# APT33

attack.mitre.org/groups/G0064/

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

**ID:** G0064
**Associated Groups:** HOLMIUM, Elfin
**Contributors:** Dragos Threat Intelligence
**Version:** 1.4
**Created:** 18 April 2018
**Last Modified:** 23 May 2022

[Version Permalink](https://attack.mitre.org/versions/v11/groups/G0064/) | [Live Version](https://attack.mitre.org/versions/v11/groups/G0064/)

## Associated Group Descriptions

|Name|Description|
|---|---|
|HOLMIUM|[3]|
|Elfin|[4]|

## Techniques Used

|Domain|ID|Name|Use|
|---|---|---|---|
|Enterprise|T1071.001|Application Layer Protocol: Web Protocols|APT33 has used HTTP for command and control.[4]|
|Enterprise|T1560.001|Archive Collected Data: Archive via Utility|APT33 has used WinRAR to compress data prior to exfiltration.[4]|
|Enterprise|T1547.001|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder|APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence.[4][3]|
|Enterprise|T1110.003|Brute Force: Password Spraying|APT33 has used password spraying to gain access to target systems.[5][3]|
|Enterprise|T1059.001|Command and Scripting Interpreter: PowerShell|APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[4][3]|
|Enterprise|T1059.005|Command and Scripting Interpreter: Visual Basic|APT33 has used VBScript to initiate the delivery of payloads.[3]|
|Enterprise|T1555|Credentials from Password Stores|APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5]|
|Enterprise|T1555.003|Credentials from Password Stores: Credentials from Web Browsers|APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5]|
|Enterprise|T1132.001|Data Encoding: Standard Encoding|APT33 has used base64 to encode command and control traffic.[5]|
|Enterprise|T1573.001|Encrypted Channel: Symmetric Cryptography|APT33 has used AES for encryption of command and control traffic.[5]|
|Enterprise|T1546.003|Event Triggered Execution: Windows Management Instrumentation Event Subscription|APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.[3]|
|Enterprise|T1048.003|Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol|APT33 has used FTP to exfiltrate files (separately from the C2 channel).[4]|
|Enterprise|T1203|Exploitation for Client Execution|APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).[4][3]|
|Enterprise|T1068|Exploitation for Privilege Escalation|APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[5]|
|Enterprise|T1105|Ingress Tool Transfer|APT33 has downloaded additional files and programs from its C2 server.[4][3]|
|Enterprise|T1040|Network Sniffing|APT33 has used SniffPass to collect credentials by sniffing network traffic.[4]|
|Enterprise|T1571|Non-Standard Port|APT33 has used HTTP over TCP ports 808 and 880 for command and control.[4]|
|Enterprise|T1027|Obfuscated Files or Information|APT33 has used base64 to encode payloads.[5]|
|Enterprise|T1588.002|Obtain Capabilities: Tool|APT33 has obtained and leveraged publicly available tools for early intrusion activities.[5][4]|
|Enterprise|T1003.001|OS Credential Dumping: LSASS Memory|APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials.[4][5]|
|Enterprise|T1003.004|OS Credential Dumping: LSA Secrets|APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5]|
|Enterprise|T1003.005|OS Credential Dumping: Cached Domain Credentials|APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5]|
|Enterprise|T1566.001|Phishing: Spearphishing Attachment|APT33 has sent spearphishing e-mails with archive attachments.[3]|
|Enterprise|T1566.002|Phishing: Spearphishing Link|APT33 has sent spearphishing emails containing links to .hta files.[1][4]|
|Enterprise|T1053.005|Scheduled Task/Job: Scheduled Task|APT33 has created a scheduled task to execute a .vbe file multiple times a day.[4]|
|Enterprise|T1552.001|Unsecured Credentials: Credentials In Files|APT33 has used a variety of publicly available tools like LaZagne to gather credentials.[4][5]|
|Enterprise|T1552.006|Unsecured Credentials: Group Policy Preferences|APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.[4][5]|
|Enterprise|T1204.001|User Execution: Malicious Link|APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[1][4]|
|Enterprise|T1204.002|User Execution: Malicious File|APT33 has used malicious e-mail attachments to lure victims into executing malware.[3]|
|Enterprise|T1078|Valid Accounts|APT33 has used valid accounts for initial access and privilege escalation.[2][5]|
|Enterprise|T1078.004|Valid Accounts: Cloud Accounts|APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.[3]|
|ICS|T0852|Screen Capture|APT33 utilizes backdoors capable of capturing screenshots once installed on a system.[6][7]|
|ICS|T0853|Scripting|APT33 utilized PowerShell scripts to establish command and control and install files for execution.[8][9]|
|ICS|T0865|Spearphishing Attachment|APT33 sent spear phishing emails containing links to HTML application files, which were embedded with malicious code.[6] APT33 has conducted targeted spear phishing campaigns against U.S. government agencies and private sector companies.[10]|

## Software

|ID|Name|References|Techniques|
|---|---|---|---|
|S0129|AutoIt backdoor|[4]|Abuse Elevation Control Mechanism: Bypass User Account Control, Command and Scripting Interpreter: PowerShell, Data Encoding: Standard Encoding, File and Directory Discovery|
|S0363|Empire|[5][4]|Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Search Order Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: SSH, Remote Services: Distributed Component Object Model, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, Steal or Forge Kerberos Tickets: Golden Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation|
|S0095|ftp|[4]|Commonly Used Port, Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol, Ingress Tool Transfer, Lateral Tool Transfer|
|S0349|LaZagne|[4]|Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores: Keychain, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Cached Domain Credentials, OS Credential Dumping: Proc Filesystem, OS Credential Dumping: LSA Secrets, OS Credential Dumping: /etc/passwd and /etc/shadow, Unsecured Credentials: Credentials In Files|
|S0002|Mimikatz|[4]|Access Token Manipulation: SID-History Injection, Account Manipulation, Boot or Logon Autostart Execution: Security Support Provider, Credentials from Password Stores: Windows Credential Manager, Credentials from Password Stores, Credentials from Password Stores: Credentials from Web Browsers, OS Credential Dumping: LSASS Memory, OS Credential Dumping: Security Account Manager, OS Credential Dumping: DCSync, OS Credential Dumping: LSA Secrets, Rogue Domain Controller, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Ticket, Use Alternate Authentication Material: Pass the Hash|
|S0336|NanoCore|[2]|Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Windows Command Shell, Encrypted Channel: Symmetric Cryptography, Impair Defenses: Disable or Modify System Firewall, Impair Defenses: Disable or Modify Tools, Ingress Tool Transfer, Input Capture: Keylogging, Modify Registry, Obfuscated Files or Information, System Network Configuration Discovery, Video Capture|
|S0039|Net|[4]|Account Discovery: Domain Account, Account Discovery: Local Account, Create Account: Local Account, Create Account: Domain Account, Indicator Removal on Host: Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery: Domain Groups, Permission Groups Discovery: Local Groups, Remote Services: SMB/Windows Admin Shares, Remote System Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, System Time Discovery|
|S0198|NETWIRE|[1][2]|Application Layer Protocol: Web Protocols, Application Window Discovery, Archive Collected Data, Archive Collected Data: Archive via Custom Method, Automated Collection, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: XDG Autostart Entries, Boot or Logon Autostart Execution: Login Items, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: Visual Basic, Command and Scripting Interpreter: Unix Shell, Create or Modify System Process: Launch Agent, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Data Staged: Local Data Staging, Encrypted Channel, Encrypted Channel: Symmetric Cryptography, File and Directory Discovery, Hide Artifacts: Hidden Files and Directories, Ingress Tool Transfer, Input Capture: Keylogging, Masquerading: Invalid Code Signature, Masquerading: Match Legitimate Name or Location, Modify Registry, Native API, Non-Application Layer Protocol, Obfuscated Files or Information: Software Packing, Obfuscated Files or Information, Phishing: Spearphishing Link, Phishing: Spearphishing Attachment, Process Discovery, Process Injection: Process Hollowing, Process Injection, Proxy, Scheduled Task/Job: Scheduled Task, Scheduled Task/Job: Cron, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, User Execution: Malicious File, User Execution: Malicious Link, Web Service|
|S0378|PoshC2|[5][4]|Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Create Process with Token, Access Token Manipulation, Account Discovery: Local Account, Account Discovery: Domain Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Automated Collection, Brute Force, Domain Trust Discovery, Event Triggered Execution: Windows Management Instrumentation Event Subscription, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Input Capture: Keylogging, Network Service Discovery, Network Sniffing, OS Credential Dumping: LSASS Memory, Password Policy Discovery, Permission Groups Discovery: Local Groups, Process Injection, Proxy, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Windows Management Instrumentation|
|S0194|PowerSploit|[5]|Access Token Manipulation, Account Discovery: Local Account, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Security Support Provider, Command and Scripting Interpreter: PowerShell, Create or Modify System Process: Windows Service, Credentials from Password Stores: Windows Credential Manager, Data from Local System, Domain Trust Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Path Interception by Unquoted Path, Input Capture: Keylogging, Obfuscated Files or Information: Indicator Removal from Tools, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Path Interception, Process Discovery, Process Injection: Dynamic-link Library Injection, Query Registry, Reflective Code Loading, Scheduled Task/Job: Scheduled Task, Screen Capture, Steal or Forge Kerberos Tickets: Kerberoasting, Unsecured Credentials: Group Policy Preferences, Unsecured Credentials: Credentials in Registry, Windows Management Instrumentation|
|S0371|POWERTON|[5][3]|Application Layer Protocol: Web Protocols, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Encrypted Channel: Symmetric Cryptography, Event Triggered Execution: Windows Management Instrumentation Event Subscription, OS Credential Dumping: Security Account Manager|
|S0192|Pupy|[5]|Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: Token Impersonation/Theft, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data: Archive via Utility, Audio Capture, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Python, Command and Scripting Interpreter: PowerShell, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Systemd Service, Credentials from Password Stores: Credentials from Web Browsers, Credentials from Password Stores, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Exfiltration Over C2 Channel, File and Directory Discovery, Indicator Removal on Host: Clear Windows Event Logs, Ingress Tool Transfer, Input Capture: Keylogging, Network Service Discovery, Network Share Discovery, OS Credential Dumping: LSASS Memory, OS Credential Dumping: LSA Secrets, OS Credential Dumping: Cached Domain Credentials, Process Discovery, Process Injection: Dynamic-link Library Injection, Remote Services: Remote Desktop Protocol, Screen Capture, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Ticket, Video Capture, Virtualization/Sandbox Evasion: System Checks|
|S0358|Ruler|[5][3]|Account Discovery: Email Account, Office Application Startup: Outlook Home Page, Office Application Startup: Outlook Rules, Office Application Startup: Outlook Forms|
|S0380|StoneDrill|[1]|Command and Scripting Interpreter: Visual Basic, Data Destruction, Disk Wipe: Disk Structure Wipe, Disk Wipe: Disk Content Wipe, Indicator Removal on Host: File Deletion, Ingress Tool Transfer, Obfuscated Files or Information, Process Injection, Query Registry, Screen Capture, Software Discovery: Security Software Discovery, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion, Windows Management Instrumentation|
|S0199|TURNEDUP|[1][2][4]|Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Command and Scripting Interpreter: Windows Command Shell, Ingress Tool Transfer, Process Injection: Asynchronous Procedure Call, Screen Capture, System Information Discovery|

## References

1. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
2. Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018.
3. Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/
4. Security Response Attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved April 10, 2019. https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
5. Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html
6. O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved December 2, 2019. https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html
7. Yagi, J. (2017, March 7). Trojan.Stonedrill. Retrieved December 5, 2019.
8. Symantec. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S. Retrieved December 2, 2019. https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage
9. Dragos. Magnallium. Retrieved October 27, 2019. https://dragos.com/resource/magnallium/
10. Greenburg, A. (2019, June 20). Iranian Hackers Launch a New US-Targeted Campaign as Tensions Mount. Retrieved January 3, 2020.