EXPLORE
← Back to Actors

MuddyWater

MuddyWaterEarth VetalaMERCURYStatic KittenSeedwormTEMP.ZagrosMango SandstormTA450MuddyKrill

[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](ht...

70
Techniques
66
Covered
4
Gaps
94%
Coverage
Coverage66/70

COVERED (66)

T1003.001LSASS Memory111 det.T1003.004LSA Secrets18 det.T1003.005Cached Domain Credentials12 det.T1016System Network Configuration Discovery40 det.T1027.003Steganography5 det.T1027.004Compile After Delivery10 det.T1027.010Command Obfuscation38 det.T1033System Owner/User Discovery61 det.T1036.005Match Legitimate Resource Name or Location45 det.T1041Exfiltration Over C2 Channel32 det.T1047Windows Management Instrumentation88 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1057Process Discovery21 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1059.006Python51 det.T1059.007JavaScript63 det.T1071.001Web Protocols81 det.T1074.001Local Data Staging10 det.T1082System Information Discovery86 det.T1083File and Directory Discovery48 det.T1087.002Domain Account57 det.T1090Proxy48 det.T1090.002External Proxy8 det.T1102.002Bidirectional Communication16 det.T1105Ingress Tool Transfer184 det.T1113Screen Capture18 det.T1132.001Standard Encoding5 det.T1137.001Office Template Macros1 det.T1140Deobfuscate/Decode Files or Information58 det.T1190Exploit Public-Facing Application227 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1204.004Malicious Copy and Paste9 det.T1210Exploitation of Remote Services35 det.T1218.003CMSTP21 det.T1218.005Mshta49 det.T1218.011Rundll3275 det.T1219Remote Access Tools42 det.T1219.002Remote Desktop Software52 det.T1518Software Discovery17 det.T1518.001Security Software Discovery10 det.T1534Internal Spearphishing234 det.T1547.001Registry Run Keys / Startup Folder53 det.T1548.002Bypass User Account Control84 det.T1552.001Credentials In Files61 det.T1555Credentials from Password Stores41 det.T1555.003Credentials from Web Browsers16 det.T1559.001Component Object Model17 det.T1559.002Dynamic Data Exchange1 det.T1560.001Archive via Utility26 det.T1562.001Disable or Modify Tools316 det.T1566Phishing1100 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1567.002Exfiltration to Cloud Storage31 det.T1571Non-Standard Port17 det.T1574.001DLL111 det.T1583.001Domains62 det.T1583.006Web Services1 det.T1588.001Malware2 det.T1588.002Tool13 det.T1685Disable or Modify Tools279 det.