Description
[PROMETHIUM](https://attack.mitre.org/groups/G0056) is an activity group focused on espionage that has been active since at least 2012. The group has conducted operations globally with a heavy emphasis on Turkish targets. [PROMETHIUM](https://attack.mitre.org/groups/G0056) has demonstrated similarity to another activity group called [NEODYMIUM](https://attack.mitre.org/groups/G0055) due to overlapping victim and campaign characteristics.(Citation: Microsoft NEODYMIUM Dec 2016)(Citation: Microsoft SIR Vol 21)(Citation: Talos Promethium June 2020)
Techniques Used (TTPs)
- T1204.002 — Malicious File (execution)
- T1587.002 — Code Signing Certificates (resource-development)
- T1078.003 — Local Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
- T1587.003 — Digital Certificates (resource-development)
- T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
- T1543.003 — Windows Service (persistence, privilege-escalation)
- T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
- T1036.004 — Masquerade Task or Service (defense-evasion)
- T1553.002 — Code Signing (defense-evasion)
- T1205.001 — Port Knocking (defense-evasion, persistence, command-and-control)
- T1189 — Drive-by Compromise (initial-access)
Total TTPs: 11
Malware & Tools
Malware: StrongPity, Truvasys