G0033 Poseidon Group
Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [1]
Item | Value |
---|---|
ID | G0033 |
Associated Names | |
Version | 1.1 |
Created | 31 May 2017 |
Last Modified | 18 March 2020 |
Techniques Used
Domain | ID | Name | Use |
---|---|---|---|
enterprise | T1087 | Account Discovery | - |
enterprise | T1087.001 | Local Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1] |
enterprise | T1087.002 | Domain Account | Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1] |
enterprise | T1059 | Command and Scripting Interpreter | - |
enterprise | T1059.001 | PowerShell | The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components. [1] |
enterprise | T1036 | Masquerading | - |
enterprise | T1036.005 | Match Legitimate Name or Location | Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense. [1] |
enterprise | T1003 | OS Credential Dumping | Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers. [1] |
enterprise | T1057 | Process Discovery | After compromising a victim, Poseidon Group lists all running processes. [1] |
enterprise | T1049 | System Network Connections Discovery | Poseidon Group obtains and saves information about victim network interfaces and addresses. [1] |
enterprise | T1007 | System Service Discovery | After compromising a victim, Poseidon Group discovers all running services. [1] |