APT33 | APT Profile

Description

[APT33](https://attack.mitre.org/groups/G0064) is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.(Citation: FireEye APT33 Sept 2017)(Citation: FireEye APT33 Webinar Sept 2017)

Techniques Used (TTPs)

T1552.001 — Credentials In Files (credential-access)
T1003.005 — Cached Domain Credentials (credential-access)
T1560.001 — Archive via Utility (collection)
T1555.003 — Credentials from Web Browsers (credential-access)
T1552.006 — Group Policy Preferences (credential-access)
T1027.013 — Encrypted/Encoded File (defense-evasion)
T1566.001 — Spearphishing Attachment (initial-access)
T1003.001 — LSASS Memory (credential-access)
T1566.002 — Spearphishing Link (initial-access)
T1110.003 — Password Spraying (credential-access)
T1003.004 — LSA Secrets (credential-access)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1555 — Credentials from Password Stores (credential-access)
T1546.003 — Windows Management Instrumentation Event Subscription (privilege-escalation, persistence)
T1105 — Ingress Tool Transfer (command-and-control)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1588.002 — Tool (resource-development)
T1040 — Network Sniffing (credential-access, discovery)
T1071.001 — Web Protocols (command-and-control)
T1059.001 — PowerShell (execution)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1573.001 — Symmetric Cryptography (command-and-control)
T1059.005 — Visual Basic (execution)
T1132.001 — Standard Encoding (command-and-control)
T1571 — Non-Standard Port (command-and-control)
T1078.004 — Cloud Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1203 — Exploitation for Client Execution (execution)
T1204.002 — Malicious File (execution)
T1204.001 — Malicious Link (execution)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)

Total TTPs: 31

Malware & Tools

Malware: AutoIt backdoor, DEADWOOD, NETWIRE, NanoCore, POWERTON, StoneDrill, TURNEDUP

Tools: Empire, LaZagne, Mimikatz, Net, PoshC2, PowerSploit, Pupy, Ruler, ftp

← Return to Home ← Back to APT Search