
APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)
ID: G0064
Associated Groups: HOLMIUM, Peach Sandstorm, Elfin
Version: 2.0
Created: 18 Apr 2018
Last Modified: 11 Apr 2024

Associated Group Descriptions

Name Description
HOLMIUM (Citation: Microsoft Holmium June 2020)
Peach Sandstorm (Citation: Microsoft Threat Actor Naming July 2023)
Elfin (Citation: Symantec Elfin Mar 2019)

Techniques Used

Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT33 has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT33 has used WinRAR to compress data prior to exfiltration.(Citation: Symantec Elfin Mar 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)

Enterprise T1110 .003 Brute Force: Password Spraying

APT33 has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT33 has utilized PowerShell to download files from the C2 server and run various scripts.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)

.005 Command and Scripting Interpreter: Visual Basic

APT33 has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

Enterprise T1132 .001 Data Encoding: Standard Encoding

APT33 has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail)

Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT33 has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

APT33 has used FTP to exfiltrate files (separately from the C2 channel).(Citation: Symantec Elfin Mar 2019)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

.004 OS Credential Dumping: LSA Secrets

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

.005 OS Credential Dumping: Cached Domain Credentials

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

APT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT33 has obtained and leveraged publicly available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT33 has sent spearphishing emails with archive attachments.(Citation: Microsoft Holmium June 2020)

.002 Phishing: Spearphishing Link

APT33 has sent spearphishing emails containing links to .hta files.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT33 has created a scheduled task to execute a .vbe file multiple times a day.(Citation: Symantec Elfin Mar 2019)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

.006 Unsecured Credentials: Group Policy Preferences

APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

Enterprise T1204 .001 User Execution: Malicious Link

APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)

.002 User Execution: Malicious File

APT33 has used malicious email attachments to lure victims into executing malware.(Citation: Microsoft Holmium June 2020)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020)
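As an added defensive example for the password-spraying entry above (T1110.003), and not code from MITRE ATT&CK or from any source cited on this page: a small Python detector that flags a source address failing logons against many distinct accounts within a short window, which is the shape a spray takes in authentication logs, while leaving a single account hammered repeatedly to a separate brute-force rule. The input records (field names modelled loosely on the Windows Security event 4625 fields for target user, source address and time), the sample data and the thresholds are constructed assumptions, not values from the page.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of failed-logon records. Field names are an assumption
# modelled on Windows Security event 4625 (TargetUserName, IpAddress,
# TimeCreated); none of these addresses, users or times are real data.
SAMPLE_EVENTS = [
    # 203.0.113.7: one failure against each of many accounts in a few minutes
    {"time": "2024-04-11T09:00:01", "user": "alice", "src": "203.0.113.7"},
    {"time": "2024-04-11T09:00:32", "user": "bob", "src": "203.0.113.7"},
    {"time": "2024-04-11T09:01:05", "user": "carol", "src": "203.0.113.7"},
    {"time": "2024-04-11T09:01:40", "user": "dave", "src": "203.0.113.7"},
    {"time": "2024-04-11T09:02:11", "user": "erin", "src": "203.0.113.7"},
    {"time": "2024-04-11T09:02:50", "user": "frank", "src": "203.0.113.7"},
    # same source 40 minutes later: outside the default window, a separate cluster
    {"time": "2024-04-11T09:42:00", "user": "grace", "src": "203.0.113.7"},
    # 198.51.100.9: many failures against one account (brute force, not a spray)
    {"time": "2024-04-11T09:00:10", "user": "bob", "src": "198.51.100.9"},
    {"time": "2024-04-11T09:00:12", "user": "bob", "src": "198.51.100.9"},
    {"time": "2024-04-11T09:00:14", "user": "bob", "src": "198.51.100.9"},
    {"time": "2024-04-11T09:00:16", "user": "bob", "src": "198.51.100.9"},
    {"time": "2024-04-11T09:00:18", "user": "bob", "src": "198.51.100.9"},
    # 192.0.2.5: a person mistyping passwords on two of their own accounts
    {"time": "2024-04-11T09:05:00", "user": "alice", "src": "192.0.2.5"},
    {"time": "2024-04-11T09:05:30", "user": "alice.admin", "src": "192.0.2.5"},
]


def parse_time(value):
    """Parse the ISO-8601 timestamp used in the constructed records."""
    return datetime.fromisoformat(value)


def detect_password_spray(events, window_seconds=600, min_accounts=5):
    """Return {source: max distinct accounts failed within any window} for
    every source that reaches min_accounts.

    A spray is many accounts with few attempts each, so the rule counts
    distinct target users per source inside a sliding time window. A single
    account hammered many times never raises the distinct count and is left
    to a separate brute-force rule.
    """
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append((parse_time(event["time"]), event["user"]))

    findings = {}
    for src, attempts in by_src.items():
        attempts.sort()  # chronological, so the window can slide forward
        best = 0
        end = 0
        for start, (t_start, _) in enumerate(attempts):
            # advance `end` to the first attempt outside the window at `start`;
            # it only moves forward because attempts are sorted
            while (end < len(attempts)
                   and (attempts[end][0] - t_start).total_seconds() <= window_seconds):
                end += 1
            distinct = len({user for _, user in attempts[start:end]})
            best = max(best, distinct)
        if best >= min_accounts:
            findings[src] = best
    return findings


if __name__ == "__main__":
    for src, count in detect_password_spray(SAMPLE_EVENTS).items():
        print(f"possible password spray from {src}: {count} distinct accounts in window")
```

The window and account thresholds are the tuning knobs: real sprays are often slow (one attempt per account per hour to stay under lockout policy), so a production rule would keep a longer window than the ten minutes used here and correlate with event 4771/4776 on domain controllers and with cloud sign-in logs, since the page notes this group also used compromised Office 365 accounts.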

Software

ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Symantec Elfin Mar 2019) Domain Account, Local Account, Domain Groups, System Service Discovery, Network Share Discovery, Additional Local or Domain Groups, SMB/Windows Admin Shares, Local Account, Domain Account, System Network Connections Discovery, Local Groups, Network Share Connection Removal, Password Policy Discovery, Remote System Discovery, Service Execution, System Time Discovery
S0194 PowerSploit (Citation: FireEye APT33 Guardrail) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Scheduled Task, Windows Management Instrumentation, Screen Capture, Keylogging, Path Interception by PATH Environment Variable, Audio Capture, Local Account, Windows Service, DLL, Credentials in Registry, Data from Local System, Reflective Code Loading, Security Support Provider, Path Interception by Search Order Hijacking, LSASS Memory, Domain Trust Discovery, Group Policy Preferences, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Indicator Removal from Tools, Path Interception by Unquoted Path, Query Registry, Path Interception, Windows Credential Manager, Command Obfuscation, Access Token Manipulation, Kerberoasting, Dynamic-link Library Injection
S0198 NETWIRE (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015) Scheduled Task, Screen Capture, Fileless Storage, Keylogging, Archive via Custom Method, Local Data Staging, Match Legitimate Resource Name or Location, Malicious File, Symmetric Cryptography, Cron, Spearphishing Link, Spearphishing Attachment, Automated Collection, System Information Discovery, Native API, Credentials from Password Stores, Process Injection, Application Window Discovery, Archive Collected Data, Modify Registry, Credentials from Web Browsers, Plist Modification, System Network Configuration Discovery, Proxy, File and Directory Discovery, System Network Connections Discovery, Web Service, Login Items, Process Discovery, PowerShell, Registry Run Keys / Startup Folder, Unix Shell, Process Hollowing, Obfuscated Files or Information, Invalid Code Signature, Encrypted Channel, Non-Application Layer Protocol, Launch Agent, Windows Command Shell, Software Packing, Web Protocols, Visual Basic, XDG Autostart Entries, Ingress Tool Transfer, Hidden Files and Directories, Malicious Link
S0363 Empire (Citation: EmPyre) (Citation: FireEye APT33 Guardrail) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Symantec Elfin Mar 2019) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking
S0378 PoshC2 (Citation: FireEye APT33 Guardrail) (Citation: GitHub PoshC2) (Citation: Symantec Elfin Mar 2019) Archive via Utility, Windows Management Instrumentation, Keylogging, Bypass User Account Control, Domain Account, Local Account, Automated Collection, System Service Discovery, Network Sniffing, System Information Discovery, Credentials from Password Stores, Process Injection, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, System Network Configuration Discovery, Proxy, Domain Trust Discovery, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Windows Management Instrumentation Event Subscription, Exploitation of Remote Services, Local Groups, Brute Force, Exploitation for Privilege Escalation, Password Policy Discovery, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Service Execution
S0380 StoneDrill (Citation: DROPSHOT) (Citation: FireEye APT33 Sept 2017) (Citation: Kaspersky StoneDrill 2017) Windows Management Instrumentation, Screen Capture, Disk Structure Wipe, Encrypted/Encoded File, System Information Discovery, Process Injection, Virtualization/Sandbox Evasion, Query Registry, Security Software Discovery, Data Destruction, File Deletion, Visual Basic, Ingress Tool Transfer, System Time Discovery, Disk Content Wipe
S0358 Ruler (Citation: FireEye APT33 Guardrail) (Citation: Microsoft Holmium June 2020) (Citation: SensePost NotRuler) (Citation: SensePost Ruler GitHub) Outlook Rules, Email Account, Outlook Forms, Outlook Home Page
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Symantec Elfin Mar 2019) Security Account Manager, LSA Secrets, Credentials from Password Stores, Security Support Provider, Rogue Domain Controller, Credentials from Web Browsers, Private Keys, LSASS Memory, Golden Ticket, Pass the Ticket, Steal or Forge Authentication Certificates, Account Manipulation, SID-History Injection, Silver Ticket, Windows Credential Manager, Pass the Hash, DCSync
S0336 NanoCore (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018) Keylogging, Audio Capture, Symmetric Cryptography, Disable or Modify System Firewall, Modify Registry, Video Capture, System Network Configuration Discovery, Registry Run Keys / Startup Folder, Disable or Modify Tools, Obfuscated Files or Information, Uncommonly Used Port, Windows Command Shell, Visual Basic, Ingress Tool Transfer
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: Symantec Elfin Mar 2019) Keychain, LSA Secrets, Proc Filesystem, Credentials from Password Stores, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials In Files, /etc/passwd and /etc/shadow, Windows Credential Manager
S0192 Pupy (Citation: FireEye APT33 Guardrail) (Citation: GitHub Pupy) Archive via Utility, Screen Capture, System Owner/User Discovery, Keylogging, Audio Capture, Bypass User Account Control, Local Email Collection, LSA Secrets, Local Account, System Checks, Network Share Discovery, System Information Discovery, Credentials from Password Stores, Credentials from Web Browsers, Local Account, Clear Windows Event Logs, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Cached Domain Credentials, Video Capture, System Network Configuration Discovery, Domain Account, Pass the Ticket, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Token Impersonation/Theft, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Registry Run Keys / Startup Folder, Asymmetric Cryptography, Python, Web Protocols, Systemd Service, XDG Autostart Entries, Network Service Discovery, Ingress Tool Transfer, Remote Desktop Protocol, Service Execution, Dynamic-link Library Injection
S0095 ftp (Citation: Linux FTP) (Citation: Microsoft FTP) (Citation: Symantec Elfin Mar 2019) Lateral Tool Transfer, Ingress Tool Transfer, Commonly Used Port, Exfiltration Over Unencrypted Non-C2 Protocol
S0199 TURNEDUP (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: Symantec Elfin Mar 2019) Screen Capture, System Information Discovery, Asynchronous Procedure Call, Registry Run Keys / Startup Folder, Windows Command Shell, Ingress Tool Transfer
S0371 POWERTON (Citation: FireEye APT33 Guardrail) (Citation: Microsoft Holmium June 2020) Security Account Manager, Symmetric Cryptography, Windows Management Instrumentation Event Subscription, PowerShell, Registry Run Keys / Startup Folder, Web Protocols, Commonly Used Port
S1134 DEADWOOD (Citation: RecordedFuture IranianResponse 2020) (Citation: SentinelOne Agrius 2021) Embedded Payloads, Disk Structure Wipe, Encrypted/Encoded File, Deobfuscate/Decode Files or Information, Masquerade Task or Service, Account Access Removal, Data Destruction, Service Execution, System Time Discovery, Disk Content Wipe
S0129 AutoIt backdoor (Citation: Forcepoint Monsoon) (Citation: Symantec Elfin Mar 2019) Standard Encoding, Bypass User Account Control, File and Directory Discovery, PowerShell
