
G0064 APT33

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. [1][2]

Item Value
ID G0064
Associated Names HOLMIUM, Elfin
Version 1.4
Created 18 April 2018
Last Modified 26 May 2021

Associated Group Descriptions

Name Description
HOLMIUM [3]
Elfin [4]

Techniques Used

Domain ID Name Use
enterprise T1071 Application Layer Protocol -
enterprise T1071.001 Web Protocols APT33 has used HTTP for command and control. [4]
enterprise T1560 Archive Collected Data -
enterprise T1560.001 Archive via Utility APT33 has used WinRAR to compress data prior to exfil. [4]
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder APT33 has deployed a tool known as DarkComet to the Startup folder of a victim, and used Registry run keys to gain persistence. [4][3]
enterprise T1110 Brute Force -
enterprise T1110.003 Password Spraying APT33 has used password spraying to gain access to target systems. [5][3]
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell APT33 has utilized PowerShell to download files from the C2 server and run various scripts. [4][3]
enterprise T1059.005 Visual Basic APT33 has used VBScript to initiate the delivery of payloads. [3]
enterprise T1555 Credentials from Password Stores APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise T1555.003 Credentials from Web Browsers APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise T1132 Data Encoding -
enterprise T1132.001 Standard Encoding APT33 has used base64 to encode command and control traffic. [5]
enterprise T1573 Encrypted Channel -
enterprise T1573.001 Symmetric Cryptography APT33 has used AES for encryption of command and control traffic. [5]
enterprise T1546 Event Triggered Execution -
enterprise T1546.003 Windows Management Instrumentation Event Subscription APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts. [3]
enterprise T1048 Exfiltration Over Alternative Protocol -
enterprise T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol APT33 has used FTP to exfiltrate files (separately from the C2 channel). [4]
enterprise T1203 Exploitation for Client Execution APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250), and attempted to gain remote code execution via a security bypass vulnerability (CVE-2017-11774). [4][3]
enterprise T1068 Exploitation for Privilege Escalation APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. [5]
enterprise T1105 Ingress Tool Transfer APT33 has downloaded additional files and programs from its C2 server. [4][3]
enterprise T1040 Network Sniffing APT33 has used SniffPass to collect credentials by sniffing network traffic. [4]
enterprise T1571 Non-Standard Port APT33 has used HTTP over TCP ports 808 and 880 for command and control. [4]
enterprise T1027 Obfuscated Files or Information APT33 has used base64 to encode payloads. [5]
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool APT33 has obtained and leveraged publicly-available tools for early intrusion activities. [5][4]
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, and ProcDump to dump credentials. [4][5]
enterprise T1003.004 LSA Secrets APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise T1003.005 Cached Domain Credentials APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise T1566 Phishing -
enterprise T1566.001 Spearphishing Attachment APT33 has sent spearphishing e-mails with archive attachments. [3]
enterprise T1566.002 Spearphishing Link APT33 has sent spearphishing emails containing links to .hta files. [1][4]
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task APT33 has created a scheduled task to execute a .vbe file multiple times a day. [4]
enterprise T1552 Unsecured Credentials -
enterprise T1552.001 Credentials In Files APT33 has used a variety of publicly available tools like LaZagne to gather credentials. [4][5]
enterprise T1552.006 Group Policy Preferences APT33 has used a variety of publicly available tools like Gpppassword to gather credentials. [4][5]
enterprise T1204 User Execution -
enterprise T1204.001 Malicious Link APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails. [1][4]
enterprise T1204.002 Malicious File APT33 has used malicious e-mail attachments to lure victims into executing malware. [3]
enterprise T1078 Valid Accounts APT33 has used valid accounts for initial access and privilege escalation. [2][5]
enterprise T1078.004 Cloud Accounts APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints. [3]

Software

ID Name References Techniques
S0129 AutoIt backdoor [4] Bypass User Account Control:Abuse Elevation Control Mechanism PowerShell:Command and Scripting Interpreter Standard Encoding:Data Encoding File and Directory Discovery
S0363 Empire - Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Bookmark Discovery Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Commonly Used Port Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Exfiltration to Code Repository:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Timestomp:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Golden Ticket:Steal or Forge Kerberos Tickets Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Private Keys:Unsecured Credentials Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation
S0095 ftp - Commonly Used Port Exfiltration Over Unencrypted Non-C2 Protocol:Exfiltration Over Alternative Protocol Ingress Tool Transfer Lateral Tool Transfer
S0349 LaZagne - Keychain:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Password Stores Cached Domain Credentials:OS Credential Dumping LSASS Memory:OS Credential Dumping Proc Filesystem:OS Credential Dumping LSA Secrets:OS Credential Dumping /etc/passwd and /etc/shadow:OS Credential Dumping Credentials In Files:Unsecured Credentials
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0336 NanoCore - Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Visual Basic:Command and Scripting Interpreter Symmetric Cryptography:Encrypted Channel Disable or Modify Tools:Impair Defenses Disable or Modify System Firewall:Impair Defenses Ingress Tool Transfer Keylogging:Input Capture Modify Registry Obfuscated Files or Information System Network Configuration Discovery Video Capture
S0039 Net - Domain Account:Account Discovery Local Account:Account Discovery Domain Account:Create Account Local Account:Create Account Network Share Connection Removal:Indicator Removal on Host Network Share Discovery Password Policy Discovery Domain Groups:Permission Groups Discovery Local Groups:Permission Groups Discovery SMB/Windows Admin Shares:Remote Services Remote System Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services System Time Discovery
S0198 NETWIRE - Web Protocols:Application Layer Protocol Application Window Discovery Archive via Custom Method:Archive Collected Data Archive Collected Data Automated Collection XDG Autostart Entries:Boot or Logon Autostart Execution Login Items:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Visual Basic:Command and Scripting Interpreter Unix Shell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Launch Agent:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Local Data Staging:Data Staged Encrypted Channel Symmetric Cryptography:Encrypted Channel File and Directory Discovery Hidden Files and Directories:Hide Artifacts Ingress Tool Transfer Keylogging:Input Capture Invalid Code Signature:Masquerading Match Legitimate Name or Location:Masquerading Modify Registry Native API Non-Application Layer Protocol Obfuscated Files or Information Software Packing:Obfuscated Files or Information Spearphishing Attachment:Phishing Spearphishing Link:Phishing Process Discovery Process Injection Process Hollowing:Process Injection Proxy Cron:Scheduled Task/Job Scheduled Task:Scheduled Task/Job Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery Malicious Link:User Execution Malicious File:User Execution Web Service
S0378 PoshC2 - Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Automated Collection Brute Force Domain Trust Discovery Windows Management Instrumentation Event Subscription:Event Triggered Execution Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Keylogging:Input Capture Network Service Discovery Network Sniffing LSASS Memory:OS Credential Dumping Password Policy Discovery Local Groups:Permission Groups Discovery Process Injection Proxy System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Service Discovery Service Execution:System Services Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Windows Management Instrumentation
S0194 PowerSploit - Access Token Manipulation Local Account:Account Discovery Audio Capture Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Windows Credential Manager:Credentials from Password Stores Data from Local System Domain Trust Discovery DLL Search Order Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Search Order Hijacking:Hijack Execution Flow Keylogging:Input Capture Obfuscated Files or Information Indicator Removal from Tools:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Path Interception Process Discovery Dynamic-link Library Injection:Process Injection Query Registry Reflective Code Loading Scheduled Task:Scheduled Task/Job Screen Capture Kerberoasting:Steal or Forge Kerberos Tickets Credentials in Registry:Unsecured Credentials Group Policy Preferences:Unsecured Credentials Windows Management Instrumentation
S0371 POWERTON - Web Protocols:Application Layer Protocol Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution PowerShell:Command and Scripting Interpreter Commonly Used Port Symmetric Cryptography:Encrypted Channel Windows Management Instrumentation Event Subscription:Event Triggered Execution Security Account Manager:OS Credential Dumping
S0192 Pupy - Bypass User Account Control:Abuse Elevation Control Mechanism Token Impersonation/Theft:Access Token Manipulation Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive via Utility:Archive Collected Data Audio Capture Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Python:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Local Account:Create Account Domain Account:Create Account Systemd Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Credentials from Password Stores Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Exfiltration Over C2 Channel File and Directory Discovery Clear Windows Event Logs:Indicator Removal on Host Ingress Tool Transfer Keylogging:Input Capture Network Service Discovery Network Share Discovery Cached Domain Credentials:OS Credential Dumping LSA Secrets:OS Credential Dumping LSASS Memory:OS Credential Dumping Process Discovery Dynamic-link Library Injection:Process Injection Remote Desktop Protocol:Remote Services Screen Capture System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services Credentials In Files:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Video Capture System Checks:Virtualization/Sandbox Evasion
S0358 Ruler - Email Account:Account Discovery Outlook Forms:Office Application Startup Outlook Home Page:Office Application Startup Outlook Rules:Office Application Startup
S0380 StoneDrill - Visual Basic:Command and Scripting Interpreter Data Destruction Disk Structure Wipe:Disk Wipe Disk Content Wipe:Disk Wipe File Deletion:Indicator Removal on Host Ingress Tool Transfer Obfuscated Files or Information Process Injection Query Registry Screen Capture Security Software Discovery:Software Discovery System Information Discovery System Time Discovery Virtualization/Sandbox Evasion Windows Management Instrumentation
S0199 TURNEDUP - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Windows Command Shell:Command and Scripting Interpreter Ingress Tool Transfer Asynchronous Procedure Call:Process Injection Screen Capture System Information Discovery
