Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [1]
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1036.005 | Masquerading: Match Legitimate Name or Location | Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[1] |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[1] |
| Enterprise | T1003 | OS Credential Dumping | Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.[1] |
| Enterprise | T1007 | System Service Discovery | After compromising a victim, Poseidon Group discovers all running services.[1] |
| Enterprise | T1049 | System Network Connections Discovery | Poseidon Group obtains and saves information about victim network interfaces and addresses.[1] |
| Enterprise | T1087.001 | Account Discovery: Local Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network.[1] |
| Enterprise | T1087.002 | Account Discovery: Domain Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network.[1] |
| Enterprise | T1057 | Process Discovery | After compromising a victim, Poseidon Group lists all running processes.[1] |