Thrip
Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1]
ID: G0076
Version: 1.0
Created: 17 October 2018
Last Modified: 25 March 2019
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1048 | Exfiltration Over Alternative Protocol |
Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.[1] |
| Enterprise | T1086 | PowerShell |
Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance.[1] |
| Enterprise | T1219 | Remote Access Tools |
Thrip used a cloud-based remote access software called LogMeIn for their attacks.[1] |
Software
| ID | Name | References | Techniques |
|---|---|---|---|
| S0261 | Catchamas | [1] | Application Window Discovery, Clipboard Data, Data Staged, Input Capture, Masquerading, Modify Registry, New Service, Screen Capture, System Network Configuration Discovery |
| S0002 | Mimikatz | [1] | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection |
| S0029 | PsExec |
Thrip used PsExec to move laterally between computers on the victim’s network.[1] |
Service Execution, Windows Admin Shares |