
G0028 Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure.[1]

| Item | Value |
|---|---|
| ID | G0028 |
| Associated Names | TG-1314 |
| Version | 1.1 |
| Created | 31 May 2017 |
| Last Modified | 19 March 2020 |

Associated Group Descriptions

| Name | Description |
|---|---|
| TG-1314 | [1] |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.003 | Windows Command Shell | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands.[1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.002 | SMB/Windows Admin Shares | Threat Group-1314 actors mapped network drives using net use.[1] |
| enterprise | T1072 | Software Deployment Tools | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement.[1] |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.002 | Domain Accounts | Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally.[1] |

Software

| ID | Name | References | Techniques (Sub-technique:Technique) |
|---|---|---|---|
| S0039 | Net | [1] | Domain Account:Account Discovery; Local Account:Account Discovery; Local Account:Create Account; Domain Account:Create Account; Network Share Connection Removal:Indicator Removal; Network Share Discovery; Password Policy Discovery; Local Groups:Permission Groups Discovery; Domain Groups:Permission Groups Discovery; SMB/Windows Admin Shares:Remote Services; Remote System Discovery; System Network Connections Discovery; System Service Discovery; Service Execution:System Services; System Time Discovery |
| S0029 | PsExec | [1] | Domain Account:Create Account; Windows Service:Create or Modify System Process; Lateral Tool Transfer; SMB/Windows Admin Shares:Remote Services; Service Execution:System Services |

References