration channel, so outbound volume to the C2 destinations is the relevant signal.