
Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

ID: G0028
Associated Groups: TG-1314
Version: 1.0
Created: 31 May 2017
Last Modified: 25 March 2019

Associated Group Descriptions

Name | Description
TG-1314 | [1]

Techniques Used

Domain ID Name Use
Enterprise T1059 Command-Line Interface

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[1]

Enterprise T1072 Third-party Software

Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[1]

Enterprise T1078 Valid Accounts

Threat Group-1314 actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally.[1]

Enterprise T1077 Windows Admin Shares

Threat Group-1314 actors mapped network drives using net use.[1]
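The four techniques above leave process-creation evidence that a detection engineer can key on: a shell whose parent is the Altiris agent (T1072 and T1059), the PSEXESVC service binary that PsExec drops on the target (S0029 / T1077), and net use against an administrative share, optionally with a credential passed on the command line (T1077 and T1078). The script below is an added illustration, not code from the ATT&CK page or from the cited report. It runs those rules over constructed Sysmon-style process-creation records; the Altiris agent binary name AeXNSAgent.exe, the field names and the sample events are assumptions made for the example.

```python
"""Toy detection rules for the TG-1314 tradecraft listed above.
Added example, not MITRE or Secureworks code. Sample events are constructed;
AeXNSAgent.exe is assumed to be the Altiris agent binary name."""
import json
import re

# Constructed Sysmon EventID 1 (process creation) records, one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"WS01","ParentImage":"C:\\Windows\\explorer.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c dir","User":"CORP\\alice"}
{"host":"WS02","ParentImage":"C:\\Program Files\\Altiris\\Altiris Agent\\AeXNSAgent.exe","Image":"C:\\Windows\\System32\\cmd.exe","CommandLine":"cmd.exe /c whoami","User":"NT AUTHORITY\\SYSTEM"}
{"host":"WS02","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net use Z: \\\\FS01\\C$ /user:CORP\\svc_altiris Passw0rd!","User":"CORP\\svc_altiris"}
{"host":"FS01","ParentImage":"C:\\Windows\\System32\\services.exe","Image":"C:\\Windows\\PSEXESVC.exe","CommandLine":"C:\\Windows\\PSEXESVC.exe","User":"NT AUTHORITY\\SYSTEM"}
{"host":"WS03","ParentImage":"C:\\Windows\\System32\\cmd.exe","Image":"C:\\Windows\\System32\\net.exe","CommandLine":"net use \\\\PRINT01\\Queue1","User":"CORP\\bob"}
"""

SHELLS = {"cmd.exe", "powershell.exe"}
ALTIRIS_AGENT = "aexnsagent.exe"          # assumed Altiris agent process name
PSEXEC_SERVICE = "psexesvc.exe"           # service binary PsExec installs on the target
# \\host\C$ , \\host\ADMIN$ , \\host\IPC$ anywhere in a command line
ADMIN_SHARE_RE = re.compile(r"\\\\[^\\\s]+\\(c\$|admin\$|ipc\$)", re.IGNORECASE)
# "net use" or "net1 use", with or without a path prefix
NET_USE_RE = re.compile(r"(^|\\)net1?(\.exe)?\s+use\b", re.IGNORECASE)
EXPLICIT_CRED_RE = re.compile(r"/user:", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the list of findings (strings) for one process-creation event."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    findings = []

    # T1072 / T1059: the endpoint-management agent spawning an interactive shell
    if image in SHELLS and parent == ALTIRIS_AGENT:
        findings.append("T1072/T1059: shell spawned by Altiris agent")

    # S0029 / T1077: PsExec's service binary running on the target
    if image == PSEXEC_SERVICE or parent == PSEXEC_SERVICE:
        findings.append("S0029/T1077: PsExec service execution")

    # T1077: net use mapping an administrative share; T1078 if a credential is inline
    if image in ("net.exe", "net1.exe") and NET_USE_RE.search(cmd):
        share = ADMIN_SHARE_RE.search(cmd)
        if share:
            findings.append(f"T1077: net use mapping admin share {share.group(0)}")
        if EXPLICIT_CRED_RE.search(cmd):
            findings.append("T1078: explicit credential supplied on net use command line")
    return findings


def scan(jsonl):
    """Run classify() over JSON-lines input; return (host, finding) pairs."""
    alerts = []
    for line in jsonl.strip().splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        for finding in classify(event):
            alerts.append((event["host"], finding))
    return alerts


if __name__ == "__main__":
    for host, finding in scan(SAMPLE_EVENTS):
        print(f"{host}: {finding}")
```

The rules deliberately stay narrow: an ordinary net use to a print queue or user share (the WS03 record) produces nothing, while the C$ mapping with a /user: credential and the Altiris-spawned shell on WS02 each surface. In production the same logic would be fed from Sysmon Event 1 or Windows 4688 with command-line auditing enabled, and the PsExec rule is usually paired with service-install events (7045) naming PSEXESVC.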


Software

ID | Name | References | Techniques
S0039 | Net | [1] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0029 | PsExec | [1] | Service Execution, Windows Admin Shares