Night Dragon
Associated Group Descriptions |
|
| Name | Description |
|---|---|
Techniques Used |
||||
| Domain | ID | Name | Use | |
|---|---|---|---|---|
| Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
Night Dragon has used HTTP for C2.(Citation: McAfee Night Dragon) |
| Enterprise | T1074 | .002 | Data Staged: Remote Data Staging |
Night Dragon has copied files to company web servers and subsequently downloaded them.(Citation: McAfee Night Dragon) |
| Enterprise | T1587 | .001 | Develop Capabilities: Malware |
Night Dragon used privately developed and customized remote access tools.(Citation: McAfee Night Dragon) |
| Enterprise | T1562 | .001 | Impair Defenses: Disable or Modify Tools |
Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon) |
| Enterprise | T1003 | .002 | OS Credential Dumping: Security Account Manager |
Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.(Citation: McAfee Night Dragon) |
| Enterprise | T1027 | .002 | Obfuscated Files or Information: Software Packing |
Night Dragon is known to use software packing in its tools.(Citation: McAfee Night Dragon) |
| Enterprise | T1566 | .002 | Phishing: Spearphishing Link |
Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.(Citation: McAfee Night Dragon) |
| Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
Night Dragon used pass-the-hash tools to gain usernames and passwords.(Citation: McAfee Night Dragon) |
| Enterprise | T1204 | .001 | User Execution: Malicious Link |
Night Dragon enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon) |
Software |
|||
| ID | Name | References | Techniques |
|---|---|---|---|
| S0110 | at | (Citation: Linux at) (Citation: McAfee Night Dragon) (Citation: TechNet At) | At |
| S0350 | zwShell | (Citation: McAfee Night Dragon) | Scheduled Task, System Owner/User Discovery, Windows Service, System Information Discovery, SMB/Windows Admin Shares, Modify Registry, System Network Configuration Discovery, File and Directory Discovery, Windows Command Shell, File Deletion, Remote Desktop Protocol |
| S0073 | ASPXSpy | (Citation: Dell TG-3390) (Citation: McAfee Night Dragon) | Web Shell |
| S0008 | gsecdump | (Citation: McAfee Night Dragon) (Citation: TrueSec Gsecdump) | Security Account Manager, LSA Secrets |
| S0029 | PsExec | (Citation: McAfee Night Dragon) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | Windows Service, SMB/Windows Admin Shares, Domain Account, Lateral Tool Transfer, Service Execution |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.