high_confidence

C0032

[C0032](https://attack.mitre.org/campaigns/C0032) was an extended campaign suspected to involve the [Triton](https://attack.mitre.org/software/S1009) adversaries with related capabilities and techniques focused on gaining a foothold within IT environments. This campaign occurred in 2019 and was distinctly different from the [Triton Safety Instrumented System Attack](https://attack.mitre.org/campaigns/C0030). (Citation: FireEye TRITON 2019)

Start date: 1 October 2014
End date: 1 January 2017
Techniques: 17

Attributed actors

Techniques (17)

collection (1)
T1074.001 Local Data Staging

command-and-control (2)
T1572 Protocol Tunneling
T1571 Non-Standard Port

credential-access (1)
T1003.001 LSASS Memory

execution (2)
T1059.001 PowerShell
T1053.005 Scheduled Task

initial-access (2)
T1078 Valid Accounts
T1133 External Remote Services

lateral-movement (2)
T1021.001 Remote Desktop Protocol
T1021.004 SSH

persistence (5)
T1078 Valid Accounts
T1133 External Remote Services
T1546.012 Image File Execution Options Injection
T1505.003 Web Shell
T1053.005 Scheduled Task

privilege-escalation (3)
T1078 Valid Accounts
T1546.012 Image File Execution Options Injection
T1053.005 Scheduled Task

resource-development (2)
T1588.002 Tool
T1583.003 Virtual Private Server

stealth (4)
T1036.005 Match Legitimate Resource Name or Location
T1078 Valid Accounts
T1070.006 Timestomp
T1070.004 File Deletion

Indicators of compromise

No IOCs linked to this campaign yet.
