Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]
| Name | Description |
|---|---|
| TG-1314 | |
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[1] |
| Enterprise | T1078.002 | Valid Accounts: Domain Accounts | Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[1] |
| Enterprise | T1072 | Software Deployment Tools | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[1] |
| Enterprise | T1021.002 | Remote Services: SMB/Windows Admin Shares | Threat Group-1314 actors mapped network drives using |
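
A detection-side illustration of two rows above, T1059.003 (shells spawned on remote systems) and T1021.002 (drives mapped to admin shares). This is an added example, not code from the ATT&CK entry or the cited report. The input is constructed, simplified process-creation telemetry (Sysmon Event ID 1 style fields); the hostnames and the `svc-altiris` account are made up, and treating `PSEXESVC.exe` (the service PsExec installs on the target) as the parent of a remotely spawned shell is an assumption about how the shell is launched.

```python
"""Detection sketch for two TG-1314 behaviours (added example, not ATT&CK code).

Input records are CONSTRUCTED, simplified process-creation events with the
fields host, user, parent (image path), image (path) and cmd (command line).
Assumptions: the PsExec service binary appears as PSEXESVC.exe and is the
parent of the spawned shell; hostnames and the service account are invented.
"""
import re

# Administrative shares: \\host\C$ (any drive letter), \\host\ADMIN$, \\host\IPC$.
ADMIN_SHARE = re.compile(
    r"\\\\[^\\\s]+\\(?:[A-Za-z]\$|ADMIN\$|IPC\$)(?=\s|$)", re.IGNORECASE
)
REMOTE_EXEC_PARENTS = {"psexesvc.exe"}  # assumption: PsExec's dropped service
SHELLS = {"cmd.exe", "powershell.exe"}
NET = {"net.exe", "net1.exe"}

# Constructed sample telemetry: a benign local shell, a remote shell spawned
# by the PsExec service, an admin-share mapping, and an ordinary share mapping.
SAMPLE_EVENTS = [
    {"host": "WS01", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c dir"},
    {"host": "SRV02", "user": "CORP\\svc-altiris",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe"},
    {"host": "SRV02", "user": "CORP\\svc-altiris",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use Z: \\FS01\C$ /user:CORP\svc-altiris"},
    {"host": "WS03", "user": "CORP\\asmith",
     "parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\net.exe",
     "cmd": r"net use H: \\FS01\Home"},
]


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules an event matches (empty list if none)."""
    hits = []
    image = basename(event["image"])
    parent = basename(event["parent"])
    cmd = event["cmd"]
    # T1059.003 + T1021.002: a command shell whose parent is the PsExec service.
    if image in SHELLS and parent in REMOTE_EXEC_PARENTS:
        hits.append("remote_shell_via_psexec")
    # T1021.002: `net use` against an administrative share.
    if image in NET and re.search(r"\buse\b", cmd, re.IGNORECASE) and ADMIN_SHARE.search(cmd):
        hits.append("admin_share_mapping")
    return hits


def scan(events=SAMPLE_EVENTS):
    """(host, user, rule) triples for every matching event, in input order."""
    return [(e["host"], e["user"], rule) for e in events for rule in classify(e)]


if __name__ == "__main__":
    for host, user, rule in scan():
        print(f"{host} {user} {rule}")
```

Both rules fire only on the `svc-altiris` events, which is the pattern the table describes: one compromised domain account reused for the management platform, for remote shells and for share mapping. In practice the two rules are most useful correlated by account and time window rather than alerted on individually, since `net use` against `C$` is also routine administrator behaviour.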

| ID | Name | References | Techniques |
|---|---|---|---|
| S0039 | Net | [1] | Create Account: Local Account, Create Account: Domain Account, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Indicator Removal: Network Share Connection Removal, System Time Discovery, System Services: Service Execution, System Service Discovery, System Network Connections Discovery, Network Share Discovery, Account Discovery: Domain Account, Account Discovery: Local Account, Account Manipulation: Additional Local or Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery |
| S0029 | PsExec | [1] | Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares |