Magic Hound
Aliases: Magic Hound, TA453, COBALT ILLUSION, Charming Kitten, ITG18, Phosphorus, Newscaster, APT35, Mint Sandstorm
[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long-term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Securew...
Techniques: 82
Covered: 75
Gaps: 7
Coverage: 91% (75/82)
GAPS (7)
COVERED (75)
| Technique ID | Technique | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1005 | Data from Local System | 47 |
| T1016 | System Network Configuration Discovery | 39 |
| T1016.001 | Internet Connection Discovery | 6 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1027.010 | Command Obfuscation | 38 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1070.003 | Clear Command History | 15 |
| T1070.004 | File Deletion | 42 |
| T1071 | Application Layer Protocol | 104 |
| T1071.001 | Web Protocols | 80 |
| T1078.001 | Default Accounts | 9 |
| T1078.002 | Domain Accounts | 28 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1090 | Proxy | 46 |
| T1098.002 | Additional Email Delegate Permissions | 9 |
| T1098.007 | Additional Local or Domain Groups | 10 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1112 | Modify Registry | 203 |
| T1113 | Screen Capture | 18 |
| T1114 | Email Collection | 18 |
| T1114.001 | Local Email Collection | 11 |
| T1114.002 | Remote Email Collection | 18 |
| T1136.001 | Local Account | 43 |
| T1189 | Drive-by Compromise | 10 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1218.011 | Rundll32 | 75 |
| T1482 | Domain Trust Discovery | 41 |
| T1486 | Data Encrypted for Impact | 360 |
| T1505.003 | Web Shell | 63 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1560.001 | Archive via Utility | 26 |
| T1562 | Impair Defenses | 194 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1562.002 | Disable Windows Event Logging | 44 |
| T1562.004 | Disable or Modify System Firewall | 48 |
| T1564.003 | Hidden Window | 11 |
| T1566.002 | Spearphishing Link | 904 |
| T1566.003 | Spearphishing via Service | 88 |
| T1567 | Exfiltration Over Web Service | 45 |
| T1570 | Lateral Tool Transfer | 22 |
| T1571 | Non-Standard Port | 16 |
| T1572 | Protocol Tunneling | 56 |
| T1573 | Encrypted Channel | 32 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1584.001 | Domains | 3 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.001 | Credentials | 2 |
| T1589.002 | Email Addresses | 2 |
| T1590.005 | IP Addresses | 4 |
| T1592.002 | Software | 1 |
| T1595.002 | Vulnerability Scanning | 12 |
| T1598.003 | Spearphishing Link | 285 |
| T1685 | Disable or Modify Tools | 278 |
| T1685.001 | Disable or Modify Windows Event Log | 39 |
| T1686.003 | Windows Host Firewall | 20 |