Thrip

Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]

ID: G0076
Aliases: Thrip
Version: 1.0

Alias Descriptions

Name  | Description
------|------------
Thrip | [1]

Techniques Used

Domain     | ID    | Name                                     | Use
-----------|-------|------------------------------------------|----------------------------------------------------------------------------------------------------------------
Enterprise | T1048 | Exfiltration Over Alternative Protocol   | Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1]
Enterprise | T1086 | PowerShell                               | Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1]
Enterprise | T1219 | Remote Access Tools                      | Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1]

Software

ID    | Name       | Techniques
------|------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
S0261 | Catchamas  | Application Window Discovery, Clipboard Data, Data Staged, Input Capture, Masquerading, Modify Registry, New Service, Screen Capture, System Network Configuration Discovery
S0002 | Mimikatz   | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec     | Service Execution, Windows Admin Shares

References