MuddyWater

MuddyWater is an Iranian threat group that has primarily targeted Middle Eastern nations. Activity from this group was previously linked to FIN7, but is believed to be a distinct group motivated by espionage. [1]

ID: G0069
Aliases: MuddyWater, TEMP.Zagros
Version: 1.0

Alias Descriptions

Name        | Description
------------|------------
MuddyWater  | [1]
TEMP.Zagros | [2]

Techniques Used

Domain     | ID    | Name                                        | Use
-----------|-------|---------------------------------------------|----------------------------------------------------------------
Enterprise | T1191 | CMSTP                                       | MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload. [2]
Enterprise | T1003 | Credential Dumping                          | MuddyWater has performed credential dumping with Mimikatz and LaZagne. [1]
Enterprise | T1140 | Deobfuscate/Decode Files or Information     | MuddyWater decoded base64-encoded PowerShell commands using a VBS file. [2][3]
Enterprise | T1036 | Masquerading                                | MuddyWater has used filenames and Registry key names associated with Windows Defender. [2]
Enterprise | T1170 | Mshta                                       | MuddyWater has used Mshta.exe to execute its POWERSTATS payload. [2]
Enterprise | T1027 | Obfuscated Files or Information             | MuddyWater has used Daniel Bohannon's Invoke-Obfuscation framework. The group has also used files containing base64-encoded PowerShell commands. [1][4][2]
Enterprise | T1086 | PowerShell                                  | MuddyWater has used PowerShell for execution. [2][3]
Enterprise | T1060 | Registry Run Keys / Startup Folder          | MuddyWater has added Registry Run keys to establish persistence. [2]
Enterprise | T1064 | Scripting                                   | MuddyWater has used VBScript and JavaScript files to execute its POWERSTATS payload. [2][3]
Enterprise | T1193 | Spearphishing Attachment                    | MuddyWater has compromised third parties and used the compromised accounts to send spearphishing emails with targeted attachments to recipients. [1][2]
Enterprise | T1204 | User Execution                              | MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails. [1][2]

Software

ID    | Name       | Techniques
------|------------|------------------------------------------------------------------------------------------------------
S0002 | Mimikatz   | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0223 | POWERSTATS | Account Discovery, Commonly Used Port, Connection Proxy, Data Encoding, Data from Local System, Disabling Security Tools, Distributed Component Object Model, Dynamic Data Exchange, File Deletion, Mshta, Obfuscated Files or Information, PowerShell, Remote File Copy, Scheduled Transfer, Screen Capture, Security Software Discovery, Standard Cryptographic Protocol, System Information Discovery, System Network Configuration Discovery, Uncommonly Used Port, Windows Management Instrumentation

References