{"description": "Enterprise techniques used by Night Dragon, ATT&CK group G0014 v1.0", "name": "Night Dragon (G0014)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1192", "techniqueName": "Spearphishing Link", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) sent spearphishing emails containing links to compromised websites where malware was downloaded."}, {"score": 1, "techniqueID": "T1190", "techniqueName": "Exploit Public-Facing Application", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has performed SQL injection attacks of extranet web servers to gain access."}, {"score": 1, "techniqueID": "T1075", "techniqueName": "Pass the Hash", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) used pass-the-hash tools to gain usernames and passwords."}, {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has used HTTP for C2."}, {"score": 1, "techniqueID": "T1003", "techniqueName": "Credential Dumping", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has dumped account hashes with [Carbanak](https://attack.mitre.org/groups/G0008) and cracked them with Cain & Abel."}, {"score": 1, "techniqueID": "T1204", "techniqueName": "User Execution", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) enticed users to click on links in spearphishing emails to download malware."}, {"score": 1, "techniqueID": "T1219", "techniqueName": "Remote Access Tools", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has used several remote administration tools as persistent infiltration channels."}, {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has used ports 25 and 80 for C2 communications."}, {"score": 1, "techniqueID": "T1133", "techniqueName": 
"External Remote Services", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has used compromised VPN accounts to gain access to victim systems."}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has used compromised VPN accounts to gain access to victim systems."}, {"score": 1, "techniqueID": "T1089", "techniqueName": "Disabling Security Tools", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet."}, {"score": 1, "techniqueID": "T1074", "techniqueName": "Data Staged", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) has copied files to company web servers and subsequently downloaded them."}, {"score": 1, "techniqueID": "T1027", "techniqueName": "Obfuscated Files or Information", "comment": "A [Night Dragon](https://attack.mitre.org/groups/G0014) DLL included an XOR-encoded section."}, {"score": 1, "techniqueID": "T1045", "techniqueName": "Software Packing", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) is known to use software packing in its tools."}, {"score": 1, "techniqueID": "T1330", "techniqueName": "Acquire and/or use 3rd party software services", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) used third party hosting services in the U.S. in an attempt to hide their operations."}, {"score": 1, "techniqueID": "T1307", "techniqueName": "Acquire and/or use 3rd party infrastructure services", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) used servers in China, the U.S., and the Netherlands in an attempt to hide their operations."}, {"score": 1, "techniqueID": "T1351", "techniqueName": "Remote access tool development", "comment": "[Night Dragon](https://attack.mitre.org/groups/G0014) used privately developed and customized remote access tools."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Night Dragon", "color": "#ff6666"}]}