
G0014 Night Dragon

Night Dragon is the campaign name for activity attributed to a threat group whose operations originated primarily in China. [1]

Item Value
ID G0014
Associated Names -
Version 1.4
Created 31 May 2017
Last Modified 12 October 2021

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols Night Dragon has used HTTP for C2. [1]
enterprise T1074 Data Staged -
enterprise T1074.002 Remote Data Staging Night Dragon has copied files to company web servers and subsequently downloaded them from there. [1]
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Night Dragon used privately developed and customized remote access tools. [1]
enterprise T1190 Exploit Public-Facing Application Night Dragon has performed SQL injection attacks against extranet web servers to gain initial access. [1]
enterprise T1133 External Remote Services Night Dragon has used compromised VPN accounts to gain access to victim systems. [1]
enterprise T1562 Impair Defenses -
enterprise T1562.001 Disable or Modify Tools Night Dragon has, in some instances, disabled anti-virus and anti-spyware tools on victim machines. The actors have also disabled proxy settings so that victims communicate directly with the Internet. [1]
enterprise T1027 Obfuscated Files or Information A Night Dragon DLL included an XOR-encoded section. [1]
enterprise T1027.002 Software Packing Night Dragon is known to use software packing in its tools. [1]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Night Dragon has obtained and used tools such as gsecdump. [1]
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Night Dragon has dumped account hashes with gsecdump and cracked them offline with Cain & Abel. [1]
enterprise T1566 Phishing -
enterprise T1566.002 Spearphishing Link Night Dragon sent spearphishing emails containing links to compromised websites from which malware was downloaded. [1]
enterprise T1219 Remote Access Software Night Dragon has used several remote administration tools as persistent infiltration channels. [1]
enterprise T1550 Use Alternate Authentication Material -
enterprise T1550.002 Pass the Hash Night Dragon used pass-the-hash tools to gain additional usernames and passwords. [1]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Night Dragon enticed users to click on links in spearphishing emails to download malware. [1]
enterprise T1078 Valid Accounts Night Dragon has used compromised VPN accounts to gain access to victim systems. [1]
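The T1190 and T1074.002 rows above describe two web-server-side behaviours that leave traces in ordinary access logs: SQL injection against extranet applications, and files staged on a company web server and then pulled down over HTTP. The following added example (written for this page, not code from the Night Dragon actors, MITRE or any referenced report) runs simple detection heuristics over a handful of constructed combined-log-format lines. The addresses, paths, timestamps, signature regexes, the archive-extension list and the 10 MiB size threshold are all assumptions chosen for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined-format lines, constructed for this example; none of the
# addresses, paths or timestamps come from real Night Dragon telemetry.
SAMPLE_ACCESS_LOG = """\
203.0.113.10 - - [17/Jan/2011:10:01:02 +0000] "GET /extranet/login.aspx?user=admin'%20OR%20'1'%3D'1&pass=x HTTP/1.1" 200 5120
203.0.113.10 - - [17/Jan/2011:10:01:09 +0000] "GET /extranet/report.aspx?id=1%20UNION%20SELECT%20name,pwd%20FROM%20users-- HTTP/1.1" 500 312
198.51.100.7 - - [17/Jan/2011:10:05:00 +0000] "GET /extranet/report.aspx?id=42 HTTP/1.1" 200 8192
203.0.113.10 - - [17/Jan/2011:22:14:31 +0000] "GET /images/update.rar HTTP/1.1" 200 52428800
198.51.100.7 - - [17/Jan/2011:22:20:00 +0000] "GET /images/logo.png HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Injection signatures, applied to the URL-decoded query string (assumed heuristics).
SQLI_SIGNATURES = {
    "quote-tautology": re.compile(r"'\s*(or|and)\s+'", re.IGNORECASE),
    "union-select": re.compile(r"\bunion\b(\s+all)?\s+select\b", re.IGNORECASE),
    "trailing-comment": re.compile(r"(--|#|/\*)\s*$"),
    "stacked-query": re.compile(r";\s*(exec|drop|xp_cmdshell)\b", re.IGNORECASE),
}

# Staging heuristic (assumed): a large archive or binary served from the web root.
STAGING_EXTENSIONS = (".rar", ".zip", ".7z", ".cab", ".exe", ".dll")
STAGING_MIN_BYTES = 10 * 1024 * 1024


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # decode %20, + and %3D before matching
    return rec


def detect_sqli(query):
    """Names of the injection signatures that fire on a decoded query string."""
    return [name for name, rx in SQLI_SIGNATURES.items() if rx.search(query)]


def is_staging_download(rec):
    """Successful GET of a large archive/binary: a candidate for T1074.002 retrieval."""
    return (rec["method"] == "GET" and rec["status"] == "200"
            and rec["path"].lower().endswith(STAGING_EXTENSIONS)
            and rec["size"] >= STAGING_MIN_BYTES)


def scan_access_log(text):
    """Walk the log once and emit one finding per technique per line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        hits = detect_sqli(rec["query"])
        if hits:
            findings.append({"line": lineno, "technique": "T1190", "ip": rec["ip"],
                             "target": rec["path"], "detail": ",".join(hits)})
        if is_staging_download(rec):
            findings.append({"line": lineno, "technique": "T1074.002", "ip": rec["ip"],
                             "target": rec["path"], "detail": f"{rec['size']} bytes"})
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_ACCESS_LOG):
        print(f"line {f['line']}: {f['technique']} {f['ip']} {f['target']} ({f['detail']})")
```

Decoding the query string before matching matters: the sample lines carry `%20` and `%3D`, so a signature run against the raw URL would miss `' OR '1'='1`. The staging check is deliberately coarse; in practice it would be tightened by correlating the download with an earlier write to the same path (web shell activity, FTP or SMB upload) and with the requesting address also appearing in the injection findings, as it does in the constructed sample.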
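The T1027 row (an XOR-encoded section inside a DLL) and the T1027.002 row (packed tools) describe two different obfuscation layers that an analyst triages differently: a single-byte XOR keeps the byte distribution of the plaintext, so the section stays low-entropy and the key can be brute-forced, whereas a packed or encrypted region is near 8 bits of entropy per byte and must be unpacked rather than decoded. The added example below (written for this page, not code from the Night Dragon actors, MITRE or any referenced report) classifies a section by entropy and, for the low-entropy case, recovers a single-byte XOR key by scoring how text-like each candidate decoding is. The sample "config" bytes, the key 0x5A, the seeded pseudo-random "packed" region and both thresholds are constructed assumptions.

```python
import math
import random
from collections import Counter

# Bytes counted as "text-like" when scoring a candidate decoding: letters, digits,
# space, tab and line endings. Punctuation is deliberately excluded so that a wrong
# key which merely case-flips letters still loses points on spaces and digits.
TEXT_LIKE = (frozenset(range(0x30, 0x3A)) | frozenset(range(0x41, 0x5B))
             | frozenset(range(0x61, 0x7B)) | frozenset({0x09, 0x0A, 0x0D, 0x20}))


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for packed/encrypted data, roughly 4-5 for ASCII text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def text_like_ratio(data):
    if not data:
        return 0.0
    return sum(1 for b in data if b in TEXT_LIKE) / len(data)


def xor_decode(data, key):
    return bytes(b ^ key for b in data)


def recover_single_byte_xor(data):
    """Try every non-zero key and return (key, score) for the most text-like output."""
    best_key, best_score = 0, -1.0
    for key in range(1, 256):
        score = text_like_ratio(xor_decode(data, key))
        if score > best_score:
            best_key, best_score = key, score
    return best_key, best_score


def classify_section(data, entropy_threshold=7.0, text_threshold=0.9):
    """Return (kind, key): kind is high-entropy, plaintext, single-byte-xor or unknown."""
    if shannon_entropy(data) > entropy_threshold:
        return ("high-entropy", None)      # packed or encrypted: XOR recovery is pointless
    if text_like_ratio(data) > text_threshold:
        return ("plaintext", None)
    key, score = recover_single_byte_xor(data)
    if score > text_threshold:
        return ("single-byte-xor", key)
    return ("unknown", None)


# --- constructed sample data; not bytes from any real Night Dragon sample ---
SAMPLE_PLAINTEXT = (
    b"night dragon sample config\n"
    b"c2 host c2.example.invalid port 8080\n"
    b"beacon interval 300 seconds\n"
    b"campaign id nd 2011 01 17\n"
)
SAMPLE_KEY = 0x5A                                  # assumed key used to build the blob
SAMPLE_XOR_BLOB = xor_decode(SAMPLE_PLAINTEXT, SAMPLE_KEY)
SAMPLE_PACKED_BLOB = bytes(random.Random(7).getrandbits(8) for _ in range(4096))

if __name__ == "__main__":
    for name, blob in (("xor section", SAMPLE_XOR_BLOB), ("packed section", SAMPLE_PACKED_BLOB)):
        kind, key = classify_section(blob)
        line = f"{name}: entropy={shannon_entropy(blob):.2f} -> {kind}"
        if key is not None:
            line += f" key=0x{key:02x} preview={xor_decode(blob, key)[:26]!r}"
        print(line)
```

The ordering of the checks is the point: entropy first, because a single-byte XOR of high-entropy data is still high-entropy and brute-forcing it would only produce 255 equally random outputs; text-likeness second, so that a section that is already readable is not "decoded" into garbage. Multi-byte XOR keys need a per-position variant of the same scoring (recover the key length by byte-distribution periodicity, then solve each position independently), which is a straightforward extension of `recover_single_byte_xor`.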

Software

ID Name References Techniques
S0073 ASPXSpy [1] Web Shell: Server Software Component
S0110 at - At: Scheduled Task/Job
S0008 gsecdump - LSA Secrets: OS Credential Dumping; Security Account Manager: OS Credential Dumping
S0029 PsExec - Domain Account: Create Account; Windows Service: Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares: Remote Services; Service Execution: System Services
S0350 zwShell - Windows Command Shell: Command and Scripting Interpreter; Windows Service: Create or Modify System Process; File and Directory Discovery; File Deletion: Indicator Removal on Host; Modify Registry; Remote Desktop Protocol: Remote Services; SMB/Windows Admin Shares: Remote Services; Scheduled Task: Scheduled Task/Job; System Information Discovery; System Network Configuration Discovery; System Owner/User Discovery

References
