Night Dragon

Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China. [1]

ID: G0014
Version: 1.4
Created: 31 May 2017
Last Modified: 12 October 2021

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

Night Dragon has used HTTP for C2.[1]

Enterprise T1074 .002 Data Staged: Remote Data Staging

Night Dragon has copied files to company web servers and subsequently downloaded them.[1]

Enterprise T1587 .001 Develop Capabilities: Malware

Night Dragon used privately developed and customized remote access tools.[1]

Enterprise T1190 Exploit Public-Facing Application

Night Dragon has performed SQL injection attacks of extranet web servers to gain access.[1]

Enterprise T1133 External Remote Services

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim’s machines. The actors have also disabled proxy settings to allow direct communication from victims to the Internet.[1]

Enterprise T1027 Obfuscated Files or Information

A Night Dragon DLL included an XOR-encoded section.[1]

.002 Software Packing

Night Dragon is known to use software packing in its tools.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

Night Dragon has obtained and used tools such as gsecdump.[1]

Enterprise T1003 .002 OS Credential Dumping: Security Account Manager

Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.[1]

Enterprise T1566 .002 Phishing: Spearphishing Link

Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.[1]

Enterprise T1219 Remote Access Software

Night Dragon has used several remote administration tools as persistent infiltration channels.[1]

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

Night Dragon used pass-the-hash tools to gain usernames and passwords.[1]

Enterprise T1204 .001 User Execution: Malicious Link

Night Dragon enticed users to click on links in spearphishing emails to download malware.[1]

Enterprise T1078 Valid Accounts

Night Dragon has used compromised VPN accounts to gain access to victim systems.[1]


ID Name References Techniques
S0073 ASPXSpy [1] Server Software Component: Web Shell
S0110 at [1] Scheduled Task/Job: At
S0008 gsecdump [1] OS Credential Dumping: Security Account Manager, OS Credential Dumping: LSA Secrets
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution
S0350 zwShell [1] Command and Scripting Interpreter: Windows Command Shell, Create or Modify System Process: Windows Service, File and Directory Discovery, Indicator Removal on Host: File Deletion, Modify Registry, Remote Services: SMB/Windows Admin Shares, Remote Services: Remote Desktop Protocol, Scheduled Task/Job: Scheduled Task, System Information Discovery, System Network Configuration Discovery, System Owner/User Discovery