- Dragonfly has exploited a Windows Netlogon vulnerability (CVE-2020-1472) to obtain access to Windows Active Directory servers.
- Dragonfly has exploited CVE-2011-0611 in Adobe Flash Player to gain execution on a targeted system.
- Dragonfly has conducted SQL injection attacks, exploited vulnerabilities CVE-2019-19781 and CVE-2020-0688 for Citrix and MS Exchange, and CVE-2018-13379 for Fortinet VPNs.
- Email Collection: Remote Email Collection: Dragonfly has accessed email accounts using Outlook Web Access.
- Dragonfly has compromised targets via strategic web compromise (SWC) utilizing a custom exploit kit.
- Dragonfly has created a directory named "out" in the user's %AppData% folder and copied files to it.
- Dragonfly has collected data from local victim systems.
- Dragonfly has created accounts on victims, including administrator accounts, some of which appeared to be tailored to each individual staging target.
- Dragonfly has compromised legitimate websites to host C2 and malware modules.
- The group was observed installing Python 2.7 on a victim.
- Dragonfly has used various types of scripting to perform operations, including Python scripts.
- Dragonfly has used various types of scripting to perform operations, including batch scripts.
- Dragonfly has used PowerShell scripts for execution.
- Dragonfly has used the command line for execution.
- Dragonfly has dropped and executed tools used for password cracking, including Hydra and CrackMapExec.
- Dragonfly has attempted to brute force credentials to gain access.
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: Dragonfly has added the registry value ntdll to the Registry Run key to establish persistence.
- Dragonfly has scanned targeted systems for vulnerable Citrix and Microsoft Exchange services.
- Acquire Infrastructure: Virtual Private Server: Dragonfly has acquired VPS infrastructure for use in malicious campaigns.
- Dragonfly has registered domains for targeting intended victims.
- Dragonfly has added newly created accounts to the administrators group to maintain elevated access.
- Dragonfly has used batch scripts to enumerate users on a victim domain controller.