Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

ID: G0028
Aliases: Threat Group-1314, TG-1314
Version: 1.0

Alias Descriptions

Name | Description
Threat Group-1314 | [1]
TG-1314 | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1059 | Command-Line Interface | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. [1]
Enterprise | T1072 | Third-party Software | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. [1]
Enterprise | T1078 | Valid Accounts | Threat Group-1314 actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally. [1]
Enterprise | T1077 | Windows Admin Shares | Threat Group-1314 actors mapped network drives using net use. [1]

Software

ID | Name | Techniques
S0039 | Net | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0029 | PsExec | Service Execution, Windows Admin Shares

References