MuddyWater
Aliases: MuddyWater, Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450, MuddyKrill
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. [MuddyWater](ht...
Coverage summary: 70 techniques, 66 covered, 4 gaps (94% coverage, 66/70).
Gaps (4)

Covered (66)

| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.004 | LSA Secrets | 18 |
| T1003.005 | Cached Domain Credentials | 12 |
| T1016 | System Network Configuration Discovery | 39 |
| T1027.003 | Steganography | 5 |
| T1027.004 | Compile After Delivery | 10 |
| T1027.010 | Command Obfuscation | 38 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1047 | Windows Management Instrumentation | 87 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1057 | Process Discovery | 20 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1059.006 | Python | 49 |
| T1059.007 | JavaScript | 61 |
| T1071.001 | Web Protocols | 80 |
| T1074.001 | Local Data Staging | 10 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087.002 | Domain Account | 57 |
| T1090 | Proxy | 46 |
| T1090.002 | External Proxy | 6 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1113 | Screen Capture | 18 |
| T1132.001 | Standard Encoding | 5 |
| T1137.001 | Office Template Macros | 1 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1204.004 | Malicious Copy and Paste | 8 |
| T1210 | Exploitation of Remote Services | 35 |
| T1218.003 | CMSTP | 21 |
| T1218.005 | Mshta | 49 |
| T1218.011 | Rundll32 | 75 |
| T1219 | Remote Access Tools | 40 |
| T1219.002 | Remote Desktop Software | 50 |
| T1518 | Software Discovery | 17 |
| T1518.001 | Security Software Discovery | 10 |
| T1534 | Internal Spearphishing | 193 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1548.002 | Bypass User Account Control | 84 |
| T1552.001 | Credentials In Files | 61 |
| T1555 | Credentials from Password Stores | 40 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1559.001 | Component Object Model | 17 |
| T1559.002 | Dynamic Data Exchange | 1 |
| T1560.001 | Archive via Utility | 26 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1566 | Phishing | 996 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1571 | Non-Standard Port | 16 |
| T1574.001 | DLL | 109 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1588.001 | Malware | 2 |
| T1588.002 | Tool | 13 |
| T1685 | Disable or Modify Tools | 278 |