Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

ID: G0028
Associated Groups: TG-1314
Version: 1.1
Created: 31 May 2017
Last Modified: 19 March 2020

Associated Group Descriptions

Name Description
TG-1314

[1]

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Threat Group-1314 actors mapped network drives using net use.[1]

Enterprise T1072 Software Deployment Tools

Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[1]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[1]

Software

References