Magic Hound
Magic Hound, TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Securew...
Techniques: 79
Covered: 71
Gaps: 8
Coverage: 90% (71/79)
GAPS (8)
COVERED (71)
T1003.001 | LSASS Memory | 105 det.
T1005 | Data from Local System | 46 det.
T1016 | System Network Configuration Discovery | 35 det.
T1016.001 | Internet Connection Discovery | 6 det.
T1018 | Remote System Discovery | 46 det.
T1021.001 | Remote Desktop Protocol | 51 det.
T1027.010 | Command Obfuscation | 31 det.
T1027.013 | Encrypted/Encoded File | 7 det.
T1033 | System Owner/User Discovery | 59 det.
T1036.004 | Masquerade Task or Service | 7 det.
T1036.005 | Match Legitimate Resource Name or Location | 44 det.
T1046 | Network Service Discovery | 49 det.
T1047 | Windows Management Instrumentation | 85 det.
T1049 | System Network Connections Discovery | 21 det.
T1053.005 | Scheduled Task | 82 det.
T1056.001 | Keylogging | 4 det.
T1057 | Process Discovery | 18 det.
T1059.001 | PowerShell | 338 det.
T1059.003 | Windows Command Shell | 79 det.
T1059.005 | Visual Basic | 66 det.
T1070.003 | Clear Command History | 14 det.
T1070.004 | File Deletion | 40 det.
T1071 | Application Layer Protocol | 100 det.
T1071.001 | Web Protocols | 74 det.
T1078.001 | Default Accounts | 8 det.
T1078.002 | Domain Accounts | 26 det.
T1082 | System Information Discovery | 80 det.
T1083 | File and Directory Discovery | 48 det.
T1090 | Proxy | 44 det.
T1098.002 | Additional Email Delegate Permissions | 8 det.
T1098.007 | Additional Local or Domain Groups | 9 det.
T1102.002 | Bidirectional Communication | 14 det.
T1105 | Ingress Tool Transfer | 170 det.
T1112 | Modify Registry | 197 det.
T1113 | Screen Capture | 17 det.
T1114 | Email Collection | 17 det.
T1114.001 | Local Email Collection | 11 det.
T1114.002 | Remote Email Collection | 18 det.
T1136.001 | Local Account | 42 det.
T1189 | Drive-by Compromise | 10 det.
T1190 | Exploit Public-Facing Application | 208 det.
T1204.001 | Malicious Link | 9 det.
T1204.002 | Malicious File | 397 det.
T1218.011 | Rundll32 | 73 det.
T1482 | Domain Trust Discovery | 38 det.
T1486 | Data Encrypted for Impact | 339 det.
T1505.003 | Web Shell | 57 det.
T1547.001 | Registry Run Keys / Startup Folder | 50 det.
T1560.001 | Archive via Utility | 24 det.
T1562 | Impair Defenses | 180 det.
T1562.001 | Disable or Modify Tools | 300 det.
T1562.002 | Disable Windows Event Logging | 42 det.
T1562.004 | Disable or Modify System Firewall | 45 det.
T1564.003 | Hidden Window | 11 det.
T1566.002 | Spearphishing Link | 837 det.
T1566.003 | Spearphishing via Service | 85 det.
T1567 | Exfiltration Over Web Service | 44 det.
T1570 | Lateral Tool Transfer | 20 det.
T1571 | Non-Standard Port | 16 det.
T1572 | Protocol Tunneling | 51 det.
T1573 | Encrypted Channel | 31 det.
T1583.001 | Domains | 61 det.
T1583.006 | Web Services | 1 det.
T1584.001 | Domains | 3 det.
T1588.002 | Tool | 13 det.
T1589 | Gather Victim Identity Information | 1 det.
T1589.001 | Credentials | 2 det.
T1589.002 | Email Addresses | 2 det.
T1590.005 | IP Addresses | 4 det.
T1595.002 | Vulnerability Scanning | 12 det.
T1598.003 | Spearphishing Link | 271 det.