← Back to Actors
Magic Hound
Magic HoundTA453COBALT ILLUSIONCharming KittenITG18PhosphorusNewscasterAPT35Mint Sandstorm
[Magic Hound](https://attack.mitre.org/groups/G0059) is an Iranian-sponsored threat group that conducts long term, resource-intensive cyber espionage operations, likely on behalf of the Islamic Revolutionary Guard Corps. They have targeted European, U.S., and Middle Eastern government and military personnel, academics, journalists, and organizations such as the World Health Organization (WHO), via complex social engineering campaigns since at least 2014.(Citation: FireEye APT35 2018)(Citation: ClearSky Kittens Back 3 August 2020)(Citation: Certfa Charming Kitten January 2021)(Citation: Securew...
82
Techniques
75
Covered
7
Gaps
91%
Coverage
Coverage75/82
GAPS (7)
COVERED (75)
T1003.001LSASS Memory111 det.T1005Data from Local System47 det.T1016System Network Configuration Discovery40 det.T1016.001Internet Connection Discovery6 det.T1018Remote System Discovery51 det.T1021.001Remote Desktop Protocol53 det.T1027.010Command Obfuscation38 det.T1027.013Encrypted/Encoded File8 det.T1033System Owner/User Discovery61 det.T1036.004Masquerade Task or Service7 det.T1036.005Match Legitimate Resource Name or Location45 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1056.001Keylogging4 det.T1057Process Discovery21 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1070.003Clear Command History15 det.T1070.004File Deletion43 det.T1071Application Layer Protocol112 det.T1071.001Web Protocols81 det.T1078.001Default Accounts9 det.T1078.002Domain Accounts28 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1090Proxy48 det.T1098.002Additional Email Delegate Permissions9 det.T1098.007Additional Local or Domain Groups10 det.T1102.002Bidirectional Communication16 det.T1105Ingress Tool Transfer184 det.T1112Modify Registry203 det.T1113Screen Capture18 det.T1114Email Collection18 det.T1114.001Local Email Collection11 det.T1114.002Remote Email Collection18 det.T1136.001Local Account43 det.T1189Drive-by Compromise10 det.T1190Exploit Public-Facing Application227 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1218.011Rundll3275 det.T1482Domain Trust Discovery41 det.T1486Data Encrypted for Impact374 det.T1505.003Web Shell65 det.T1547.001Registry Run Keys / Startup Folder53 det.T1560.001Archive via Utility26 det.T1562Impair Defenses202 det.T1562.001Disable or Modify Tools316 det.T1562.002Disable Windows Event Logging44 det.T1562.004Disable or Modify System Firewall48 det.T1564.003Hidden Window11 det.T1566.002Spearphishing Link1005 det.T1566.003Spearphishing via Service96 det.T1567Exfiltration Over Web Service46 det.T1570Lateral Tool Transfer23 det.T1571Non-Standard Port17 det.T1572Protocol Tunneling59 det.T1573Encrypted Channel35 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1584.001Domains3 det.T1588.002Tool13 det.T1589Gather Victim Identity Information1 det.T1589.001Credentials2 det.T1589.002Email Addresses2 det.T1590.005IP Addresses4 det.T1592.002Software1 det.T1595.002Vulnerability Scanning13 det.T1598.003Spearphishing Link312 det.T1685Disable or Modify Tools279 det.T1685.001Disable or Modify Windows Event Log39 det.T1686.003Windows Host Firewall20 det.