Dragonfly 2.0 is a suspected Russian group that has targeted government entities and multiple U.S. critical infrastructure sectors since at least March 2016. (Citation: US-CERT TA18-074A) (Citation: Symantec Dragonfly Sept 2017) There is debate over the extent of overlap between Dragonfly 2.0 and Dragonfly, but there is sufficient evidence to lead to these being tracked as two separate groups. (Citation: Fortune Dragonfly 2.0 Sept 2017)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Windows, Office 365 | collection | Email Collection | Dragonfly 2.0 accessed email accounts using Outlook Web Access. | Office 365 trace logs, Mail server, Email gateway, Authentication logs, File monitoring, Process monitoring, Process use of network |
| Windows, Linux, macOS, SaaS | initial-access | Drive-by Compromise | Dragonfly 2.0 compromised legitimate organizations' websites to create watering holes to compromise victims. | Packet capture, Network device logs, Process use of network, Web proxy, Network intrusion detection system, SSL/TLS inspection |
| Windows | execution, persistence, privilege-escalation | Scheduled Task | Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | defense-evasion, execution | Scripting | Dragonfly 2.0 used various types of scripting to perform operations, including Python and batch scripts. The group was observed installing Python 2.7 on a victim. | Process monitoring, File monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion | File Deletion | Dragonfly 2.0 deleted many of its files used during operations as part of cleanup, including removing applications and deleting screenshots. | File monitoring, Process command-line parameters, Binary file metadata |
| Linux, macOS, Windows | defense-evasion | Masquerading | Dragonfly 2.0 created accounts disguised as legitimate backup and service accounts as well as an email administration account. | File monitoring, Process monitoring, Binary file metadata |
| Linux, macOS, Windows, Office 365, Azure AD | discovery | Permission Groups Discovery | Dragonfly 2.0 used batch scripts to enumerate administrators in the environment. | Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters |
| Windows | defense-evasion | Template Injection | Dragonfly 2.0 has injected SMB URLs into malicious Word spearphishing attachments to initiate Forced Authentication. | Anti-virus, Email gateway, Network intrusion detection system, Web logs |
| Linux, macOS, Windows | execution | Command-Line Interface | Dragonfly 2.0 used command line for execution. | Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure AD, Azure, Office 365 | persistence | Create Account | Dragonfly 2.0 created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target. | Office 365 account logs, Azure activity logs, AWS CloudTrail logs, Process monitoring, Process command-line parameters, Authentication logs, Windows event logs |
| Windows, macOS, Linux, Office 365, SaaS | initial-access | Spearphishing Link | Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites. | Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server |
| Windows | execution | PowerShell | Dragonfly 2.0 used PowerShell scripts for execution. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Windows, Linux, macOS | credential-access | Credential Dumping | Dragonfly 2.0 dropped and executed SecretsDump and CrackMapExec, tools that can dump password hashes. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| Linux, macOS, Windows, GCP, Azure, AWS | discovery | Remote System Discovery | Dragonfly 2.0 likely obtained a list of hosts in the victim environment. | Network protocol analysis, Process monitoring, Process use of network, Process command-line parameters |
| macOS, Windows, AWS, GCP, Azure | discovery | Network Share Discovery | Dragonfly 2.0 identified and browsed file servers in the victim network, sometimes , viewing files pertaining to ICS or Supervisory Control and Data Acquisition (SCADA) systems. | Process monitoring, Process command-line parameters, Network protocol analysis, Process use of network |
| Linux, macOS, Windows | collection | Screen Capture | Dragonfly 2.0 has performed screen captures of victims, including by using a tool, scr.exe (which matched the hash of ScreenUtil). | API monitoring, Process monitoring, File monitoring |
| Linux, Windows, macOS | execution | User Execution | Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links or attachments. | Anti-virus, Process command-line parameters, Process monitoring |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | Dragonfly 2.0 used SMB for C2. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Linux, macOS, Windows | defense-evasion | Disabling Security Tools | Dragonfly 2.0 has disabled host-based firewalls. The group has also globally opened port 3389. | API monitoring, File monitoring, Services, Windows Registry, Process command-line parameters, Anti-virus |
| Windows | defense-evasion | Modify Registry | Dragonfly 2.0 modified the Registry to perform multiple techniques through the use of Reg. | Windows Registry, File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | discovery | File and Directory Discovery | Dragonfly 2.0 used a batch script to gather folder and file names from victim hosts. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | persistence | Shortcut Modification | Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | defense-evasion | Indicator Removal on Host | Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used, including system, security, terminal services, remote services, and audit logs. The actors also deleted specific Registry keys. | File monitoring, Process monitoring, Process command-line parameters, API monitoring, Windows event logs |
| Linux, macOS, Windows, Office 365, Azure AD, SaaS | credential-access | Brute Force | Dragonfly 2.0 dropped and executed tools used for password cracking, including Hydra. | Office 365 account logs, Authentication logs |
| Linux, macOS, Windows | discovery | System Network Configuration Discovery | Dragonfly 2.0 used batch scripts to enumerate network information, including information about trusts, zones, and the domain. | Process monitoring, Process command-line parameters |
| Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | Dragonfly 2.0 compromised user credentials and used valid accounts for operations. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |
| Windows | persistence | Registry Run Keys / Startup Folder | Dragonfly 2.0 added the registry value ntdll to the Registry Run key to establish persistence. | Windows Registry, File monitoring |
| Linux, Windows, macOS | persistence, privilege-escalation | Web Shell | Dragonfly 2.0 commonly created Web shells on victims' publicly accessible email and web servers, which they used to maintain access to a victim network and download additional malicious files. | Anti-virus, Authentication logs, File monitoring, Netflow/Enclave netflow, Process monitoring |
| Windows | persistence, initial-access | External Remote Services | Dragonfly 2.0 used VPNs and Outlook Web Access (OWA) to maintain access to victim networks. | Authentication logs |
| Windows | lateral-movement | Remote Desktop Protocol | Dragonfly 2.0 moved laterally via RDP. | Authentication logs, Netflow/Enclave netflow, Process monitoring |
| Linux, macOS, Windows, GCP, AWS, Azure | collection | Data from Local System | Dragonfly 2.0 collected data from local victim systems. | File monitoring, Process monitoring, Process command-line parameters |
| Windows | discovery | Query Registry | Dragonfly 2.0 queried the Registry to identify victim information. | Windows Registry, Process monitoring, Process command-line parameters |
| Windows | credential-access | Forced Authentication | Dragonfly 2.0 has gathered hashed user credentials over SMB using spearphishing attachments with external resource links and by modifying .LNK file icon resources to collect credentials from virtualized systems. | File monitoring, Network protocol analysis, Network device logs, Process use of network |
| Linux, macOS, Windows, AWS, GCP, Azure | collection | Data Staged | Dragonfly 2.0 created a directory named "out" in the user's %AppData% folder and copied files to it. | File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control | Commonly Used Port | Dragonfly 2.0 used SMB over ports 445 or 139 for C2. The group also established encrypted connections over port 443. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | Dragonfly 2.0 copied and installed tools for operations once in the victim environment. | File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring |
| Windows, macOS, Linux | initial-access | Spearphishing Attachment | Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims. | File monitoring, Packet capture, Network intrusion detection system, Detonation chamber, Email gateway, Mail server |
| Linux, macOS, Windows | discovery | System Owner/User Discovery | Dragonfly 2.0 used the command query user on victim hosts. |
File monitoring, Process monitoring, Process command-line parameters |
| Windows, Office 365, Azure, GCP, Azure AD, AWS | credential-access, persistence | Account Manipulation | Dragonfly 2.0 added newly created accounts to the administrators group to maintain elevated access. | Authentication logs, API monitoring, Windows event logs, Packet capture |
| Linux, macOS, Windows, Office 365, Azure AD | discovery | Account Discovery | Dragonfly 2.0 used batch scripts to enumerate users in the victim environment. | Azure activity logs, Office 365 account logs, API monitoring, Process monitoring, Process command-line parameters |
| Linux, Windows, macOS | exfiltration | Data Compressed | Dragonfly 2.0 compressed data into .zip files prior to exfiltrating it. | Binary file metadata, File monitoring, Process command-line parameters, Process monitoring |