
Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)(Citation: Dragos DYMALLOY)
ID: G0074
Associated Groups: DYMALLOY, Berserk Bear, IRON LIBERTY
Version: 2.1
Created: 17 Oct 2018
Last Modified: 11 May 2022

Associated Group Descriptions

Name Description
DYMALLOY (Citation: Dragos DYMALLOY)
Berserk Bear (Citation: Fortune Dragonfly 2.0 Sept 2017)
IRON LIBERTY (Citation: Secureworks MCMD July 2019)(Citation: Secureworks IRON LIBERTY)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.(Citation: US-CERT TA18-074A)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence.(Citation: US-CERT TA18-074A)

.009 Boot or Logon Autostart Execution: Shortcut Modification

Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.(Citation: US-CERT TA18-074A)

Enterprise T1110 .002 Brute Force: Password Cracking

Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Kali Hydra)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

Dragonfly 2.0 used PowerShell scripts for execution.(Citation: US-CERT TA18-074A)(Citation: Symantec Dragonfly Sept 2017)(Citation: US-CERT APT Energy Oct 2017)

.003 Command and Scripting Interpreter: Windows Command Shell

Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

.006 Command and Scripting Interpreter: Python

Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1136 .001 Create Account: Local Account

Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1074 .001 Data Staged: Local Data Staging

Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it.(Citation: US-CERT TA18-074A)

Enterprise T1114 .002 Email Collection: Remote Email Collection

Dragonfly 2.0 accessed email accounts using Outlook Web Access.(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1562 .004 Impair Defenses: Disable or Modify System Firewall

Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

.004 Indicator Removal: File Deletion

Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

.003 OS Credential Dumping: NTDS

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket)

.004 OS Credential Dumping: LSA Secrets

Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)(Citation: Core Security Impacket)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.(Citation: US-CERT TA18-074A)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

.002 Phishing: Spearphishing Link

Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.(Citation: US-CERT TA18-074A)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

Dragonfly 2.0 moved laterally via RDP.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1505 .003 Server Software Component: Web Shell

Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

Enterprise T1204 .001 User Execution: Malicious Link

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)

.002 User Execution: Malicious File

Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.(Citation: US-CERT TA18-074A)(Citation: US-CERT APT Energy Oct 2017)
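
Several of the host-level behaviours listed above (the ntdll Run key value, disabling the host firewall and opening port 3389, clearing event logs, the 8-hour logoff scheduled task) can be turned into simple detection rules. The following is an added example, not part of the original ATT&CK entry: it runs such rules over constructed Windows-style telemetry records. The exact netsh, wevtutil and schtasks command lines are assumptions about how these actions would appear in process-creation logs, not commands reported in the cited advisories.

```python
import re

# Constructed sample telemetry (not from the original page): each record is a
# Windows/Sysmon-style event reduced to the fields the rules need. The command
# lines are assumed shapes for these actions, not observed Dragonfly 2.0 commands.
SAMPLE_EVENTS = [
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "ntdll", "cmdline": ""},
    {"type": "process_create", "cmdline": "netsh advfirewall set allprofiles state off"},
    {"type": "process_create", "cmdline": "netsh advfirewall firewall add rule name=rdp dir=in "
                                          "action=allow protocol=TCP localport=3389"},
    {"type": "process_create", "cmdline": "wevtutil cl Security"},
    {"type": "process_create", "cmdline": 'schtasks /create /tn upd /tr "logoff" /sc hourly /mo 8'},
    {"type": "process_create", "cmdline": "notepad.exe C:\\Users\\alice\\notes.txt"},  # benign
]

# Each rule: (ATT&CK technique id from the page, short label, predicate over one event).
RULES = [
    ("T1547.001", "Run key value named ntdll",
     lambda e: e["type"] == "registry_set"
     and e["key"].lower().endswith(r"\currentversion\run")
     and e["value_name"].lower() == "ntdll"),
    ("T1562.004", "host firewall disabled via netsh",
     lambda e: re.search(r"netsh\s+advfirewall\s+set\s+\w+\s+state\s+off", e["cmdline"], re.I)),
    ("T1562.004", "inbound TCP/3389 opened via netsh",
     lambda e: re.search(r"netsh\s+advfirewall.*localport=3389", e["cmdline"], re.I)),
    ("T1070.001", "event log cleared with wevtutil",
     lambda e: re.search(r"wevtutil(\.exe)?\s+cl\b", e["cmdline"], re.I)),
    ("T1053.005", "8-hour scheduled logoff task",
     lambda e: re.search(r"schtasks.*\blogoff\b.*/mo\s+8\b", e["cmdline"], re.I)),
]

def match_events(events):
    """Return one (event index, technique id, label) tuple per rule that fires."""
    findings = []
    for idx, ev in enumerate(events):
        for tid, label, pred in RULES:
            if pred(ev):
                findings.append((idx, tid, label))
    return findings

def summarize(findings):
    """Collapse findings to the sorted set of technique ids seen, for quick triage."""
    return sorted({tid for _, tid, _ in findings})

if __name__ == "__main__":
    for idx, tid, label in match_events(SAMPLE_EVENTS):
        print(f"event {idx}: {tid} {label}")
```

In production these predicates would be fed from the endpoint's process-creation and registry telemetry rather than an inline list, and the matched technique ids map directly back to the rows of the table above.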

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: US-CERT TA18-074A) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0357 Impacket (Citation: Core Security Impacket) (Citation: Impacket Tools) (Citation: US-CERT APT Energy Oct 2017) (Citation: US-CERT TA18-074A) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets
S0108 netsh (Citation: TechNet Netsh) (Citation: US-CERT TA18-074A) Disable or Modify System Firewall, Netsh Helper DLL, Proxy, Security Software Discovery
S0094 Trojan.Karagany (Citation: Dragos DYMALLOY) (Citation: Karagany) (Citation: Secureworks Karagany July 2019) (Citation: Symantec Dragonfly Sept 2017) (Citation: Symantec Dragonfly) (Citation: xFrost) System Owner/User Discovery, Screen Capture, System Network Connections Discovery, Application Window Discovery, Obfuscated Files or Information, Software Packing, Credentials from Web Browsers, Process Discovery, Registry Run Keys / Startup Folder, System Information Discovery, File Deletion, Ingress Tool Transfer, Keylogging, File and Directory Discovery, Local Data Staging, Thread Execution Hijacking, Asymmetric Cryptography, System Checks, OS Credential Dumping, System Network Configuration Discovery, Windows Command Shell, Web Protocols
S0500 MCMD (Citation: Secureworks MCMD July 2019) Indicator Removal, Clear Persistence, Windows Command Shell, Hidden Window, Web Protocols, Match Legitimate Name or Location, Obfuscated Files or Information, Scheduled Task, Data from Local System, Ingress Tool Transfer, Registry Run Keys / Startup Folder
S0488 CrackMapExec (Citation: CME Github September 2018) (Citation: US-CERT TA18-074A) Security Account Manager, NTDS, Password Spraying, Password Policy Discovery, Domain Account, System Network Connections Discovery, Password Guessing, At, Network Share Discovery, Remote System Discovery, LSA Secrets, Windows Management Instrumentation, Modify Registry, File and Directory Discovery, Pass the Hash, System Information Discovery, Domain Groups, PowerShell, System Network Configuration Discovery, Brute Force
S0075 Reg (Citation: Microsoft Reg) (Citation: US-CERT TA18-074A) (Citation: Windows Commands JPCERT) Credentials in Registry, Query Registry, Modify Registry
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Dragonfly Sept 2017) (Citation: US-CERT TA18-074A) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account