Description
[Stealth Falcon](https://attack.mitre.org/groups/G0038) is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)
Techniques Used (TTPs)
- T1555.004 — Windows Credential Manager (credential-access)
- T1059 — Command and Scripting Interpreter (execution)
- T1555.003 — Credentials from Web Browsers (credential-access)
- T1555 — Credentials from Password Stores (credential-access)
- T1057 — Process Discovery (discovery)
- T1016 — System Network Configuration Discovery (discovery)
- T1573.001 — Symmetric Cryptography (command-and-control)
- T1012 — Query Registry (discovery)
- T1071.001 — Web Protocols (command-and-control)
- T1033 — System Owner/User Discovery (discovery)
- T1047 — Windows Management Instrumentation (execution)
- T1005 — Data from Local System (collection)
- T1041 — Exfiltration Over C2 Channel (exfiltration)
- T1059.001 — PowerShell (execution)
- T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
- T1082 — System Information Discovery (discovery)
Total TTPs: 16