Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

ID: G0028
Associated Groups: TG-1314
Version: 1.0

Associated Group Descriptions

Name    | Description
TG-1314 | [1]

Techniques Used

Domain     | ID    | Name                   | Use
Enterprise | T1059 | Command-Line Interface | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. [1]
Enterprise | T1072 | Third-party Software   | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. [1]
Enterprise | T1078 | Valid Accounts         | Threat Group-1314 actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally. [1]
Enterprise | T1077 | Windows Admin Shares   | Threat Group-1314 actors mapped network drives using net use. [1]

Software

ID    | Name   | References | Techniques
S0039 | Net    | [1]        | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0029 | PsExec | [1]        | Service Execution, Windows Admin Shares

References