{"description": "Enterprise techniques used by Night Dragon, ATT&CK campaign C0002 (v1.1)", "name": "Night Dragon (C0002)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.004", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors purchased hosted services to use for C2.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used HTTP for C2.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1110", "showSubtechniques": true}, {"techniqueID": "T1110.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used Cain & Abel to crack password hashes.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used [zwShell](https://attack.mitre.org/software/S0350) to establish full remote control of the connected machine and run command-line shells.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1584", "showSubtechniques": true}, {"techniqueID": "T1584.004", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors compromised web servers to use for C2.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1005", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), the threat actors collected files and 
other data from compromised systems.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors copied files to company web servers and subsequently downloaded them.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1685", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors disabled anti-virus and anti-spyware tools in some instances on the victim\u2019s machines. The actors also disabled proxy settings to allow direct communication from victims to the Internet.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1568", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used dynamic DNS services for C2.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1114", "showSubtechniques": true}, {"techniqueID": "T1114.001", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used RAT malware to exfiltrate email archives.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used SQL injection exploits against extranet web servers to gain access.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used compromised VPN accounts to gain access to victim systems.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": 
"T1008", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used company extranet servers as secondary C2 servers.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used [zwShell](https://attack.mitre.org/software/S0350) to establish full remote control of the connected machine and browse the victim file system.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1105", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used administrative utilities to deliver Trojan components to remote systems.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1112", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used [zwShell](https://attack.mitre.org/software/S0350) to establish full remote control of the connected machine and manipulate the Registry.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used software packing in its tools.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1027.013", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used a DLL that included an XOR-encoded section.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.001", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used Trojans 
from underground hacker websites.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors obtained and used tools such as [gsecdump](https://attack.mitre.org/software/S0008).(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors dumped account hashes using [gsecdump](https://attack.mitre.org/software/S0008).(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors sent spearphishing emails containing links to compromised websites where malware was downloaded.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1219", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used several remote administration tools as persistent infiltration channels.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors uploaded commonly available hacker tools to compromised web servers.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used password cracking and pass-the-hash tools to discover usernames and passwords.(Citation: McAfee Night Dragon)", "score": 
1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1550", "showSubtechniques": true}, {"techniqueID": "T1550.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used pass-the-hash tools to obtain authenticated access to sensitive internal desktops and servers.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors enticed users to click on links in spearphishing emails to download malware.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used compromised VPN accounts to gain access to victim systems.(Citation: McAfee Night Dragon)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1078.002", "comment": "During [Night Dragon](https://attack.mitre.org/campaigns/C0002), threat actors used domain accounts to gain further access to victim systems.(Citation: McAfee Night Dragon)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Night Dragon", "color": "#66b1ff"}]}