Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. ^[1]

ID: G0028

ⓘ

Associated Groups: TG-1314

Version: 1.1

Created: 31 May 2017

Last Modified: 19 March 2020

Associated Group Descriptions

Name	Description
TG-1314	^[1]

Techniques Used

Domain	ID		Name	Use
Enterprise	T1059	.003	Command and Scripting Interpreter: Windows Command Shell	Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.^[1]
Enterprise	T1021	.002	Remote Services: SMB/Windows Admin Shares	Threat Group-1314 actors mapped network drives using `net use`.^[1]
Enterprise	T1072		Software Deployment Tools	Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.^[1]
Enterprise	T1078	.002	Valid Accounts: Domain Accounts	Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.^[1]

Software

ID	Name	References	Techniques
S0039	Net	^[1]	Account Discovery: Local Account, Account Discovery: Domain Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Local Groups, Permission Groups Discovery: Domain Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery
S0029	PsExec	^[1]	Create Account: Domain Account, Create or Modify System Process: Windows Service, Lateral Tool Transfer, Remote Services: SMB/Windows Admin Shares, System Services: Service Execution

References

Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.