Group description: Thrip

attack.mitre.org · MITRE ATT&CK · 7 years ago · news
quality 2/10 · low quality
0 net
Tags
mitre attack
Thrip, Group G0076 | MITRE ATT&CK® ATT&CK v19 will be released April 28th! Check out this blog post for information on the planned deprecation of Enterprise's Defense Evasion tactic in the upcoming release. Home Groups Thrip Thrip Thrip is an espionage group that has targeted satellite communications, telecoms, and defense contractor companies in the U.S. and Southeast Asia. The group uses custom malware as well as "living off the land" techniques. [1] ID:  G0076 Version : 1.2 Created:  17 October 2018 Last Modified:  25 April 2025 Version Permalink Live Version ATT&CK ® Navigator Layers Enterprise Layer download view Techniques Used Domain ID Name Use Enterprise T1059 .001 Command and Scripting Interpreter : PowerShell Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance. [1] Enterprise T1048 .003 Exfiltration Over Alternative Protocol : Exfiltration Over Unencrypted Non-C2 Protocol Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP. [1] Enterprise T1588 .002 Obtain Capabilities : Tool Thrip has obtained and used tools such as Mimikatz and PsExec . [1] Enterprise T1219 .002 Remote Access Tools : Remote Desktop Software Thrip used a cloud-based remote access software called LogMeIn for their attacks. [1] Software ID Name References Techniques S0261 Catchamas [1] Application Window Discovery , Clipboard Data , Create or Modify System Process : Windows Service , Data Staged : Local Data Staging , Input Capture : Keylogging , Masquerading : Masquerade Task or Service , Modify Registry , Screen Capture , System Network Configuration Discovery S0002 Mimikatz [1] Access Token Manipulation : SID-History Injection , Account Manipulation , Boot or Logon Autostart Execution : Security Support Provider , Credentials from Password Stores , Credentials from Password Stores : Credentials from Web Browsers , Credentials from Password Stores : Windows Credential Manager , OS Credential Dumping : DCSync , OS Credential Dumping : Security Account Manager , OS Credential Dumping : LSASS Memory , OS Credential Dumping : LSA Secrets , Rogue Domain Controller , Steal or Forge Authentication Certificates , Steal or Forge Kerberos Tickets : Golden Ticket , Steal or Forge Kerberos Tickets : Silver Ticket , Unsecured Credentials : Private Keys , Use Alternate Authentication Material : Pass the Hash , Use Alternate Authentication Material : Pass the Ticket S0029 PsExec Thrip used PsExec to move laterally between computers on the victim’s network. [1] Create Account : Domain Account , Create or Modify System Process : Windows Service , Lateral Tool Transfer , Remote Services : SMB/Windows Admin Shares , System Services : Service Execution References Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018. × load more results
← Back to stories