Skip to main content
Mallory
Back to threat actors
3 malware families

Threat Group-1314

Also known asTG-1314Threat Group-1314

Threat Group-1314 is a tracked threat actor referenced in ATT&CK-style mappings and Splunk analytic annotations as using Windows command execution, SMB-based lateral movement, domain account abuse, permission group discovery, account discovery, network share discovery, inter-process communication, and process injection. The provided content specifically states that Threat Group-1314 actors spawned shells on remote systems on a victim network to execute commands and used compromised domain credentials for the victim's Altiris endpoint management platform to move laterally. Techniques explicitly associated with the group in the content include T1059.003 (Windows Command Shell), T1021.002 (SMB/Windows Admin Shares), T1078.002 (Domain Accounts), T1069 (Permission Groups Discovery), T1087 (Account Discovery), T1135 (Network Share Discovery), T1559 (Inter-Process Communication), and T1055 (Process Injection). The group is also referenced in detections and hunting content related to suspicious named pipes, SMB activity, PowerView AD ACL enumeration, suspicious Kerberos TGT requests, potentially unwanted application named pipes, unusual Windows theme file creation, and Microsoft Intune administrative activity. Known aliases in the provided content are tg_1314 and threat_group_1314.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

15 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

9 of 15 tactics33 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0001
Initial Access
2 techniques
T1078×2
Valid Accounts
T1078.002×4
Domain Accounts
T1133
External Remote Services
TA0002
Execution
4 techniques
T1047×2
Windows Management Instrumentation
T1059
Command and Scripting Interpreter
T1059.003×7
Windows Command Shell
T1072×2
Software Deployment Tools
T1559×2
Inter-Process Communication
TA0003
Persistence
3 techniques
T1078×2
Valid Accounts
T1078.002×4
Domain Accounts
T1133
External Remote Services
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0004
Privilege Escalation
3 techniques
T1055×2
Process Injection
T1078×2
Valid Accounts
T1078.002×4
Domain Accounts
T1543
Create or Modify System Process
T1543.003×2
Windows Service
TA0005
Stealth
3 techniques
T1055×2
Process Injection
T1070
Indicator Removal
T1070.003
Clear Command History
T1078×2
Valid Accounts
T1078.002×4
Domain Accounts
TA0006
Credential Access
2 techniques
T1187
Forced Authentication
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
TA0007
Discovery
1 technique
T1069
Permission Groups Discovery
TA0008
Lateral Movement
2 techniques
T1021
Remote Services
T1021.002×9
SMB/Windows Admin Shares
T1021.003×2
Distributed Component Object Model
T1072×2
Software Deployment Tools
TA0009
Collection
1 technique
T1557
Adversary-in-the-Middle
T1557.001
Name Resolution Poisoning and SMB Relay
ARSENAL

Associated malware families

3 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen
ImpacketThe following analytic identifies suspicious command-line parameters associated with the use of Impacket's smbexec.py for lateral movement. This activity is significant as both Red Teams and adversaries use Impacket for remote code execution and lateral movement.2Mar 17, 2026
PowerViewThe following analytic detects the execution of PowerView PowerShell cmdlets Get-ObjectAcl or Get-DomainObjectAcl , which are used to enumerate Access Control List (ACL) permissions for Active Directory objects.1Mar 18, 2026
PsExecThe following analytic identifies the execution of PsExec.exe with the accepteula flag in the command line... PsExec is commonly used by threat actors to execute code on remote systems... potentially leading to further system compromise and lateral movement within the network.1Mar 17, 2026
ACTIVITY FEED

Recent activity

20 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

20 SOURCESView more in app
splunk researchNews
Apr 13, 2026
Detection: Windows Theme File Creation in Unusual Location | Splunk Security Content

Listed in the detection annotations as a threat actor associated with techniques involving Windows theme files, forced authentication, name resolution poisoning/SMB relay, and SMB/Windows admin shares.

Read more
splunk researchNews
Apr 13, 2026
Detection: Windows File Association Modification via Ftype | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution behavior relevant to this detection.

Read more
splunk researchNews
Feb 25, 2026
Detection: CMD Carry Out String Command Parameter | Splunk Security Content

Listed as a threat actor associated with Windows Command Shell execution via cmd.exe /c or /k in this detection context.

Read more
splunk researchNews
Feb 25, 2026
Detection: CMD Echo Pipe - Escalation | Splunk Security Content

Listed as a threat actor associated with the named-pipe impersonation privilege-escalation detection.

Read more
+28 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping15

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal3

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.