Operation Wocao Activity - Security

calendar Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.discovery attack.t1012 attack.defense-evasion attack.t1036.004 attack.t1027 attack.execution attack.t1053.005 attack.t1059.001 detection.emerging-threats  ·
Share on: linkedin copy

Detects activity mentioned in Operation Wocao report

Sigma rule (View on GitHub)

 1title: Operation Wocao Activity - Security
 2id: 74ad4314-482e-4c3e-b237-3f7ed3b9ca8d
 3status: test
 4description: Detects activity mentioned in Operation Wocao report
 5references:
 6    - https://web.archive.org/web/20200226212615/https://www.fox-it.com/en/news/whitepapers/operation-wocao-shining-a-light-on-one-of-chinas-hidden-hacking-groups/
 7    - https://web.archive.org/web/20200226212615/https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf
 8    - https://twitter.com/SBousseaden/status/1207671369963646976
 9author: Florian Roth (Nextron Systems), frack113
10date: 2019-12-20
11modified: 2022-11-27
12tags:
13    - attack.privilege-escalation
14    - attack.persistence
15    - attack.discovery
16    - attack.t1012
17    - attack.defense-evasion
18    - attack.t1036.004
19    - attack.t1027
20    - attack.execution
21    - attack.t1053.005
22    - attack.t1059.001
23    - detection.emerging-threats
24logsource:
25    product: windows
26    service: security
27detection:
28    selection:
29        EventID: 4799
30        TargetUserName|startswith: 'Administr'
31        CallerProcessName|endswith: '\checkadmin.exe'
32    condition: selection
33falsepositives:
34    - Administrators that use checkadmin.exe tool to enumerate local administrators
35level: high

References

  • Operation Wocao: Shining a light on one of China’s hidden hacking groups - Fox-IT

    Operation Wocao (我�, “Wǒ cāo�, used as “shit� or “damn�) is the name that Fox-IT uses to describe the hacking activities of a Chinese based hacking group. This report details the...


    Read More

  • Wayback Machine

    COLLECTED BY This is a Collection of URLs (and Outlinked URLs) extracted from a random feed of 1% of all Tweets. TIMESTAMPS The Wayback Machine - https://web.archive.org/web/20200215212348/https://...


    Read More

  • Something went wrong, but don’t fret — let’s give it another shot. Some privacy related extensions may cause issues on x.com. Please disable them and try again.


    Read More

Related rules

to-top