Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. (Citation: Dell TG-1314)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | execution | Command-Line Interface | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. | Process monitoring, Process command-line parameters |
| Windows | lateral-movement | Windows Admin Shares | Threat Group-1314 actors mapped network drives using net use. |
Process use of network, Authentication logs, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | execution, lateral-movement | Third-party Software | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. | File monitoring, Third-party application logs, Windows Registry, Process monitoring, Process use of network, Binary file metadata |
| Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | Threat Group-1314 actors used compromised credentials for the victim's endpoint management platform, Altiris, to move laterally. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |