APT33
Associated Group Descriptions

| Name | Description |
|---|---|
| HOLMIUM | (Citation: Microsoft Holmium June 2020) |
| Peach Sandstorm | (Citation: Microsoft Threat Actor Naming July 2023) |
| Elfin | (Citation: Symantec Elfin Mar 2019) |
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1071.001 | Application Layer Protocol: Web Protocols | APT33 has used HTTP for command and control.(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1560.001 | Archive Collected Data: Archive via Utility | APT33 has used WinRAR to compress data prior to exfiltration.(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1110.003 | Brute Force: Password Spraying | APT33 has used password spraying to gain access to target systems.(Citation: FireEye APT33 Guardrail)(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | APT33 has utilized PowerShell to download files from the C2 server and run various scripts.(Citation: Symantec Elfin Mar 2019)(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1059.005 | Command and Scripting Interpreter: Visual Basic | APT33 has used VBScript to initiate the delivery of payloads.(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | APT33 has used base64 to encode command and control traffic.(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1573.001 | Encrypted Channel: Symmetric Cryptography | APT33 has used AES for encryption of command and control traffic.(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1546.003 | Event Triggered Execution: Windows Management Instrumentation Event Subscription | APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1048.003 | Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol | APT33 has used FTP to exfiltrate files (separately from the C2 channel).(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1003.001 | OS Credential Dumping: LSASS Memory | APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1003.004 | OS Credential Dumping: LSA Secrets | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1003.005 | OS Credential Dumping: Cached Domain Credentials | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1027.013 | Obfuscated Files or Information: Encrypted/Encoded File | APT33 has used base64 to encode payloads.(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | APT33 has obtained and leveraged publicly available tools for early intrusion activities.(Citation: FireEye APT33 Guardrail)(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1566.001 | Phishing: Spearphishing Attachment | APT33 has sent spearphishing e-mails with archive attachments.(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1566.002 | Phishing: Spearphishing Link | APT33 has sent spearphishing emails containing links to .hta files.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | APT33 has created a scheduled task to execute a .vbe file multiple times a day.(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1552.001 | Unsecured Credentials: Credentials In Files | APT33 has used a variety of publicly available tools like LaZagne to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1552.006 | Unsecured Credentials: Group Policy Preferences | APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.(Citation: Symantec Elfin Mar 2019)(Citation: FireEye APT33 Guardrail) |
| Enterprise | T1204.001 | User Execution: Malicious Link | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.(Citation: FireEye APT33 Sept 2017)(Citation: Symantec Elfin Mar 2019) |
| Enterprise | T1204.002 | User Execution: Malicious File | APT33 has used malicious e-mail attachments to lure victims into executing malware.(Citation: Microsoft Holmium June 2020) |
| Enterprise | T1078.004 | Valid Accounts: Cloud Accounts | APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.(Citation: Microsoft Holmium June 2020) |
References
- Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019.
- Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019.
- Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020.
- Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
- INSIKT GROUP. (2020, January 7). Iranian Cyber Response to Death of IRGC Head Would Likely Use Reported TTPs and Previous Access. Retrieved May 22, 2024.
- O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018.
- Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.