APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors. (Citation: FireEye APT33 Sept 2017) (Citation: FireEye APT33 Webinar Sept 2017)
| Platform | Tactic | Technique | Description | Data Sources |
|---|---|---|---|---|
| Linux, macOS, Windows | defense-evasion | Execution Guardrails | APT33 has used kill dates in their malware to guardrail execution. | Process monitoring |
| Linux, macOS, Windows, Office 365, Azure AD, SaaS | credential-access | Brute Force | APT33 has used password spraying to gain access to target systems. | Office 365 account logs, Authentication logs |
| Linux, macOS, Windows | command-and-control | Commonly Used Port | APT33 has used port 443 for command and control. | Packet capture, Netflow/Enclave netflow, Process use of network, Process monitoring |
| Linux, macOS, Windows | privilege-escalation | Exploitation for Privilege Escalation | APT33 has used a publicly available exploit for CVE-2017-0213 to escalate privileges on a local system. | Windows Error Reporting, Process monitoring, Application logs |
| Linux, macOS, Windows | command-and-control | Standard Cryptographic Protocol | APT33 has used AES for encryption of command and control traffic. | Packet capture, Netflow/Enclave netflow, Malware reverse engineering, Process use of network, Process monitoring, SSL/TLS inspection |
| Linux, macOS, Windows | defense-evasion | Obfuscated Files or Information | APT33 has used base64 to encode payloads. | Network protocol analysis, Process use of network, File monitoring, Malware reverse engineering, Binary file metadata, Process command-line parameters, Environment variable, Process monitoring, Windows event logs, Network intrusion detection system, Email gateway, SSL/TLS inspection |
| Linux, macOS, Windows | command-and-control | Data Encoding | APT33 has used base64 to encode command and control traffic. | Packet capture, Process use of network, Process monitoring, Network protocol analysis |
| Windows | execution, persistence, privilege-escalation | Scheduled Task | APT33 has created a scheduled task to execute a .vbe file multiple times a day. | File monitoring, Process monitoring, Process command-line parameters, Windows event logs |
| Linux, macOS, Windows | command-and-control | Uncommonly Used Port | APT33 has used ports 808 and 880 for command and control. | Netflow/Enclave netflow, Process use of network, Process monitoring |
| Linux, macOS, Windows | exfiltration | Exfiltration Over Alternative Protocol | APT33 has used FTP to exfiltrate files (separately from the C2 channel). | User interface, Process monitoring, Process use of network, Packet capture, Netflow/Enclave netflow, Network protocol analysis |
| Linux, macOS, Windows | command-and-control | Standard Application Layer Protocol | APT33 has used HTTP for command and control. | Packet capture, Netflow/Enclave netflow, Process use of network, Malware reverse engineering, Process monitoring |
| Windows | persistence | Registry Run Keys / Startup Folder | APT33 has deployed a tool known as DarkComet to the Startup folder of a victim. | Windows Registry, File monitoring |
| Windows | execution | PowerShell | APT33 has utilized PowerShell to download files from the C2 server and run various scripts. | PowerShell logs, Loaded DLLs, DLL monitoring, Windows Registry, File monitoring, Process monitoring, Process command-line parameters |
| Linux, macOS, Windows | command-and-control, lateral-movement | Remote File Copy | APT33 has downloaded additional files and programs from its C2 server. | |
| File monitoring, Packet capture, Process use of network, Netflow/Enclave netflow, Network protocol analysis, Process monitoring | ||||
| Linux, Windows, macOS | exfiltration | Data Compressed | APT33 has used WinRAR to compress data prior to exfil. | |
| Binary file metadata, File monitoring, Process command-line parameters, Process monitoring | ||||
| Windows, Linux, macOS | credential-access | Credential Dumping | APT33 has used a variety of publicly available tools like LaZagne, Mimikatz, Gpppassword, SniffPass, and ProcDump to dump credentials. | API monitoring, Process monitoring, PowerShell logs, Process command-line parameters |
| Linux, macOS, Windows | credential-access, discovery | Network Sniffing | APT33 has used SniffPass to collect credentials by sniffing network traffic. | Network device logs, Host network interface, Netflow/Enclave netflow, Process monitoring |
| Linux, Windows, macOS | execution | Exploitation for Client Execution | APT33 has attempted to exploit a known vulnerability in WinRAR (CVE-2018-20250). | Anti-virus, System calls, Process monitoring |
| Linux, Windows, macOS | execution | User Execution | APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails. | Anti-virus, Process command-line parameters, Process monitoring |
| Windows, macOS, Linux, Office 365, SaaS | initial-access | Spearphishing Link | APT33 has sent spearphishing emails containing links to .hta files. | Packet capture, Web proxy, Email gateway, Detonation chamber, SSL/TLS inspection, DNS records, Mail server |
| Linux, macOS, Windows, AWS, GCP, Azure, SaaS, Office 365 | defense-evasion, persistence, privilege-escalation, initial-access | Valid Accounts | APT33 has used valid accounts for initial access and privilege escalation. | AWS CloudTrail logs, Stackdriver logs, Authentication logs, Process monitoring |