Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

ID: G0028
Associated Groups: TG-1314
Version: 1.1
Created: 31 May 2017
Last Modified: 19 March 2020

Associated Group Descriptions

Name Description
TG-1314

[1]

Techniques Used

Domain ID Name Use
Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[1]

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

Threat Group-1314 actors mapped network drives using net use.[1]

Enterprise T1072 Software Deployment Tools

Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[1]

Enterprise T1078 .002 Valid Accounts: Domain Accounts

Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[1]

Software

ID Name References Techniques
S0039 Net [1] Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Domain Account, Create Account: Local Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0029 PsExec [1] Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References