Poseidon Group

Poseidon Group is a Portuguese-speaking threat group that has been active since at least 2005. The group has a history of using information exfiltrated from victims to blackmail victim companies into contracting the Poseidon Group as a security firm. ^[1]

ID: G0033

Version: 1.1

Created: 31 May 2017

Last Modified: 18 March 2020

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1087	.001	Account Discovery: Local Account	Poseidon Group searches for administrator accounts on both the local victim machine and the network.^[1]
		.002	Account Discovery: Domain Account	Poseidon Group searches for administrator accounts on both the local victim machine and the network.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.^[1]
Enterprise	T1036	.005	Masquerading: Match Legitimate Name or Location	Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.^[1]
Enterprise	T1003		OS Credential Dumping	Poseidon Group conducts credential dumping on victims, with a focus on obtaining credentials belonging to domain and database servers.^[1]
Enterprise	T1057		Process Discovery	After compromising a victim, Poseidon Group lists all running processes.^[1]
Enterprise	T1049		System Network Connections Discovery	Poseidon Group obtains and saves information about victim network interfaces and addresses.^[1]
Enterprise	T1007		System Service Discovery	After compromising a victim, Poseidon Group discovers all running services.^[1]

References

Kaspersky Lab's Global Research and Analysis Team. (2016, February 9). Poseidon Group: a Targeted Attack Boutique specializing in global cyber-espionage. Retrieved March 16, 2016.

Poseidon Group

Enterprise Layer

Techniques Used

References