Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [1]

ID: G0033
Version: 1.1
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

Domain ID Name Use
Enterprise T1087 .001 Account Discovery: Local Account

Poseidon Group searches for administrator accounts on both the local victim machine and the network.[1]

.002 Account Discovery: Domain Account

Poseidon Group searches for administrator accounts on both the local victim machine and the network.[1]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.[1]

Enterprise T1036 .005 Masquerading: Match Legitimate Name or Location

Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.[1]

Enterprise T1003 OS Credential Dumping

Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.[1]

Enterprise T1057 Process Discovery

After compromising a victim, Poseidon Group lists all running processes.[1]

Enterprise T1049 System Network Connections Discovery

Poseidon Group obtains and saves information about victim network interfaces and addresses.[1]

Enterprise T1007 System Service Discovery

After compromising a victim, Poseidon Group discovers all running services.[1]

References