<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>APT33, HOLMIUM, Elfin, Group G0064 | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div class="group-nav-desktop-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="admin@338-admin@338"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ajax Security Team-Ajax Security Team"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT-C-36-APT-C-36"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT1-APT1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT12-APT12"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT16-APT16"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT17-APT17"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT18-APT18"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT19-APT19"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT28-APT28"> <a href="/versions/v9/groups/G0007/"> APT28 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT29-APT29"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT3-APT3"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT30-APT30"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT32-APT32"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="APT33-APT33"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT37-APT37"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT38-APT38"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT39-APT39"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="APT41-APT41"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Axiom-Axiom"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackOasis-BlackOasis"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BlackTech-BlackTech"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Blue Mockingbird-Blue Mockingbird"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Bouncing Golf-Bouncing Golf"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="BRONZE BUTLER-BRONZE BUTLER"> <a href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Carbanak-Carbanak"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Chimera-Chimera"> <a href="/versions/v9/groups/G0114/"> Chimera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cleaver-Cleaver"> <a href="/versions/v9/groups/G0003/"> Cleaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Cobalt Group-Cobalt Group"> <a href="/versions/v9/groups/G0080/"> Cobalt Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="CopyKittens-CopyKittens"> <a href="/versions/v9/groups/G0052/"> CopyKittens </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dark Caracal-Dark Caracal"> <a href="/versions/v9/groups/G0070/"> Dark Caracal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Darkhotel-Darkhotel"> <a href="/versions/v9/groups/G0012/"> Darkhotel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkHydrus-DarkHydrus"> <a href="/versions/v9/groups/G0079/"> DarkHydrus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DarkVishnya-DarkVishnya"> <a href="/versions/v9/groups/G0105/"> DarkVishnya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Deep Panda-Deep Panda"> <a href="/versions/v9/groups/G0009/"> Deep Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly-Dragonfly"> <a href="/versions/v9/groups/G0035/"> Dragonfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dragonfly 2.0-Dragonfly 2.0"> <a href="/versions/v9/groups/G0074/"> Dragonfly 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="DragonOK-DragonOK"> <a href="/versions/v9/groups/G0017/"> DragonOK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Dust Storm-Dust Storm"> <a href="/versions/v9/groups/G0031/"> Dust Storm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Elderwood-Elderwood"> <a href="/versions/v9/groups/G0066/"> Elderwood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Equation-Equation"> <a href="/versions/v9/groups/G0020/"> Equation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Evilnum-Evilnum"> <a href="/versions/v9/groups/G0120/"> Evilnum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN10-FIN10"> <a href="/versions/v9/groups/G0051/"> FIN10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN4-FIN4"> <a href="/versions/v9/groups/G0085/"> FIN4 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN5-FIN5"> <a href="/versions/v9/groups/G0053/"> FIN5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN6-FIN6"> <a href="/versions/v9/groups/G0037/"> FIN6 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN7-FIN7"> <a href="/versions/v9/groups/G0046/"> FIN7 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="FIN8-FIN8"> <a href="/versions/v9/groups/G0061/"> FIN8 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Fox Kitten-Fox Kitten"> <a href="/versions/v9/groups/G0117/"> Fox Kitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Frankenstein-Frankenstein"> <a href="/versions/v9/groups/G0101/"> Frankenstein </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GALLIUM-GALLIUM"> <a href="/versions/v9/groups/G0093/"> GALLIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gallmaker-Gallmaker"> <a href="/versions/v9/groups/G0084/"> Gallmaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gamaredon Group-Gamaredon Group"> <a href="/versions/v9/groups/G0047/"> Gamaredon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GCMAN-GCMAN"> <a href="/versions/v9/groups/G0036/"> GCMAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="GOLD SOUTHFIELD-GOLD SOUTHFIELD"> <a href="/versions/v9/groups/G0115/"> GOLD SOUTHFIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Gorgon Group-Gorgon Group"> <a href="/versions/v9/groups/G0078/"> Gorgon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Group5-Group5"> <a href="/versions/v9/groups/G0043/"> Group5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="HAFNIUM-HAFNIUM"> <a href="/versions/v9/groups/G0125/"> HAFNIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Higaisa-Higaisa"> <a href="/versions/v9/groups/G0126/"> Higaisa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Honeybee-Honeybee"> <a href="/versions/v9/groups/G0072/"> Honeybee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Inception-Inception"> <a href="/versions/v9/groups/G0100/"> Inception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Indrik Spider-Indrik Spider"> <a href="/versions/v9/groups/G0119/"> Indrik Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Ke3chang-Ke3chang"> <a href="/versions/v9/groups/G0004/"> Ke3chang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Kimsuky-Kimsuky"> <a href="/versions/v9/groups/G0094/"> Kimsuky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lazarus Group-Lazarus Group"> <a href="/versions/v9/groups/G0032/"> Lazarus Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leafminer-Leafminer"> <a href="/versions/v9/groups/G0077/"> Leafminer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Leviathan-Leviathan"> <a href="/versions/v9/groups/G0065/"> Leviathan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Lotus Blossom-Lotus Blossom"> <a href="/versions/v9/groups/G0030/"> Lotus Blossom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Machete-Machete"> <a href="/versions/v9/groups/G0095/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Magic Hound-Magic Hound"> <a href="/versions/v9/groups/G0059/"> Magic Hound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="menuPass-menuPass"> <a href="/versions/v9/groups/G0045/"> menuPass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Moafee-Moafee"> <a href="/versions/v9/groups/G0002/"> Moafee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mofang-Mofang"> <a href="/versions/v9/groups/G0103/"> Mofang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Molerats-Molerats"> <a href="/versions/v9/groups/G0021/"> Molerats </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="MuddyWater-MuddyWater"> <a href="/versions/v9/groups/G0069/"> MuddyWater </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Mustang Panda-Mustang Panda"> <a href="/versions/v9/groups/G0129/"> Mustang Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Naikon-Naikon"> <a href="/versions/v9/groups/G0019/"> Naikon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="NEODYMIUM-NEODYMIUM"> <a href="/versions/v9/groups/G0055/"> NEODYMIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Night Dragon-Night Dragon"> <a href="/versions/v9/groups/G0014/"> Night Dragon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="OilRig-OilRig"> <a href="/versions/v9/groups/G0049/"> OilRig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Operation Wocao-Operation Wocao"> <a href="/versions/v9/groups/G0116/"> Operation Wocao </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Orangeworm-Orangeworm"> <a href="/versions/v9/groups/G0071/"> Orangeworm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Patchwork-Patchwork"> <a href="/versions/v9/groups/G0040/"> Patchwork </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PittyTiger-PittyTiger"> <a href="/versions/v9/groups/G0011/"> PittyTiger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PLATINUM-PLATINUM"> <a href="/versions/v9/groups/G0068/"> PLATINUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Poseidon Group-Poseidon Group"> <a href="/versions/v9/groups/G0033/"> Poseidon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="PROMETHIUM-PROMETHIUM"> <a href="/versions/v9/groups/G0056/"> PROMETHIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Putter Panda-Putter Panda"> <a href="/versions/v9/groups/G0024/"> Putter Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rancor-Rancor"> <a href="/versions/v9/groups/G0075/"> Rancor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Rocke-Rocke"> <a href="/versions/v9/groups/G0106/"> Rocke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="RTM-RTM"> <a href="/versions/v9/groups/G0048/"> RTM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sandworm Team-Sandworm Team"> <a href="/versions/v9/groups/G0034/"> Sandworm Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Scarlet Mimic-Scarlet Mimic"> <a href="/versions/v9/groups/G0029/"> Scarlet Mimic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sharpshooter-Sharpshooter"> <a href="/versions/v9/groups/G0104/"> Sharpshooter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sidewinder-Sidewinder"> <a href="/versions/v9/groups/G0121/"> Sidewinder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Silence-Silence"> <a href="/versions/v9/groups/G0091/"> Silence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Silent Librarian-Silent Librarian"> <a href="/versions/v9/groups/G0122/"> Silent Librarian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="SilverTerrier-SilverTerrier"> <a href="/versions/v9/groups/G0083/"> SilverTerrier </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Sowbug-Sowbug"> <a href="/versions/v9/groups/G0054/"> Sowbug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stealth Falcon-Stealth Falcon"> <a href="/versions/v9/groups/G0038/"> Stealth Falcon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Stolen Pencil-Stolen Pencil"> <a href="/versions/v9/groups/G0086/"> Stolen Pencil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Strider-Strider"> <a href="/versions/v9/groups/G0041/"> Strider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Suckfly-Suckfly"> <a href="/versions/v9/groups/G0039/"> Suckfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA459-TA459"> <a href="/versions/v9/groups/G0062/"> TA459 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA505-TA505"> <a href="/versions/v9/groups/G0092/"> TA505 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TA551-TA551"> <a href="/versions/v9/groups/G0127/"> TA551 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Taidoor-Taidoor"> <a href="/versions/v9/groups/G0015/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="TEMP.Veles-TEMP.Veles"> <a href="/versions/v9/groups/G0088/"> TEMP.Veles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="The White Company-The White Company"> <a href="/versions/v9/groups/G0089/"> The White Company </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Threat Group-1314-Threat Group-1314"> <a href="/versions/v9/groups/G0028/"> Threat Group-1314 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Threat Group-3390-Threat Group-3390"> <a href="/versions/v9/groups/G0027/"> Threat Group-3390 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Thrip-Thrip"> <a href="/versions/v9/groups/G0076/"> Thrip </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Tropic Trooper-Tropic Trooper"> <a href="/versions/v9/groups/G0081/"> Tropic Trooper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Turla-Turla"> <a href="/versions/v9/groups/G0010/"> Turla </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Volatile Cedar-Volatile Cedar"> <a href="/versions/v9/groups/G0123/"> Volatile Cedar </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Whitefly-Whitefly"> <a href="/versions/v9/groups/G0107/"> Whitefly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windigo-Windigo"> <a href="/versions/v9/groups/G0124/"> Windigo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Windshift-Windshift"> <a href="/versions/v9/groups/G0112/"> Windshift </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Winnti Group-Winnti Group"> <a href="/versions/v9/groups/G0044/"> Winnti Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="WIRTE-WIRTE"> <a href="/versions/v9/groups/G0090/"> WIRTE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="Wizard Spider-Wizard Spider"> <a href="/versions/v9/groups/G0102/"> Wizard Spider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="ZIRCONIUM-ZIRCONIUM"> <a href="/versions/v9/groups/G0128/"> ZIRCONIUM </a> </div> </div> </div> <div class="group-nav-mobile-view"> <span class="heading" id="v-home-tab" aria-selected="false">GROUPS</span> <div class="sidenav"> <div class="sidenav-head" id="0-0"> <a href="/versions/v9/groups/"> Overview </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9bc10ab42f5041809586a8061be87f54"> <span>A-B</span> <div class="expand-button collapsed" id="9bc10ab42f5041809586a8061be87f54-header" data-toggle="collapse" data-target="#9bc10ab42f5041809586a8061be87f54-body" aria-expanded="false" aria-controls="#9bc10ab42f5041809586a8061be87f54-body"></div> </div> <div class="sidenav-body collapse" id="9bc10ab42f5041809586a8061be87f54-body" aria-labelledby="9bc10ab42f5041809586a8061be87f54-header"> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-eb897c1f5ad6440c8f00aec9a67b84c6"> <a href="/versions/v9/groups/G0018/"> admin@338 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8fd5ab8725924d97ba0b2eba004f2fee"> <a href="/versions/v9/groups/G0130/"> Ajax Security Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-c32bf624d6bf42ce95707467e8b90269"> <a href="/versions/v9/groups/G0099/"> APT-C-36 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0c3154fe96b343078274c0dc2f23dda1"> <a href="/versions/v9/groups/G0006/"> APT1 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-843a69656c2b482bb3b10d76f7c6e16f"> <a href="/versions/v9/groups/G0005/"> APT12 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1ab49126b7894fcfae69deeac14618fc"> <a href="/versions/v9/groups/G0023/"> APT16 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f88228946e41453e92e38c5866a4212f"> <a href="/versions/v9/groups/G0025/"> APT17 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-26f2dc710f78450dbbc1be11faa21ddd"> <a href="/versions/v9/groups/G0026/"> APT18 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-1fdff936c860439ebe70a7ff3be5989d"> <a href="/versions/v9/groups/G0073/"> APT19 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-fb8607b2690341d89cde7ca7a69c91c6"> <a href="/versions/v9/groups/G0007/"> APT28 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-9e54c5fbd52e4859b9fc4fcf11335e4c"> <a href="/versions/v9/groups/G0016/"> APT29 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3a223da5b87447f0bbd859a5bba79ce0"> <a href="/versions/v9/groups/G0022/"> APT3 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-0fc20a27442549099f96a0595e939e69"> <a href="/versions/v9/groups/G0013/"> APT30 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-311b6fd499004f0ab3c936b9a5db4817"> <a href="/versions/v9/groups/G0050/"> APT32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="9bc10ab42f5041809586a8061be87f54-f2d9fa39e41344d3bb3e0d64ba14a219"> <a href="/versions/v9/groups/G0064/"> APT33 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4706e13c21cf48e59061dbbaab2ecc84"> <a href="/versions/v9/groups/G0067/"> APT37 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-080b6603df0c41b394986e93492c6baa"> <a href="/versions/v9/groups/G0082/"> APT38 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-4df65ad27985448e8d0570867a13bf45"> <a href="/versions/v9/groups/G0087/"> APT39 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-06a4b5899d3549e3aa5e4d4ac0adc511"> <a href="/versions/v9/groups/G0096/"> APT41 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-f1cd11a66db84516a3520405067f85dc"> <a href="/versions/v9/groups/G0001/"> Axiom </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-5fc1a029befe48b587d4dece1a6bfeeb"> <a href="/versions/v9/groups/G0063/"> BlackOasis </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-7d8f8060918143018a61b7d75fae5d61"> <a href="/versions/v9/groups/G0098/"> BlackTech </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-3c28366e21404f609b54930888771a75"> <a href="/versions/v9/groups/G0108/"> Blue Mockingbird </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-b83df494e0cf43a7a348dcfe001722de"> <a href="/versions/v9/groups/G0097/"> Bouncing Golf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9bc10ab42f5041809586a8061be87f54-8080a2475195401ab077c1180ab335bb"> <a href="/versions/v9/groups/G0060/"> BRONZE BUTLER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="c9652acf849c48b6b237f8b1ebf4fe78"> <span>C-D</span> <div class="expand-button collapsed" id="c9652acf849c48b6b237f8b1ebf4fe78-header" data-toggle="collapse" data-target="#c9652acf849c48b6b237f8b1ebf4fe78-body" aria-expanded="false" aria-controls="#c9652acf849c48b6b237f8b1ebf4fe78-body"></div> </div> <div class="sidenav-body collapse" id="c9652acf849c48b6b237f8b1ebf4fe78-body" aria-labelledby="c9652acf849c48b6b237f8b1ebf4fe78-header"> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-db8b931f952d412e9d12e18c2c6681fc"> <a href="/versions/v9/groups/G0008/"> Carbanak </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-f3581612c373478bad1829f9b42d6481"> <a href="/versions/v9/groups/G0114/"> Chimera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-dd4c80e77f3e489eb664554c42cdd0ab"> <a href="/versions/v9/groups/G0003/"> Cleaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-b1e7f8f3bf7d4258b62f192b87703106"> <a href="/versions/v9/groups/G0080/"> Cobalt Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-1d8331b206264aa0bd4524d9de1ef598"> <a href="/versions/v9/groups/G0052/"> CopyKittens </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-147b48ccc2654c4fb25185883229826b"> <a href="/versions/v9/groups/G0070/"> Dark Caracal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-634f2cae3e0442dba2d09fc987e39e6d"> <a href="/versions/v9/groups/G0012/"> Darkhotel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-50e56472a5ed4f6195061236a3fb3d00"> <a href="/versions/v9/groups/G0079/"> DarkHydrus </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-08a60dc295e846d89694ff96717072b6"> <a href="/versions/v9/groups/G0105/"> DarkVishnya </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-15a1180154b449aa9c27c65a46dc074b"> <a href="/versions/v9/groups/G0009/"> Deep Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-995ee427b54e4a9aae324ad3f081b0db"> <a href="/versions/v9/groups/G0035/"> Dragonfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-41c57f3ed8b240c0a8c6120a2652495c"> <a href="/versions/v9/groups/G0074/"> Dragonfly 2.0 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-8b316a89b77e4e7f837bd4b1f4fad10c"> <a href="/versions/v9/groups/G0017/"> DragonOK </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="c9652acf849c48b6b237f8b1ebf4fe78-a4100800c4f1428bbbe2540845511483"> <a href="/versions/v9/groups/G0031/"> Dust Storm </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9f2eecc86c504f9eabd959d63728aaa1"> <span>E-F</span> <div class="expand-button collapsed" id="9f2eecc86c504f9eabd959d63728aaa1-header" data-toggle="collapse" data-target="#9f2eecc86c504f9eabd959d63728aaa1-body" aria-expanded="false" aria-controls="#9f2eecc86c504f9eabd959d63728aaa1-body"></div> </div> <div class="sidenav-body collapse" id="9f2eecc86c504f9eabd959d63728aaa1-body" aria-labelledby="9f2eecc86c504f9eabd959d63728aaa1-header"> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-59ce950244e04dbc8dba513a6a773287"> <a href="/versions/v9/groups/G0066/"> Elderwood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-0cba5b5ed65b4029be092df210cff9aa"> <a href="/versions/v9/groups/G0020/"> Equation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-3f10859e19074cfb95f376c246350cc5"> <a href="/versions/v9/groups/G0120/"> Evilnum </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-0842ff6a6e21414ba8f475a9bb395a7c"> <a href="/versions/v9/groups/G0051/"> FIN10 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-7b7338533d7b4c54bc0ef9eaf4d1a251"> <a href="/versions/v9/groups/G0085/"> FIN4 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-6af19e38aa4d4b57b5c0606f5a7e8391"> <a href="/versions/v9/groups/G0053/"> FIN5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-6464cb233f6f4c53b1ab5db10f23a210"> <a href="/versions/v9/groups/G0037/"> FIN6 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-48bd3bce115544c5952947533d0b60a3"> <a href="/versions/v9/groups/G0046/"> FIN7 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-372710aab0084f3c8aba309b6ef2d212"> <a href="/versions/v9/groups/G0061/"> FIN8 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-b8594e11427448c3a8224726c17cd747"> <a href="/versions/v9/groups/G0117/"> Fox Kitten </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9f2eecc86c504f9eabd959d63728aaa1-e33946268c9c4844bfcde0970048b263"> <a href="/versions/v9/groups/G0101/"> Frankenstein </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="7f34b9e0316841f8b1c5533bc278a8d4"> <span>G-H</span> <div class="expand-button collapsed" id="7f34b9e0316841f8b1c5533bc278a8d4-header" data-toggle="collapse" data-target="#7f34b9e0316841f8b1c5533bc278a8d4-body" aria-expanded="false" aria-controls="#7f34b9e0316841f8b1c5533bc278a8d4-body"></div> </div> <div class="sidenav-body collapse" id="7f34b9e0316841f8b1c5533bc278a8d4-body" aria-labelledby="7f34b9e0316841f8b1c5533bc278a8d4-header"> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-4b7069ae092f469582d5726f70b96eb1"> <a href="/versions/v9/groups/G0093/"> GALLIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-db030a3ae5d3425e8cc3ccf2cfb84f3b"> <a href="/versions/v9/groups/G0084/"> Gallmaker </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-1bebf0070465403494974a0af6d52786"> <a href="/versions/v9/groups/G0047/"> Gamaredon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-f69559b91b06468eb923b635e71bcede"> <a href="/versions/v9/groups/G0036/"> GCMAN </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-f4789813e37546e89840f110bdcafdba"> <a href="/versions/v9/groups/G0115/"> GOLD SOUTHFIELD </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-c4e44253bd5b4a829356d7689056c55f"> <a href="/versions/v9/groups/G0078/"> Gorgon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-16adea168fef439786f2d924ab908d83"> <a href="/versions/v9/groups/G0043/"> Group5 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-ccffcc3471bf43b5946a606b0a4b9b1a"> <a href="/versions/v9/groups/G0125/"> HAFNIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-a887df3159bc46088852185e877d7b11"> <a href="/versions/v9/groups/G0126/"> Higaisa </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="7f34b9e0316841f8b1c5533bc278a8d4-82b66952833942b781e7d85766e990f8"> <a href="/versions/v9/groups/G0072/"> Honeybee </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="69cb6ac7c257408dbc2b1f5e09965b3f"> <span>I-J</span> <div class="expand-button collapsed" id="69cb6ac7c257408dbc2b1f5e09965b3f-header" data-toggle="collapse" data-target="#69cb6ac7c257408dbc2b1f5e09965b3f-body" aria-expanded="false" aria-controls="#69cb6ac7c257408dbc2b1f5e09965b3f-body"></div> </div> <div class="sidenav-body collapse" id="69cb6ac7c257408dbc2b1f5e09965b3f-body" aria-labelledby="69cb6ac7c257408dbc2b1f5e09965b3f-header"> <div class="sidenav"> <div class="sidenav-head" id="69cb6ac7c257408dbc2b1f5e09965b3f-e0f25da1e47241ed9003cf925c208671"> <a href="/versions/v9/groups/G0100/"> Inception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="69cb6ac7c257408dbc2b1f5e09965b3f-2bcf49313dcf44908e4b514a118ec380"> <a href="/versions/v9/groups/G0119/"> Indrik Spider </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="cdc4d061012c45d89f82f0ccefd42bbb"> <span>K-L</span> <div class="expand-button collapsed" id="cdc4d061012c45d89f82f0ccefd42bbb-header" data-toggle="collapse" data-target="#cdc4d061012c45d89f82f0ccefd42bbb-body" aria-expanded="false" aria-controls="#cdc4d061012c45d89f82f0ccefd42bbb-body"></div> </div> <div class="sidenav-body collapse" id="cdc4d061012c45d89f82f0ccefd42bbb-body" aria-labelledby="cdc4d061012c45d89f82f0ccefd42bbb-header"> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-61494339efa24892b74cb1bab727ebab"> <a href="/versions/v9/groups/G0004/"> Ke3chang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-7fcbe0dbfca64881b3d90886fa02a057"> <a href="/versions/v9/groups/G0094/"> Kimsuky </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-bdb1c87e10124497bc426a32b425de37"> <a href="/versions/v9/groups/G0032/"> Lazarus Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-26f389bcb54744a2a88e3d8b14ebb187"> <a href="/versions/v9/groups/G0077/"> Leafminer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-01a297ae43e24d27b48dc26f67588c57"> <a href="/versions/v9/groups/G0065/"> Leviathan </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="cdc4d061012c45d89f82f0ccefd42bbb-0173fd0276f24cb2addbf1d49af106f1"> <a href="/versions/v9/groups/G0030/"> Lotus Blossom </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="8bba62bbe3cf487eb3d0e1324d5ea3a7"> <span>M-N</span> <div class="expand-button collapsed" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-header" data-toggle="collapse" data-target="#8bba62bbe3cf487eb3d0e1324d5ea3a7-body" aria-expanded="false" aria-controls="#8bba62bbe3cf487eb3d0e1324d5ea3a7-body"></div> </div> <div class="sidenav-body collapse" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-body" aria-labelledby="8bba62bbe3cf487eb3d0e1324d5ea3a7-header"> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-8edbdbed90584c03b70fc818644a5185"> <a href="/versions/v9/groups/G0095/"> Machete </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-e84a7ed3b84b4dcfb01df20449c1064d"> <a href="/versions/v9/groups/G0059/"> Magic Hound </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-af944ff295644b2db8f5215c30425187"> <a href="/versions/v9/groups/G0045/"> menuPass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-76aa410923384ac0b07fab724da445b6"> <a href="/versions/v9/groups/G0002/"> Moafee </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-31eff51171d14109ab2ed1ebeb118bbe"> <a href="/versions/v9/groups/G0103/"> Mofang </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-125859f5afd244758c04d908faabd932"> <a href="/versions/v9/groups/G0021/"> Molerats </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-7e1535d22fd949e9a58bafd020550df3"> <a href="/versions/v9/groups/G0069/"> MuddyWater </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-615d6fbe25804bd68bd2f4a1107d920b"> <a href="/versions/v9/groups/G0129/"> Mustang Panda </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-73fa70a5a9cb4c5689c7526e4f66081d"> <a href="/versions/v9/groups/G0019/"> Naikon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-375acf3b572244a08b896bf8466d0a00"> <a href="/versions/v9/groups/G0055/"> NEODYMIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="8bba62bbe3cf487eb3d0e1324d5ea3a7-5eb93e7b5ae146c5b46a5d21fe03a4a7"> <a href="/versions/v9/groups/G0014/"> Night Dragon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="0ca8ff8ba9024fe09ea2afc61a952501"> <span>O-P</span> <div class="expand-button collapsed" id="0ca8ff8ba9024fe09ea2afc61a952501-header" data-toggle="collapse" data-target="#0ca8ff8ba9024fe09ea2afc61a952501-body" aria-expanded="false" aria-controls="#0ca8ff8ba9024fe09ea2afc61a952501-body"></div> </div> <div class="sidenav-body collapse" id="0ca8ff8ba9024fe09ea2afc61a952501-body" aria-labelledby="0ca8ff8ba9024fe09ea2afc61a952501-header"> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-54768326f6654fb8926eac02f28ad486"> <a href="/versions/v9/groups/G0049/"> OilRig </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-0aacbe0d942b4eb28d5d7d2476fcfd52"> <a href="/versions/v9/groups/G0116/"> Operation Wocao </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-e11639e6af294e1d9b8052e5cd1e620f"> <a href="/versions/v9/groups/G0071/"> Orangeworm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-5e003492658643c897dc46152eaffcb5"> <a href="/versions/v9/groups/G0040/"> Patchwork </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-e1359725d8ae4cc2a16eee5802effde5"> <a href="/versions/v9/groups/G0011/"> PittyTiger </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-1529d895bd404a2f8856099b8e8fb640"> <a href="/versions/v9/groups/G0068/"> PLATINUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-d8ce4ed2e7ce4371b8836b1ba5e2cf2d"> <a href="/versions/v9/groups/G0033/"> Poseidon Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-e9fd05a2492241b5bc7d3d99d1e5be94"> <a href="/versions/v9/groups/G0056/"> PROMETHIUM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="0ca8ff8ba9024fe09ea2afc61a952501-b2b2da56d6ef4998b5b51cadfa0e4e0f"> <a href="/versions/v9/groups/G0024/"> Putter Panda </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="9c315870cc46405688ed5b4992ea0cd9"> <span>Q-R</span> <div class="expand-button collapsed" id="9c315870cc46405688ed5b4992ea0cd9-header" data-toggle="collapse" data-target="#9c315870cc46405688ed5b4992ea0cd9-body" aria-expanded="false" aria-controls="#9c315870cc46405688ed5b4992ea0cd9-body"></div> </div> <div class="sidenav-body collapse" id="9c315870cc46405688ed5b4992ea0cd9-body" aria-labelledby="9c315870cc46405688ed5b4992ea0cd9-header"> <div class="sidenav"> <div class="sidenav-head" id="9c315870cc46405688ed5b4992ea0cd9-ac912afa8e08410292784c628456c4dd"> <a href="/versions/v9/groups/G0075/"> Rancor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9c315870cc46405688ed5b4992ea0cd9-e37a841ffc72485794a70ba7c13bc8a4"> <a href="/versions/v9/groups/G0106/"> Rocke </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="9c315870cc46405688ed5b4992ea0cd9-128de6e01a6b4412a9b684bb75248fe8"> <a href="/versions/v9/groups/G0048/"> RTM </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="87d8075c72ad40fbb19f9022ad8f64b2"> <span>S-T</span> <div class="expand-button collapsed" id="87d8075c72ad40fbb19f9022ad8f64b2-header" data-toggle="collapse" data-target="#87d8075c72ad40fbb19f9022ad8f64b2-body" aria-expanded="false" aria-controls="#87d8075c72ad40fbb19f9022ad8f64b2-body"></div> </div> <div class="sidenav-body collapse" id="87d8075c72ad40fbb19f9022ad8f64b2-body" aria-labelledby="87d8075c72ad40fbb19f9022ad8f64b2-header"> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-5016020b8dd34724af6755ba6ec71120"> <a href="/versions/v9/groups/G0034/"> Sandworm Team </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-701e7ac2250642b481d565530e3de2e1"> <a href="/versions/v9/groups/G0029/"> Scarlet Mimic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-d297ba1ca5094ca594b4f9effd3d2a63"> <a href="/versions/v9/groups/G0104/"> Sharpshooter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-d7375e52b3a04157a6ae508927123b95"> <a href="/versions/v9/groups/G0121/"> Sidewinder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-8722d61de36d488fbe1a5b061595fd95"> <a href="/versions/v9/groups/G0091/"> Silence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-29bbc5e7d8db40a8886ff19e83a96b41"> <a href="/versions/v9/groups/G0122/"> Silent Librarian </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-a714165996ce4096b5da2a5abbed72c5"> <a href="/versions/v9/groups/G0083/"> SilverTerrier </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-ec9a3b77890f4172b18077a1efb6b0b7"> <a href="/versions/v9/groups/G0054/"> Sowbug </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-a5140dc1144743179e6711320b2b6043"> <a href="/versions/v9/groups/G0038/"> Stealth Falcon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-4b045f80fec54b1db359b2c97504a3e5"> <a href="/versions/v9/groups/G0086/"> Stolen Pencil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-3e720da026d74a0da8910ff0ac0db268"> <a href="/versions/v9/groups/G0041/"> Strider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-69c24c5cfbbe4b039b26265b8b55ebb4"> <a href="/versions/v9/groups/G0039/"> Suckfly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-2825b0b754b94a25bbde6cb5d9780785"> <a href="/versions/v9/groups/G0062/"> TA459 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-a79283297c4943b98dd0b22780f5def6"> <a href="/versions/v9/groups/G0092/"> TA505 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-4dd0f0bc793a4770a237e2616f0b608f"> <a href="/versions/v9/groups/G0127/"> TA551 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-43a8b490c3904cc194247d4e02fc4296"> <a href="/versions/v9/groups/G0015/"> Taidoor </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-0e740212837d485397e122344e69d4ee"> <a href="/versions/v9/groups/G0088/"> TEMP.Veles </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-a03080dbde0840219c117fc3dd9251c8"> <a href="/versions/v9/groups/G0089/"> The White Company </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-bfac41f1e4ed41c18fe176cc94c5b393"> <a href="/versions/v9/groups/G0028/"> Threat Group-1314 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-68731fabd49e404c8160d82eff15b50d"> <a href="/versions/v9/groups/G0027/"> Threat Group-3390 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-23bf52c62b394f2c832876b7cea27d7a"> <a href="/versions/v9/groups/G0076/"> Thrip </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-b40e63fa8c834212b0e3769480b64496"> <a href="/versions/v9/groups/G0081/"> Tropic Trooper </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="87d8075c72ad40fbb19f9022ad8f64b2-d87018444dee40e3b3d9904f9f86521c"> <a href="/versions/v9/groups/G0010/"> Turla </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="1a50e36945244146b3675ab05250650d"> <span>U-V</span> <div class="expand-button collapsed" id="1a50e36945244146b3675ab05250650d-header" data-toggle="collapse" data-target="#1a50e36945244146b3675ab05250650d-body" aria-expanded="false" aria-controls="#1a50e36945244146b3675ab05250650d-body"></div> </div> <div class="sidenav-body collapse" id="1a50e36945244146b3675ab05250650d-body" aria-labelledby="1a50e36945244146b3675ab05250650d-header"> <div class="sidenav"> <div class="sidenav-head" id="1a50e36945244146b3675ab05250650d-cb299810c5d643f0b1de3974367e174e"> <a href="/versions/v9/groups/G0123/"> Volatile Cedar </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="4b4931e3517041d3861283faa2b8c343"> <span>W-X</span> <div class="expand-button collapsed" id="4b4931e3517041d3861283faa2b8c343-header" data-toggle="collapse" data-target="#4b4931e3517041d3861283faa2b8c343-body" aria-expanded="false" aria-controls="#4b4931e3517041d3861283faa2b8c343-body"></div> </div> <div class="sidenav-body collapse" id="4b4931e3517041d3861283faa2b8c343-body" aria-labelledby="4b4931e3517041d3861283faa2b8c343-header"> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-a11643f4cca04a36893be9e7a5ebad8f"> <a href="/versions/v9/groups/G0107/"> Whitefly </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-8215d91eca124542a1d489bd901c10d5"> <a href="/versions/v9/groups/G0124/"> Windigo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-7186929dafbe4852b778e8a357d449bf"> <a href="/versions/v9/groups/G0112/"> Windshift </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-52ba1a0a287943299fe88eac3493c514"> <a href="/versions/v9/groups/G0044/"> Winnti Group </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-93553aa3a2fd4173af460f9569c879cd"> <a href="/versions/v9/groups/G0090/"> WIRTE </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="4b4931e3517041d3861283faa2b8c343-6848e592c4ce492bbb368b79ee6e735a"> <a href="/versions/v9/groups/G0102/"> Wizard Spider </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="a5819d5e89464ffabceb17e836662294"> <span>Y-Z</span> <div class="expand-button collapsed" id="a5819d5e89464ffabceb17e836662294-header" data-toggle="collapse" data-target="#a5819d5e89464ffabceb17e836662294-body" aria-expanded="false" aria-controls="#a5819d5e89464ffabceb17e836662294-body"></div> </div> <div class="sidenav-body collapse" id="a5819d5e89464ffabceb17e836662294-body" aria-labelledby="a5819d5e89464ffabceb17e836662294-header"> <div class="sidenav"> <div class="sidenav-head" id="a5819d5e89464ffabceb17e836662294-2779946926394bc19a3c66031d634130"> <a href="/versions/v9/groups/G0128/"> ZIRCONIUM </a> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/groups/">Groups</a></li> <li class="breadcrumb-item">APT33</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> APT33 </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v9/groups/G0064">APT33</a> is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017">^{<a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>G0064 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: HOLMIUM, Elfin </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 1.3 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>18 April 2018 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>01 July 2020 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0064" href="/versions/v9/groups/G0064/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0064" href="/groups/G0064/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> HOLMIUM </td> <td> <p><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> Elfin </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> </tbody> </table> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK^&reg; Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v9/groups/G0064/G0064-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v9/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v9/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0064/G0064-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3" id="techniques">Techniques Used</h2> <table class="table techniques-used table-bordered mt-2"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent" id="uses-T1071-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1071">T1071</a> </td> <td> <a href="/versions/v9/techniques/T1071/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used HTTP for command and control.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1560-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1560">T1560</a> </td> <td> <a href="/versions/v9/techniques/T1560/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/001">Archive via Utility</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used WinRAR to compress data prior to exfil.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </p> </td> </tr> <tr class="sub technique noparent" id="uses-T1547-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1547">T1547</a> </td> <td> <a href="/versions/v9/techniques/T1547/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has deployed a tool known as <a href="/versions/v9/software/S0334">DarkComet</a> to the Startup folder of a victim, and used Registry run keys to gain persistence.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1110-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1110">T1110</a> </td> <td> <a href="/versions/v9/techniques/T1110/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1110">Brute Force</a>: <a href="/versions/v9/techniques/T1110/003">Password Spraying</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used password spraying to gain access to target systems.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1059-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1059">T1059</a> </td> <td> <a href="/versions/v9/techniques/T1059/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has utilized PowerShell to download files from the C2 server and run various scripts. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1059-005"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1059/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used VBScript to initiate the delivery of payloads.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1555"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1555-003"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1555/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1132-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1132">T1132</a> </td> <td> <a href="/versions/v9/techniques/T1132/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used base64 to encode command and control traffic.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1573-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1573">T1573</a> </td> <td> <a href="/versions/v9/techniques/T1573/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used AES for encryption of command and control traffic.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1546-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1546">T1546</a> </td> <td> <a href="/versions/v9/techniques/T1546/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has attempted to use WMI event subscriptions to establish persistence on compromised hosts.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1048-003"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1048">T1048</a> </td> <td> <a href="/versions/v9/techniques/T1048/003">.003</a> </td> <td> <a href="/versions/v9/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/versions/v9/techniques/T1048/003">Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used FTP to exfiltrate files (separately from the C2 channel).<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1203"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1203">T1203</a> </td> <td> <a href="/versions/v9/techniques/T1203">Exploitation for Client Execution</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774).<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1068"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1068">T1068</a> </td> <td> <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1105"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1105">T1105</a> </td> <td> <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has downloaded additional files and programs from its C2 server.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> </p> </td> </tr> <tr class="technique" id="uses-T1040"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1040">T1040</a> </td> <td> <a href="/versions/v9/techniques/T1040">Network Sniffing</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used SniffPass to collect credentials by sniffing network traffic.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1571"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1571">T1571</a> </td> <td> <a href="/versions/v9/techniques/T1571">Non-Standard Port</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used HTTP over TCP ports 808 and 880 for command and control.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1027"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1027">T1027</a> </td> <td> <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used base64 to encode payloads.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1003-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v9/techniques/T1003/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a>, <a href="/versions/v9/software/S0002">Mimikatz</a>, and ProcDump to dump credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1003-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1003/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1003-005"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1003/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/005">Cached Domain Credentials</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1566-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1566">T1566</a> </td> <td> <a href="/versions/v9/techniques/T1566/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has sent spearphishing e-mails with archive attachments.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1566-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1566/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has sent spearphishing emails containing links to .hta files.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1053-005"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1053">T1053</a> </td> <td> <a href="/versions/v9/techniques/T1053/005">.005</a> </td> <td> <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has created a scheduled task to execute a .vbe file multiple times a day.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1552-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v9/techniques/T1552/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like <a href="/versions/v9/software/S0349">LaZagne</a> to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1552-006"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1552/006">.006</a> </td> <td> <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/006">Group Policy Preferences</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used a variety of publicly available tools like Gpppassword to gather credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique noparent" id="uses-T1204-001"> <td> Enterprise </td> <td> <a href="/versions/v9/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v9/techniques/T1204/001">.001</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/001">Malicious Link</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has lured users to click links to malicious HTML applications delivered via spearphishing emails.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1204-002"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1204/002">.002</a> </td> <td> <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/002">Malicious File</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used malicious e-mail attachments to lure victims into executing malware.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr class="technique" id="uses-T1078"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v9/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v9/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used valid accounts for initial access and privilege escalation.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017">^{<a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr class="sub technique" id="uses-T1078-004"> <td></td> <td></td> <td> <a href="/versions/v9/techniques/T1078/004">.004</a> </td> <td> <a href="/versions/v9/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used compromised Office 365 accounts in tandem with <a href="/versions/v9/software/S0358">Ruler</a> in an attempt to gain control of endpoints.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="software">Software</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0129">S0129</a> </td> <td> <a href="/versions/v9/software/S0129">AutoIt backdoor</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1132">Data Encoding</a>: <a href="/versions/v9/techniques/T1132/001">Standard Encoding</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0363">S0363</a> </td> <td> <a href="/versions/v9/software/S0363">Empire</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/002">Create Process with Token</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/009">Shortcut Modification</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1217">Browser Bookmark Discovery</a>, <a href="/versions/v9/techniques/T1115">Clipboard Data</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/001">Local Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/002">Domain Account</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1484">Domain Policy Modification</a>: <a href="/versions/v9/techniques/T1484/001">Group Policy Modification</a>, <a href="/versions/v9/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v9/techniques/T1114">Email Collection</a>: <a href="/versions/v9/techniques/T1114/001">Local Email Collection</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/008">Accessibility Features</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/002">Exfiltration to Cloud Storage</a>, <a href="/versions/v9/techniques/T1567">Exfiltration Over Web Service</a>: <a href="/versions/v9/techniques/T1567/001">Exfiltration to Code Repository</a>, <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v9/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/007">Path Interception by PATH Environment Variable</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/008">Path Interception by Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/009">Path Interception by Unquoted Path</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/004">Dylib Hijacking</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/006">Timestomp</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/004">Credential API Hooking</a>, <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a>: <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/003">Distributed Component Object Model</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/004">SSH</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1127">Trusted Developer Utilities Proxy Execution</a>: <a href="/versions/v9/techniques/T1127/001">MSBuild</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/004">Private Keys</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1125">Video Capture</a>, <a href="/versions/v9/techniques/T1102">Web Service</a>: <a href="/versions/v9/techniques/T1102/002">Bidirectional Communication</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0095">S0095</a> </td> <td> <a href="/versions/v9/software/S0095">FTP</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1048">Exfiltration Over Alternative Protocol</a>: <a href="/versions/v9/techniques/T1048/003">Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0349">S0349</a> </td> <td> <a href="/versions/v9/software/S0349">LaZagne</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/001">Keychain</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/005">Cached Domain Credentials</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/007">Proc Filesystem</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/008">/etc/passwd and /etc/shadow</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0002">S0002</a> </td> <td> <a href="/versions/v9/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v9/techniques/T1098">Account Manipulation</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/006">DCSync</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v9/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/004">Private Keys</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0336">S0336</a> </td> <td> <a href="/versions/v9/software/S0336">NanoCore</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017">^{<a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1123">Audio Capture</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1562">Impair Defenses</a>: <a href="/versions/v9/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/versions/v9/techniques/T1562">Impair Defenses</a>: <a href="/versions/v9/techniques/T1562/004">Disable or Modify System Firewall</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1125">Video Capture</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0039">S0039</a> </td> <td> <a href="/versions/v9/software/S0039">Net</a> </td> <td> <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/001">Local Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/002">Domain Account</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/005">Network Share Connection Removal</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/002">Domain Groups</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/002">SMB/Windows Admin Shares</a>, <a href="/versions/v9/techniques/T1018">Remote System Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1007">System Service Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0198">S0198</a> </td> <td> <a href="/versions/v9/software/S0198">NETWIRE</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017">^{<a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1010">Application Window Discovery</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/003">Archive via Custom Method</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>, <a href="/versions/v9/techniques/T1119">Automated Collection</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/013">XDG Autostart Entries</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/011">Plist Modification</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/004">Unix Shell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/001">Launch Agent</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1074">Data Staged</a>: <a href="/versions/v9/techniques/T1074/001">Local Data Staging</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1564">Hide Artifacts</a>: <a href="/versions/v9/techniques/T1564/001">Hidden Files and Directories</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/001">Invalid Code Signature</a>, <a href="/versions/v9/techniques/T1036">Masquerading</a>: <a href="/versions/v9/techniques/T1036/005">Match Legitimate Name or Location</a>, <a href="/versions/v9/techniques/T1112">Modify Registry</a>, <a href="/versions/v9/techniques/T1106">Native API</a>, <a href="/versions/v9/techniques/T1095">Non-Application Layer Protocol</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/002">Software Packing</a>, <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/002">Spearphishing Link</a>, <a href="/versions/v9/techniques/T1566">Phishing</a>: <a href="/versions/v9/techniques/T1566/001">Spearphishing Attachment</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/012">Process Hollowing</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/003">Cron</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/002">Malicious File</a>, <a href="/versions/v9/techniques/T1204">User Execution</a>: <a href="/versions/v9/techniques/T1204/001">Malicious Link</a>, <a href="/versions/v9/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0378">S0378</a> </td> <td> <a href="/versions/v9/software/S0378">PoshC2</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/002">Create Process with Token</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/002">Domain Account</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/001">Archive via Utility</a>, <a href="/versions/v9/techniques/T1119">Automated Collection</a>, <a href="/versions/v9/techniques/T1110">Brute Force</a>, <a href="/versions/v9/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/versions/v9/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/versions/v9/techniques/T1210">Exploitation of Remote Services</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a>: <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1040">Network Sniffing</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1201">Password Policy Discovery</a>, <a href="/versions/v9/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v9/techniques/T1069/001">Local Groups</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1090">Proxy</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1007">System Service Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0194">S0194</a> </td> <td> <a href="/versions/v9/software/S0194">PowerSploit</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1123">Audio Capture</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/003">Windows Service</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v9/techniques/T1005">Data from Local System</a>, <a href="/versions/v9/techniques/T1482">Domain Trust Discovery</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/001">DLL Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/007">Path Interception by PATH Environment Variable</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/008">Path Interception by Search Order Hijacking</a>, <a href="/versions/v9/techniques/T1574">Hijack Execution Flow</a>: <a href="/versions/v9/techniques/T1574/009">Path Interception by Unquoted Path</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>: <a href="/versions/v9/techniques/T1027/005">Indicator Removal from Tools</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1034">Path Interception</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/002">Portable Executable Injection</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1053">Scheduled Task/Job</a>: <a href="/versions/v9/techniques/T1053/005">Scheduled Task</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v9/techniques/T1558/003">Kerberoasting</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/002">Credentials in Registry</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/006">Group Policy Preferences</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0371">S0371</a> </td> <td> <a href="/versions/v9/software/S0371">POWERTON</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1043">Commonly Used Port</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/001">Symmetric Cryptography</a>, <a href="/versions/v9/techniques/T1546">Event Triggered Execution</a>: <a href="/versions/v9/techniques/T1546/003">Windows Management Instrumentation Event Subscription</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/002">Security Account Manager</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0192">S0192</a> </td> <td> <a href="/versions/v9/software/S0192">Pupy</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1548">Abuse Elevation Control Mechanism</a>: <a href="/versions/v9/techniques/T1548/002">Bypass User Account Control</a>, <a href="/versions/v9/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v9/techniques/T1134/001">Token Impersonation/Theft</a>, <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/001">Local Account</a>, <a href="/versions/v9/techniques/T1071">Application Layer Protocol</a>: <a href="/versions/v9/techniques/T1071/001">Web Protocols</a>, <a href="/versions/v9/techniques/T1560">Archive Collected Data</a>: <a href="/versions/v9/techniques/T1560/001">Archive via Utility</a>, <a href="/versions/v9/techniques/T1123">Audio Capture</a>, <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/001">PowerShell</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/006">Python</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/001">Local Account</a>, <a href="/versions/v9/techniques/T1136">Create Account</a>: <a href="/versions/v9/techniques/T1136/002">Domain Account</a>, <a href="/versions/v9/techniques/T1543">Create or Modify System Process</a>: <a href="/versions/v9/techniques/T1543/002">Systemd Service</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v9/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v9/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v9/techniques/T1114">Email Collection</a>: <a href="/versions/v9/techniques/T1114/001">Local Email Collection</a>, <a href="/versions/v9/techniques/T1573">Encrypted Channel</a>: <a href="/versions/v9/techniques/T1573/002">Asymmetric Cryptography</a>, <a href="/versions/v9/techniques/T1041">Exfiltration Over C2 Channel</a>, <a href="/versions/v9/techniques/T1083">File and Directory Discovery</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/001">Clear Windows Event Logs</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1056">Input Capture</a>: <a href="/versions/v9/techniques/T1056/001">Keylogging</a>, <a href="/versions/v9/techniques/T1557">Man-in-the-Middle</a>: <a href="/versions/v9/techniques/T1557/001">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="/versions/v9/techniques/T1046">Network Service Scanning</a>, <a href="/versions/v9/techniques/T1135">Network Share Discovery</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v9/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v9/techniques/T1003/005">Cached Domain Credentials</a>, <a href="/versions/v9/techniques/T1057">Process Discovery</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/001">Dynamic-link Library Injection</a>, <a href="/versions/v9/techniques/T1021">Remote Services</a>: <a href="/versions/v9/techniques/T1021/001">Remote Desktop Protocol</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1016">System Network Configuration Discovery</a>, <a href="/versions/v9/techniques/T1049">System Network Connections Discovery</a>, <a href="/versions/v9/techniques/T1033">System Owner/User Discovery</a>, <a href="/versions/v9/techniques/T1569">System Services</a>: <a href="/versions/v9/techniques/T1569/002">Service Execution</a>, <a href="/versions/v9/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v9/techniques/T1552/001">Credentials In Files</a>, <a href="/versions/v9/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v9/techniques/T1550/003">Pass the Ticket</a>, <a href="/versions/v9/techniques/T1125">Video Capture</a>, <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a>: <a href="/versions/v9/techniques/T1497/001">System Checks</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0358">S0358</a> </td> <td> <a href="/versions/v9/software/S0358">Ruler</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail">^{<a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft Holmium June 2020">^{<a href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1087">Account Discovery</a>: <a href="/versions/v9/techniques/T1087/003">Email Account</a>, <a href="/versions/v9/techniques/T1137">Office Application Startup</a>: <a href="/versions/v9/techniques/T1137/004">Outlook Home Page</a>, <a href="/versions/v9/techniques/T1137">Office Application Startup</a>: <a href="/versions/v9/techniques/T1137/005">Outlook Rules</a>, <a href="/versions/v9/techniques/T1137">Office Application Startup</a>: <a href="/versions/v9/techniques/T1137/003">Outlook Forms</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0380">S0380</a> </td> <td> <a href="/versions/v9/software/S0380">StoneDrill</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/005">Visual Basic</a>, <a href="/versions/v9/techniques/T1485">Data Destruction</a>, <a href="/versions/v9/techniques/T1561">Disk Wipe</a>: <a href="/versions/v9/techniques/T1561/001">Disk Content Wipe</a>, <a href="/versions/v9/techniques/T1561">Disk Wipe</a>: <a href="/versions/v9/techniques/T1561/002">Disk Structure Wipe</a>, <a href="/versions/v9/techniques/T1070">Indicator Removal on Host</a>: <a href="/versions/v9/techniques/T1070/004">File Deletion</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>, <a href="/versions/v9/techniques/T1012">Query Registry</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1518">Software Discovery</a>: <a href="/versions/v9/techniques/T1518/001">Security Software Discovery</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a>, <a href="/versions/v9/techniques/T1124">System Time Discovery</a>, <a href="/versions/v9/techniques/T1497">Virtualization/Sandbox Evasion</a>, <a href="/versions/v9/techniques/T1047">Windows Management Instrumentation</a> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0199">S0199</a> </td> <td> <a href="/versions/v9/software/S0199">TURNEDUP</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="FireEye APT33 Webinar Sept 2017">^{<a href="https://www.brighttalk.com/webcast/10703/275683" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Symantec Elfin Mar 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span> </td> <td> <a href="/versions/v9/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v9/techniques/T1547/001">Registry Run Keys / Startup Folder</a>, <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/versions/v9/techniques/T1059/003">Windows Command Shell</a>, <a href="/versions/v9/techniques/T1105">Ingress Tool Transfer</a>, <a href="/versions/v9/techniques/T1055">Process Injection</a>: <a href="/versions/v9/techniques/T1055/004">Asynchronous Procedure Call</a>, <a href="/versions/v9/techniques/T1113">Screen Capture</a>, <a href="/versions/v9/techniques/T1082">System Information Discovery</a> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank"> O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.brighttalk.com/webcast/10703/275683" target="_blank"> Davis, S. and Carr, N. (2017, September 21). APT33: New Insights into Iranian Cyber Espionage Group. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.microsoft.com/security/blog/2020/06/18/inside-microsoft-threat-protection-mapping-attack-chains-from-cloud-to-endpoint/" target="_blank"> Microsoft Threat Protection Intelligence Team. (2020, June 18). Inside Microsoft Threat Protection: Mapping attack chains from cloud to endpoint. Retrieved June 22, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> 漏 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?2451"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-relationships.js"></script> </body> </html>