1. Home
  2. Groups
  3. Thrip

Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]

ID: G0076
Version: 1.2
Created: 17 October 2018
Last Modified: 12 October 2021
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1059 .001 命令与脚本解释器: PowerShell

Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1]
Enterprise T1048 .003 替代协议渗出: Exfiltration Over Unencrypted Non-C2 Protocol

Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1]
Enterprise T1588 .002 获取能力: Tool

Thrip has obtained and used tools such as Mimikatz and PsExec.[1]
Enterprise T1219 远程访问软件

Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1]

Software

ID Name References Techniques
S0261 Catchamas [1] 伪装: Masquerade Task or Service, 修改注册表, 创建或修改系统进程: Windows Service, 剪贴板数据, 屏幕捕获, 应用窗口发现, 数据分段: Local Data Staging, 系统网络配置发现, 输入捕获: Keylogging
S0002 Mimikatz [1] 从密码存储中获取凭证, 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证: Windows Credential Manager, 伪造域控制器, 使用备用认证材料: Pass the Hash, 使用备用认证材料: Pass the Ticket, 启动或登录自动启动执行: Security Support Provider, 操作系统凭证转储: DCSync, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: LSA Secrets, 未加密凭证: Private Keys, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 窃取或伪造身份认证证书, 访问令牌操控: SID-History Injection, 账号操控
S0029 PsExec Thrip used PsExec to move laterally between computers on the victim’s network.[1] 创建或修改系统进程: Windows Service, 创建账户: Domain Account, 横向工具传输, 系统服务: Service Execution, 远程服务: SMB/Windows Admin Shares

References

  1. Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.