Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа APT33
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
APT33
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
ID: G0064
Associated Groups: HOLMIUM, Elfin
Version: 1.4
Created: 18 Apr 2018
Last Modified: 23 May 2022

Associated Group Descriptions
Name Description
HOLMIUM (Citation: Microsoft Holmium June 2020)
Elfin (Citation: Symantec Elfin Mar 2019)

Techniques Used
Domain ID Name Use
Enterprise T1071 .001 Application Layer Protocol: Web Protocols

APT33 has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019)
Enterprise T1560 .001 Archive Collected Data: Archive via Utility

APT33 has used WinRAR to compress data prior to exfil.(Citation: Symantec Elfin Mar 2019)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)
Enterprise T1110 .003 Brute Force: Password Spraying

APT33 has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

APT33 has utilized PowerShell to download files from the C2 server and run various scripts. (Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020)
.005 Command and Scripting Interpreter: Visual Basic

APT33 has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)
Enterprise T1132 .001 Data Encoding: Standard Encoding

APT33 has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail)
Enterprise T1573 .001 Encrypted Channel: Symmetric Cryptography

APT33 has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail)
Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020)
Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

APT33 has used FTP to exfiltrate files (separately from the C2 channel).(Citation: Symantec Elfin Mar 2019)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)
.004 OS Credential Dumping: LSA Secrets

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

.005 OS Credential Dumping: Cached Domain Credentials

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

Enterprise T1588 .002 Obtain Capabilities: Tool

APT33 has obtained and leveraged publicly-available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019)
Enterprise T1566 .001 Phishing: Spearphishing Attachment

APT33 has sent spearphishing e-mails with archive attachments.(Citation: Microsoft Holmium June 2020)
.002 Phishing: Spearphishing Link

APT33 has sent spearphishing emails containing links to .hta files.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

APT33 has created a scheduled task to execute a .vbe file multiple times a day.(Citation: Symantec Elfin Mar 2019)
Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)
.006 Unsecured Credentials: Group Policy Preferences

APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail)

Enterprise T1204 .001 User Execution: Malicious Link

APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019)
.002 User Execution: Malicious File

APT33 has used malicious e-mail attachments to lure victims into executing malware.(Citation: Microsoft Holmium June 2020)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020)

Software
ID Name References Techniques
S0039 Net (Citation: Microsoft Net Utility) (Citation: Savill 1999) (Citation: Symantec Elfin Mar 2019) Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Local Groups, SMB/Windows Admin Shares, Domain Account
S0194 PowerSploit (Citation: FireEye APT33 Guardrail) (Citation: GitHub PowerSploit May 2012) (Citation: PowerShellMagazine PowerSploit July 2014) (Citation: PowerSploit Documentation) Path Interception by PATH Environment Variable, Keylogging, Reflective Code Loading, Credentials in Registry, Indicator Removal from Tools, Audio Capture, Windows Management Instrumentation, Path Interception by Unquoted Path, Query Registry, Data from Local System, Group Policy Preferences, Path Interception, Dynamic-link Library Injection, Obfuscated Files or Information, Access Token Manipulation, Windows Service, Screen Capture, Registry Run Keys / Startup Folder, Scheduled Task, DLL Search Order Hijacking, Path Interception by Search Order Hijacking, Kerberoasting, Local Account, Security Support Provider, Process Discovery, Windows Credential Manager, PowerShell, Domain Trust Discovery, LSASS Memory
S0198 NETWIRE (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: McAfee Netwire Mar 2015) Proxy, Registry Run Keys / Startup Folder, Software Packing, Symmetric Cryptography, Archive via Custom Method, Malicious File, Malicious Link, Automated Collection, XDG Autostart Entries, Visual Basic, Obfuscated Files or Information, PowerShell, Process Injection, Cron, File and Directory Discovery, Process Discovery, Unix Shell, System Network Connections Discovery, Archive Collected Data, Credentials from Web Browsers, Spearphishing Link, Plist Modification, Credentials from Password Stores, Match Legitimate Name or Location, Web Service, Hidden Files and Directories, Application Window Discovery, Windows Command Shell, Invalid Code Signature, Keylogging, Native API, Scheduled Task, Screen Capture, Login Items, System Network Configuration Discovery, Web Protocols, Process Hollowing, Modify Registry, System Information Discovery, Spearphishing Attachment, Local Data Staging, Non-Application Layer Protocol, Encrypted Channel, Launch Agent, Ingress Tool Transfer
S0363 Empire (Citation: EmPyre) (Citation: FireEye APT33 Guardrail) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Symantec Elfin Mar 2019) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0378 PoshC2 (Citation: FireEye APT33 Guardrail) (Citation: GitHub PoshC2) (Citation: Symantec Elfin Mar 2019) System Network Configuration Discovery, Credentials In Files, LLMNR/NBT-NS Poisoning and SMB Relay, Web Protocols, Windows Management Instrumentation, System Network Connections Discovery, Exploitation for Privilege Escalation, System Service Discovery, Create Process with Token, Bypass User Account Control, Service Execution, Local Account, Automated Collection, System Information Discovery, Keylogging, Domain Account, Archive via Utility, Pass the Hash, Local Groups, File and Directory Discovery, Proxy, Brute Force, LSASS Memory, Process Injection, Exploitation of Remote Services, Domain Trust Discovery, Access Token Manipulation, Network Service Discovery, Credentials from Password Stores, Network Sniffing, Windows Management Instrumentation Event Subscription, Password Policy Discovery
S0380 StoneDrill (Citation: DROPSHOT) (Citation: FireEye APT33 Sept 2017) (Citation: Kaspersky StoneDrill 2017) Virtualization/Sandbox Evasion, Ingress Tool Transfer, File Deletion, System Time Discovery, Process Injection, Security Software Discovery, Windows Management Instrumentation, Obfuscated Files or Information, System Information Discovery, Disk Structure Wipe, Query Registry, Disk Content Wipe, Visual Basic, Screen Capture, Data Destruction
S0358 Ruler (Citation: FireEye APT33 Guardrail) (Citation: Microsoft Holmium June 2020) (Citation: SensePost NotRuler) (Citation: SensePost Ruler GitHub) Outlook Rules, Outlook Forms, Outlook Home Page, Email Account
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Symantec Elfin Mar 2019) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0336 NanoCore (Citation: Cofense NanoCore Mar 2018) (Citation: DigiTrust NanoCore Jan 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: PaloAlto NanoCore Feb 2016) (Citation: Unit 42 Gorgon Group Aug 2018) Ingress Tool Transfer, Windows Command Shell, System Network Configuration Discovery, Video Capture, Disable or Modify System Firewall, Obfuscated Files or Information, Audio Capture, Visual Basic, Keylogging, Modify Registry, Symmetric Cryptography, Disable or Modify Tools, Registry Run Keys / Startup Folder, Uncommonly Used Port
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: Symantec Elfin Mar 2019) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0192 Pupy (Citation: FireEye APT33 Guardrail) (Citation: GitHub Pupy) Service Execution, Network Service Discovery, Screen Capture, Credentials In Files, Ingress Tool Transfer, Network Share Discovery, Asymmetric Cryptography, Bypass User Account Control, PowerShell, System Owner/User Discovery, Domain Account, Exfiltration Over C2 Channel, Credentials from Web Browsers, Audio Capture, Dynamic-link Library Injection, System Network Configuration Discovery, Local Email Collection, Systemd Service, Local Account, File and Directory Discovery, System Information Discovery, LSASS Memory, Keylogging, Web Protocols, System Checks, Remote Desktop Protocol, Pass the Ticket, LLMNR/NBT-NS Poisoning and SMB Relay, Local Account, Python, Video Capture, Clear Windows Event Logs, Token Impersonation/Theft, Archive via Utility, Registry Run Keys / Startup Folder, Cached Domain Credentials, LSA Secrets, System Network Connections Discovery, Credentials from Password Stores, Process Discovery
S0095 ftp (Citation: Linux FTP) (Citation: Microsoft FTP) (Citation: Symantec Elfin Mar 2019) Commonly Used Port, Lateral Tool Transfer, Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer
S0199 TURNEDUP (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017) (Citation: Symantec Elfin Mar 2019) Asynchronous Procedure Call, Screen Capture, Ingress Tool Transfer, Windows Command Shell, System Information Discovery, Registry Run Keys / Startup Folder
S0371 POWERTON (Citation: FireEye APT33 Guardrail) (Citation: Microsoft Holmium June 2020) Symmetric Cryptography, Web Protocols, PowerShell, Commonly Used Port, Security Account Manager, Registry Run Keys / Startup Folder, Windows Management Instrumentation Event Subscription
S0129 AutoIt backdoor (Citation: Forcepoint Monsoon) (Citation: Symantec Elfin Mar 2019) File and Directory Discovery, Bypass User Account Control, Standard Encoding, PowerShell

References

  1. Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019.
  2. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
  3. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
  4. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
  5. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.