Night Dragon
Associated Group Descriptions

No associated group descriptions are listed for this group.
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | Night Dragon has used HTTP for C2.(Citation: McAfee Night Dragon) |
| Enterprise | T1074.002 | Data Staged: Remote Data Staging | Night Dragon has copied files to company web servers and subsequently downloaded them from there.(Citation: McAfee Night Dragon) |
| Enterprise | T1587.001 | Develop Capabilities: Malware | Night Dragon used privately developed and customized remote access tools.(Citation: McAfee Night Dragon) |
| Enterprise | T1562.001 | Impair Defenses: Disable or Modify Tools | Night Dragon has, in some instances, disabled anti-virus and anti-spyware tools on victims' machines. The actors have also disabled proxy settings so that compromised hosts communicated directly with the Internet.(Citation: McAfee Night Dragon) |
| Enterprise | T1003.002 | OS Credential Dumping: Security Account Manager | Night Dragon has dumped account hashes with gsecdump and cracked them with Cain & Abel.(Citation: McAfee Night Dragon) |
| Enterprise | T1027.002 | Obfuscated Files or Information: Software Packing | Night Dragon is known to use software packing in its tools.(Citation: McAfee Night Dragon) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | Night Dragon sent spearphishing emails containing links to compromised websites from which malware was downloaded.(Citation: McAfee Night Dragon) |
| Enterprise | T1550.002 | Use Alternate Authentication Material: Pass the Hash | Night Dragon used pass-the-hash tools to gain additional usernames and passwords.(Citation: McAfee Night Dragon) |
| Enterprise | T1204.001 | User Execution: Malicious Link | Night Dragon enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon) |
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0110 | at | (Citation: Linux at) (Citation: McAfee Night Dragon) (Citation: TechNet At) | At |
| S0350 | zwShell | (Citation: McAfee Night Dragon) | Remote Desktop Protocol, SMB/Windows Admin Shares, Scheduled Task, Windows Service, File and Directory Discovery, File Deletion, System Information Discovery, System Network Configuration Discovery, Modify Registry, System Owner/User Discovery, Windows Command Shell |
| S0073 | ASPXSpy | (Citation: Dell TG-3390) (Citation: McAfee Night Dragon) | Web Shell |
| S0008 | gsecdump | (Citation: McAfee Night Dragon) (Citation: TrueSec Gsecdump) | Security Account Manager, LSA Secrets |
| S0029 | PsExec | (Citation: McAfee Night Dragon) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References
- McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018.