Night Dragon is a campaign name for activity involving a threat group that has conducted activity originating primarily in China.
Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.
Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.
|ATT&CK Technique||Opportunity Space||AD Technique||Use Case|
|T1003 - OS Credential Dumping||There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.||DTE0012 - Decoy Credentials||A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.|
|T1027 - Obfuscated Files or Information||In an adversary engagement scenario, there is an opportunity to introduce decoy systems that can influence an adversary's behavior or allow you to observe how they perform a specific task.||DTE0017 - Decoy System||A defender could implement a decoy system to study how and when an adversary obfuscate files and hides information.|
|T1071 - Application Layer Protocol||There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary.||DTE0027 - Network Monitoring||The defender can implement network monitoring for and alert on anomalous traffic patterns, large or unexpected data transfers, and other activity that may reveal the presence of an adversary.|
|T1074 - Data Staged||In an adversary engagement scenario, there is an opportunity to seed content to influence an adversary's behaviors, test their interest in specific topics, or add legitimacy to a system or environment.||DTE0030 - Pocket Litter||A defender can stage a variety of pocket litter files with known hashes around a system. Detections can be put in place if these hashes are seen moving around a system or out of the network.|
|T1078 - Valid Accounts||There is an opportunity to introduce user accounts that are used to make a system look more realistic.||DTE0010 - Decoy Account||A defender can create decoy user accounts which are used to make a decoy system or network look more realistic.|
|T1078 - Valid Accounts||There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.||DTE0012 - Decoy Credentials||A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.|
|T1078 - Valid Accounts||There is an opportunity to prepare user accounts so they look used and authentic.||DTE0008 - Burn-In||A defender can prepare a Decoy System by logging in to the Decoy Account and using it in ways consistent with the deception story, creating artifacts in the system that make it look legitimate.|
|T1133 - External Remote Services||There is an opportunity to determine if an adversary already has valid account credentials for your network and if they are trying to use them access your network via remote services.||DTE0017 - Decoy System||A defender can setup a decoy VPN server and see if an adversary attempts to use valid account to authenticate to it.|
|T1190 - Exploit Public-Facing Application||There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique.||DTE0017 - Decoy System||A defender can use decoy system running a public-facing application to see if an adversary attempts to compromise the system and learn their TTPs.|
|T1190 - Exploit Public-Facing Application||There is an opportunity to present several public-facing application options to see what application(s) the adversary targets.||DTE0013 - Decoy Diversity||A defender can use a diverse set of decoy systems to study an adversary and determine which types of public-facing applications they choose to exploit.|
|T1204 - User Execution||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0018 - Detonate Malware||A defender can execute adversary malware on a decoy system and examine its behaviors or potentially engage with the adversary to obtain further intelligence.|
|T1219 - Remote Access Software||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0017 - Decoy System||A defender can install remote access tools on decoy systems across the network to see if the adversary uses these tools for command and control.|
|T1550 - Use Alternate Authentication Material||There is an opportunity to detect the presence of an adversary by identifying and alerting on anomalous behaviors.||DTE0007 - Behavioral Analytics||Defenders can look for anomalies in where an account is authenticating and what it is authenticating to in order to detect potentially malicious intent.|
|T1562 - Impair Defenses||There is an opportunity to study the adversary and collect first-hand observations about them and their tools.||DTE0004 - Application Diversity||A defender can plant AV or monitoring tools which are easy for an adversary to remove. If an adversary removes these, they may be enticed to act more openly believing they have removed monitoring from the system.|
|T1562 - Impair Defenses||There is an opportunity to create a detection with a moderately high probability of success.||DTE0034 - System Activity Monitoring||A defender can monitor for signs that security tools and other controls are being tampered with by an adversary.|
|T1562 - Impair Defenses||There is an opportunity to create a detection with a moderately high probability of success.||DTE0033 - Standard Operating Procedure||A defender can define operating procedures for modifying GPOs and alert when they are not followed.|
|T1566 - Phishing||A phishing email can be detected and blocked from arriving at the intended recipient.||DTE0019 - Email Manipulation||A defender can intercept emails that are detected as suspicious or malicious by email detection tools and prevent deliver to the intended target.|
|T1566 - Phishing||A phishing email can be detected and moved from the intended recipient to a decoy account for reading and execution.||DTE0023 - Migrate Attack Vector||A defender can move suspicious emails to a decoy system prior to opening and examining the email.|
|T1566 - Phishing||Users trained and encouraged to report phishing can detect attacks that other defenses do not.||DTE0035 - User Training||A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.|
|T1566 - Phishing||There is an opportunity to discover who or what is being targeting by an adversary.||DTE0015 - Decoy Persona||A defender can seed information about the decoy persona's personal accounts on systems to see if the adversary collects and uses that information in future activity.|