MITRE ATT&CK® Group

G0028: Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]

Domain: Enterprise | ID: G0028 | Type: Group | Object version: 1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

Threat Group-1314 matters less as an attributed actor and more as a practical warning: compromised credentials used against remote access infrastructure can look like normal administration. The related ATT&CK context points to use of legitimate tools and services such as PsExec, Net, Windows command shell, SMB/Windows Admin Shares, software deployment tools, and domain accounts, which means business risk often depends on whether the organization can distinguish authorized admin activity from credential misuse.

Executive priority

Prioritize this as an identity, remote access, and lateral movement readiness issue. Leaders should ask whether remote access is strongly governed, whether domain and administrative accounts are monitored for abnormal use, and whether SOC/IR teams have evidence to reconstruct activity involving Windows admin shares, command-line execution, and centralized deployment tools. This is also useful for audit and resilience planning because the relevant controls are often core IAM, privileged access, logging, and administrative tool governance rather than niche malware defenses.

Technical view

For SOC, detection engineering, and IR teams, validate coverage for successful remote access with valid or domain credentials followed by administrative execution or lateral movement. The mapped techniques and software (T1021.002 SMB/Windows Admin Shares, T1059.003 Windows Command Shell, T1072 Software Deployment Tools, T1078.002 Domain Accounts; the Net and PsExec tools) point to Windows-focused activity, plus abuse of the victim's own endpoint management platform (Altiris in the cited report) where such tooling is present. Review whether detections correlate identity events, endpoint process creation, remote service installation, SMB/admin share access, and changes or execution initiated by deployment platforms.

Likely telemetry

  • Remote access authentication logs, including successful logons and source/destination context
  • Directory and domain account authentication events
  • Privileged account and group membership activity
  • Endpoint process creation for command shell, PsExec-like execution, and Net utility usage
  • SMB and Windows admin share access logs where available

Detection direction

  • Tune for valid-account misuse rather than only malware indicators: unusual source locations, new remote access patterns, atypical admin share use, or commands run outside normal administrative windows.
  • Correlate identity and endpoint telemetry so a successful domain account logon can be linked to subsequent command execution, PsExec activity, Net utility use, or SMB lateral movement.
  • Baseline legitimate IT administration and software deployment activity to reduce false positives; these tools are dual-use and commonly legitimate.
  • Validate visibility on remote access infrastructure first, because the official description specifically notes compromised credentials used to log into remote access infrastructure.
  • Check for blind spots around service accounts, shared admin accounts, unmanaged endpoints, and deployment tools that may not forward detailed operator or job logs.
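The correlation and baselining described above, as an added example that is not Glexia or MITRE code: it joins a remote domain-account logon to follow-on admin-tool activity by the same account, then flags only chains that deviate from a local baseline. The event field names (ts, host, event_id, user, logon_type, src_ip, image, cmdline, service_name) are simplified assumptions loosely modelled on Windows events 4624, 4688 and 7045; the jump-host set and change window are assumed baseline inputs, and every sample event is constructed.

```python
"""Correlate remote logons by domain accounts with follow-on admin-tool activity.

Added example for this page, not Glexia or MITRE code. Field names are simplified
assumptions loosely modelled on Windows Security/System events 4624 (logon),
4688 (process creation) and 7045 (service install); a real pipeline would map its
own schema onto them. All sample events below are constructed.
"""
import re
from datetime import datetime, timedelta

# Constructed sample events: one credential-misuse chain (jdoe, from an external
# address at 02:10, net use to an admin share, then PSEXESVC appearing on a second
# host) and one legitimate admin session (it-admin, from the jump host, inside the
# change window, plain drive mapping).
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T02:10:00", "host": "FS01", "event_id": 4624, "user": "CORP\\jdoe",
     "logon_type": 3, "src_ip": "203.0.113.7"},
    {"ts": "2024-03-01T02:10:20", "host": "FS01", "event_id": 4688, "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c net use \\\\FS02\\C$ /user:CORP\\jdoe"},
    {"ts": "2024-03-01T02:11:05", "host": "FS02", "event_id": 7045, "user": "CORP\\jdoe",
     "service_name": "PSEXESVC", "image_path": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2024-03-01T14:00:00", "host": "FS01", "event_id": 4624, "user": "CORP\\it-admin",
     "logon_type": 10, "src_ip": "10.0.0.5"},
    {"ts": "2024-03-01T14:00:30", "host": "FS01", "event_id": 4688, "user": "CORP\\it-admin",
     "image": "C:\\Windows\\System32\\net.exe", "cmdline": "net use Z: \\\\FS02\\share"},
]

ADMIN_SHARE_RE = re.compile(r"\\\\[\w.-]+\\\w+\$")      # \\host\C$, \\host\ADMIN$, \\host\IPC$
NET_USE_RE = re.compile(r"\bnet1?\s+use\b", re.IGNORECASE)
REMOTE_LOGON_TYPES = {3, 10}   # network (SMB, PsExec) and RemoteInteractive (RDP)


def admin_tool_reason(ev):
    """Label an event if it is one of the dual-use mechanisms in the ATT&CK mapping, else None."""
    if ev["event_id"] == 7045 and ev.get("service_name", "").upper() == "PSEXESVC":
        return "psexec_service_install"              # S0029 PsExec, target side
    if ev["event_id"] != 4688:
        return None
    image = ev.get("image", "").lower().rsplit("\\", 1)[-1]
    cmd = ev.get("cmdline", "")
    if image.startswith("psexec"):
        return "psexec_client"                       # S0029 PsExec, source side
    if image in ("net.exe", "net1.exe") or NET_USE_RE.search(cmd):
        # net use is recognised whichever shell spawned it (S0039 Net / T1021.002)
        return "net_use_admin_share" if ADMIN_SHARE_RE.search(cmd) else "net_use"
    if image == "cmd.exe":
        return "cmd_shell"                           # T1059.003
    return None


def correlate(events, jump_hosts=frozenset(), change_hours=(8, 18), window=timedelta(minutes=15)):
    """Return findings: remote domain-account logons followed within `window` by admin-tool
    use that deviates from the baseline (source not a jump host, outside the change window,
    activity spreading to another host, or admin-share/PsExec use)."""
    evs = sorted(events, key=lambda e: e["ts"])       # ISO-8601 timestamps sort lexically
    findings = []
    for i, logon in enumerate(evs):
        if logon["event_id"] != 4624 or logon.get("logon_type") not in REMOTE_LOGON_TYPES:
            continue
        if "\\" not in logon["user"]:                  # domain accounts only (T1078.002)
            continue
        t0 = datetime.fromisoformat(logon["ts"])
        followups = [e for e in evs[i + 1:]
                     if e["user"] == logon["user"]
                     and datetime.fromisoformat(e["ts"]) <= t0 + window
                     and admin_tool_reason(e)]
        if not followups:
            continue
        reasons = sorted({admin_tool_reason(e) for e in followups})
        anomalies = []
        if logon["src_ip"] not in jump_hosts:
            anomalies.append("source_not_jump_host")
        if not change_hours[0] <= t0.hour < change_hours[1]:
            anomalies.append("outside_admin_window")
        if {e["host"] for e in followups} - {logon["host"]}:
            anomalies.append("activity_on_other_host")   # lateral movement indicator
        if set(reasons) & {"net_use_admin_share", "psexec_client", "psexec_service_install"}:
            anomalies.append("admin_share_or_psexec")
        if anomalies:
            findings.append({"user": logon["user"], "logon_host": logon["host"],
                             "src_ip": logon["src_ip"], "logon_ts": logon["ts"],
                             "reasons": reasons, "anomalies": anomalies,
                             "hosts": sorted({e["host"] for e in followups})})
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS, jump_hosts={"10.0.0.5"}):
        print(f"{f['logon_ts']} {f['user']} from {f['src_ip']} -> {f['hosts']}: "
              f"{', '.join(f['reasons'])} | anomalies: {', '.join(f['anomalies'])}")
```

Run stand-alone, the jdoe chain is reported with four anomalies while the it-admin session is suppressed by the baseline even though it also used net use. The deliberate design point is that the tool labels alone never raise a finding; only the combination of a remote domain logon, a mapped admin mechanism and a deviation from the local baseline does, which is what keeps dual-use tooling from flooding the queue.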

Mitigation priorities

  • Strengthen remote access controls with strong authentication, least privilege, and review of who can access remote infrastructure.
  • Reduce domain account exposure by limiting privileged account use, separating administrative roles, and regularly reviewing group membership and service accounts.
  • Govern legitimate administrative tooling, including PsExec-like utilities, command-line administration, SMB admin shares, and centralized deployment platforms.
  • Ensure logging is enabled and retained across identity providers, remote access systems, endpoints, Windows administrative services, and deployment tooling.
  • Prepare IR playbooks for suspected credential misuse that include account containment, session review, lateral movement scoping, and validation of administrative tool activity.

Analyst notes and limits

This object is an unattributed ATT&CK group entry with sparse official detail. Its value for defenders is in the behavior pattern: credential-based remote access and later use of legitimate administration mechanisms reflected in the related software and techniques. Treat it as a control validation scenario for identity security, remote access monitoring, Windows administration telemetry, and software deployment governance.

ATT&CK provides no official detection text, no object-level platforms or tactics, and no current activity claim in the supplied fields. Platform-specific guidance is inferred only from the supplied relationship context. Local environment baselines are required to separate authorized administration from suspicious use.

Official MITRE ATT&CK definition

Threat Group-1314

Threat Group-1314 is an unattributed threat group that has used compromised credentials to log into a victim's remote access infrastructure. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used (4 rows)

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available; all four procedures below cite the Dell TG-1314 report [1].

Domain | ID | Name | Relationship / procedure
Enterprise | T1021.002 | SMB/Windows Admin Shares (sub-technique) | Threat Group-1314 actors mapped network drives using net use. [1]
Enterprise | T1059.003 | Windows Command Shell (sub-technique) | Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands. [1]
Enterprise | T1072 | Software Deployment Tools | Threat Group-1314 actors used a victim's endpoint management platform, Altiris, for lateral movement. [1]
Enterprise | T1078.002 | Domain Accounts (sub-technique) | Threat Group-1314 actors used compromised domain credentials for the victim's endpoint management platform, Altiris, to move laterally. [1]

Associated objects

Groups, software, and campaigns

Citation numbers inside the mirrored software descriptions below refer to each software object's own ATT&CK references, not to the source references at the end of this page.

S0039: Net (Tool, Enterprise; platform: Windows)

The Net utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. [1]

Net has a great deal of functionality, [2] much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through SMB/Windows Admin Shares using net use commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as net1 user.

S0029: PsExec (Tool, Enterprise; platform: Windows)

PsExec is a free Microsoft tool that can be used to execute a program on another computer. It is used by IT administrators and attackers. [1][2]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the table compares the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Raw hash: 493951c22e66c98f...

Imported snapshots across ATT&CK releases (1)
Release | Object version | Status | Raw hash
19.1 | 1.1 | Current bundle | 493951c22e66...

Raw source

The raw object is retained through the mirrored ATT&CK source bundle and object hash; the raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Dell TG-1314: Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016.
  2. [2] Associated group name "TG-1314" (alias attribution: Dell TG-1314).
  3. [3] Associated group name "Threat Group-1314" (alias attribution: Dell TG-1314).
  4. [4] MITRE ATT&CK group entry G0028, Threat Group-1314 (attack.mitre.org).
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.