G0074 Dragonfly 2.0

Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least December 2015. [1][2] There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. [3][4]

Item Value
ID G0074
Associated Names IRON LIBERTY, DYMALLOY, Berserk Bear
Version 2.1
Created 17 October 2018
Last Modified 14 October 2021

Associated Group Descriptions

Name Description
IRON LIBERTY [5][6]
DYMALLOY [4]
Berserk Bear [3]

Techniques Used

Domain ID Name Use
enterprise T1087 Account Discovery -
enterprise T1087.002 Domain Account Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller. [1]
enterprise T1098 Account Manipulation Dragonfly 2.0 added newly created accounts to the administrators group to maintain elevated access. [1][7]
enterprise T1071 Application Layer Protocol Dragonfly 2.0 used SMB for C2. [1]
enterprise T1560 Archive Collected Data Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it. [1]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence. [1]
enterprise T1547.009 Shortcut Modification Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication. [1]
enterprise T1110 Brute Force -
enterprise T1110.002 Password Cracking Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra and CrackMapExec. [1][7][8]
enterprise T1059 Command and Scripting Interpreter Dragonfly 2.0 used command line for execution. [1]
enterprise T1059.001 PowerShell Dragonfly 2.0 used PowerShell scripts for execution. [1][2][7]
enterprise T1059.003 Windows Command Shell Dragonfly 2.0 used various types of scripting to perform operations, including batch scripts. [1][7]
enterprise T1059.006 Python Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim. [1][7]
enterprise T1136 Create Account -
enterprise T1136.001 Local Account Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. [1][7]
enterprise T1005 Data from Local System Dragonfly 2.0 collected data from local victim systems. [1]
enterprise T1074 Data Staged -
enterprise T1074.001 Local Data Staging Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it. [1]
enterprise T1189 Drive-by Compromise Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims. [1]
enterprise T1114 Email Collection -
enterprise T1114.002 Remote Email Collection Dragonfly 2.0 accessed email accounts using Outlook Web Access. [7]
enterprise T1133 External Remote Services Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. [1][7]
enterprise T1083 File and Directory Discovery Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts. [1]
enterprise T1187 Forced Authentication Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. [1][7]
enterprise T1564 Hide Artifacts -
enterprise T1564.002 Hidden Users Dragonfly 2.0 modified the Registry to hide created user accounts. [1]
enterprise T1562 Impair Defenses -
enterprise T1562.004 Disable or Modify System Firewall Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389. [1][7]
enterprise T1070 Indicator Removal on Host -
enterprise T1070.001 Clear Windows Event Logs Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. [1][7]
enterprise T1070.004 File Deletion Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots. [1][7]
enterprise T1105 Ingress Tool Transfer Dragonfly 2.0 copied and installed tools for operations once in the victim environment. [1][7]
enterprise T1036 Masquerading Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account. [1][7]
enterprise T1112 Modify Registry Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg. [1]
enterprise T1135 Network Share Discovery Dragonfly 2.0 identified and browsed file servers in the victim network, sometimes viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. [1][7]
enterprise T1003 OS Credential Dumping -
enterprise T1003.002 Security Account Manager Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. [1][7]
enterprise T1003.003 NTDS Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. They also obtained ntds.dit from domain controllers. [1][7][9]
enterprise T1003.004 LSA Secrets Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. [1][7][9]
enterprise T1069 Permission Groups Discovery -
enterprise T1069.002 Domain Groups Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain. [1]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims. [1][7]
enterprise T1566.002 Spearphishing Link Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. [1]
enterprise T1012 Query Registry Dragonfly 2.0 queried the Registry to identify victim information. [1]
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol Dragonfly 2.0 moved laterally via RDP. [1][7]
enterprise T1018 Remote System Discovery Dragonfly 2.0 likely obtained a list of hosts in the victim environment. [1]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. [1][7]
enterprise T1113 Screen Capture Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). [1][2]
enterprise T1505 Server Software Component -
enterprise T1505.003 Web Shell Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. [1][7]
enterprise T1016 System Network Configuration Discovery Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain. [1]
enterprise T1033 System Owner/User Discovery Dragonfly 2.0 used the command "query user" on victim hosts. [1]
enterprise T1221 Template Injection Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. [1][7]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links. [1][7]
enterprise T1204.002 Malicious File Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments. [1][7]
enterprise T1078 Valid Accounts Dragonfly 2.0 compromised user credentials and used valid accounts for operations. [1]

Software

ID Name References Techniques
S0488 CrackMapExec [1] Domain Account: Account Discovery, Password Guessing: Brute Force, Brute Force, Password Spraying: Brute Force, PowerShell: Command and Scripting Interpreter, File and Directory Discovery, Modify Registry, Network Share Discovery, NTDS: OS Credential Dumping, LSA Secrets: OS Credential Dumping, Security Account Manager: OS Credential Dumping, Password Policy Discovery, Domain Groups: Permission Groups Discovery, Remote System Discovery, At (Windows): Scheduled Task/Job, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Pass the Hash: Use Alternate Authentication Material, Windows Management Instrumentation
S0357 Impacket - LLMNR/NBT-NS Poisoning and SMB Relay: Adversary-in-the-Middle, Network Sniffing, Security Account Manager: OS Credential Dumping, LSASS Memory: OS Credential Dumping, NTDS: OS Credential Dumping, LSA Secrets: OS Credential Dumping, Kerberoasting: Steal or Forge Kerberos Tickets, Service Execution: System Services, Windows Management Instrumentation
S0500 MCMD - Web Protocols: Application Layer Protocol, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Data from Local System, Hidden Window: Hide Artifacts, Indicator Removal on Host, Ingress Tool Transfer, Match Legitimate Name or Location: Masquerading, Obfuscated Files or Information, Scheduled Task: Scheduled Task/Job
S0039 Net - Local Account: Account Discovery, Domain Account: Account Discovery, Local Account: Create Account, Domain Account: Create Account, Network Share Connection Removal: Indicator Removal on Host, Network Share Discovery, Password Policy Discovery, Local Groups: Permission Groups Discovery, Domain Groups: Permission Groups Discovery, SMB/Windows Admin Shares: Remote Services, Remote System Discovery, System Network Connections Discovery, System Service Discovery, Service Execution: System Services, System Time Discovery
S0108 netsh - Netsh Helper DLL: Event Triggered Execution, Disable or Modify System Firewall: Impair Defenses, Proxy, Security Software Discovery: Software Discovery
S0029 PsExec - Domain Account: Create Account, Windows Service: Create or Modify System Process, Lateral Tool Transfer, SMB/Windows Admin Shares: Remote Services, Service Execution: System Services
S0075 Reg - Modify Registry, Query Registry, Credentials in Registry: Unsecured Credentials
S0094 Trojan.Karagany - Web Protocols: Application Layer Protocol, Application Window Discovery, Registry Run Keys / Startup Folder: Boot or Logon Autostart Execution, Windows Command Shell: Command and Scripting Interpreter, Credentials from Web Browsers: Credentials from Password Stores, Local Data Staging: Data Staged, Asymmetric Cryptography: Encrypted Channel, File and Directory Discovery, File Deletion: Indicator Removal on Host, Ingress Tool Transfer, Keylogging: Input Capture, Software Packing: Obfuscated Files or Information, Obfuscated Files or Information, OS Credential Dumping, Process Discovery, Thread Execution Hijacking: Process Injection, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Checks: Virtualization/Sandbox Evasion
