
G0033 Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. [1]

ID: G0033
Associated Names: (none listed)
Version: 1.1
Created: 31 May 2017
Last Modified: 18 March 2020

Techniques Used

All techniques below are in the Enterprise domain.

T1087 Account Discovery
  T1087.001 Local Account: Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1]
  T1087.002 Domain Account: Poseidon Group searches for administrator accounts on both the local victim machine and the network. [1]

T1059 Command and Scripting Interpreter
  T1059.001 PowerShell: The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components. [1]

T1036 Masquerading
  T1036.005 Match Legitimate Name or Location: Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense. [1]

T1003 OS Credential Dumping: Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers. [1]

T1057 Process Discovery: After compromising a victim, Poseidon Group lists all running processes. [1]

T1049 System Network Connections Discovery: Poseidon Group obtains and saves information about victim network interfaces and addresses. [1]

T1007 System Service Discovery: After compromising a victim, Poseidon Group discovers all running services. [1]
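The behaviours listed above (a burst of account, process, service and network discovery shortly after compromise, plus tools that spoof anti-virus process names) are what a defender would hunt for in process-creation telemetry. The following is an added example of that detection logic, written for this page and not code from MITRE or from the Poseidon Group's own tooling. It runs over constructed Windows process-creation records (Sysmon Event ID 1 / Security 4688 style). The command-line fragments mapped to each technique, the anti-virus process names and their expected directories are assumptions chosen for illustration; the page does not document which commands or AV products the group actually uses.

```python
"""Detection logic for the post-compromise behaviours on this page:
discovery bursts (T1087, T1057, T1007, T1049) and anti-virus process-name
spoofing (T1036.005). Added example, not MITRE's or the group's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed mapping of command-line fragments to the discovery techniques on this
# page. A real deployment derives these from its own telemetry and tooling.
DISCOVERY_PATTERNS = {
    "T1087.001": ("net localgroup administrators", "net user"),
    "T1087.002": ('net group "domain admins" /domain', "net user /domain"),
    "T1057":     ("tasklist", "get-process"),
    "T1007":     ("sc query", "net start", "get-service"),
    "T1049":     ("ipconfig /all", "netstat -an", "get-netipaddress"),
}

# Assumed: process names used by legitimate AV products and the directory they
# are expected to run from (lower-case). Real values come from the vendor inventory.
EXPECTED_AV_PATHS = {
    "msmpeng.exe": r"c:\programdata\microsoft\windows defender\platform",
    "avp.exe":     r"c:\program files (x86)\kaspersky lab",
}


def classify(cmdline):
    """Return the set of technique IDs whose patterns appear in cmdline."""
    c = cmdline.lower()
    return {tid for tid, pats in DISCOVERY_PATTERNS.items()
            if any(p in c for p in pats)}


def discovery_bursts(events, window=timedelta(minutes=10), min_techniques=3):
    """Flag hosts on which >= min_techniques distinct discovery techniques
    occur within `window`: the reconnaissance pattern described above.
    Returns {host: sorted technique IDs} for the first qualifying window."""
    per_host = defaultdict(list)
    for e in events:
        tids = classify(e["cmdline"])
        if tids:
            per_host[e["host"]].append((e["time"], tids))
    alerts = {}
    for host, items in per_host.items():
        items.sort(key=lambda x: x[0])
        for i, (start, _) in enumerate(items):
            seen = set()
            for t, tids in items[i:]:
                if t - start > window:
                    break
                seen |= tids
            if len(seen) >= min_techniques:
                alerts[host] = sorted(seen)
                break
    return alerts


def spoofed_av_processes(events):
    """Flag images whose file name matches a known AV process but which run
    from an unexpected directory (T1036.005)."""
    hits = []
    for e in events:
        path = e["image"].lower()
        name = path.rsplit("\\", 1)[-1]
        expected = EXPECTED_AV_PATHS.get(name)
        if expected and not path.startswith(expected):
            hits.append((e["host"], e["image"]))
    return hits


# Constructed sample telemetry for illustration (not real logs).
T0 = datetime(2024, 1, 1, 9, 0, 0)
SAMPLE_EVENTS = [
    {"host": "ws01", "time": T0, "image": r"C:\Windows\System32\net.exe",
     "cmdline": 'net group "Domain Admins" /domain'},
    {"host": "ws01", "time": T0 + timedelta(minutes=1),
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist /v"},
    {"host": "ws01", "time": T0 + timedelta(minutes=2),
     "image": r"C:\Windows\System32\sc.exe", "cmdline": "sc query state= all"},
    {"host": "ws01", "time": T0 + timedelta(minutes=3),
     "image": r"C:\Users\Public\MsMpEng.exe", "cmdline": "MsMpEng.exe"},
    # ws02: two discovery commands two hours apart, outside the window.
    {"host": "ws02", "time": T0, "image": r"C:\Windows\System32\ipconfig.exe",
     "cmdline": "ipconfig /all"},
    {"host": "ws02", "time": T0 + timedelta(hours=2),
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
    # ws03: the real Defender engine running from its expected directory.
    {"host": "ws03", "time": T0,
     "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe",
     "cmdline": "MsMpEng.exe"},
]

if __name__ == "__main__":
    print(discovery_bursts(SAMPLE_EVENTS))      # ws01 only
    print(spoofed_av_processes(SAMPLE_EVENTS))  # the MsMpEng.exe under C:\Users\Public
```

Only ws01 trips the burst rule: three distinct discovery techniques inside ten minutes, followed by a binary named after the Defender engine launched from a user-writable directory. ws02 performs the same kind of commands but spread over hours, which is routine administration and is deliberately not alerted on; ws03 shows the genuine AV process passing the path check. The window and threshold are tuning knobs, not values the page prescribes.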

References
