MuddyWater
Also known as: Earth Vetala, MERCURY, Static Kitten, Seedworm, TEMP.Zagros, Mango Sandstorm, TA450
[MuddyWater](https://attack.mitre.org/groups/G0069) is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).(Citation: CYBERCOM Iranian Intel Cyber January 2022) Since at least 2017, [MuddyWater](https://attack.mitre.org/groups/G0069) has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.(Citation: Unit 42 MuddyWater Nov 2017)(Citation: Symantec MuddyW...
Coverage: 56 of 58 techniques covered (97%), 2 gaps.
Covered (56)

| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.004 | LSA Secrets | 16 |
| T1003.005 | Cached Domain Credentials | 11 |
| T1016 | System Network Configuration Discovery | 35 |
| T1027.003 | Steganography | 5 |
| T1027.004 | Compile After Delivery | 9 |
| T1027.010 | Command Obfuscation | 31 |
| T1033 | System Owner/User Discovery | 59 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1041 | Exfiltration Over C2 Channel | 30 |
| T1047 | Windows Management Instrumentation | 85 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1057 | Process Discovery | 18 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1059.006 | Python | 43 |
| T1059.007 | JavaScript | 58 |
| T1071.001 | Web Protocols | 74 |
| T1074.001 | Local Data Staging | 10 |
| T1082 | System Information Discovery | 80 |
| T1083 | File and Directory Discovery | 48 |
| T1087.002 | Domain Account | 55 |
| T1090.002 | External Proxy | 6 |
| T1102.002 | Bidirectional Communication | 14 |
| T1105 | Ingress Tool Transfer | 170 |
| T1113 | Screen Capture | 17 |
| T1132.001 | Standard Encoding | 5 |
| T1137.001 | Office Template Macros | 1 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1190 | Exploit Public-Facing Application | 208 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1210 | Exploitation of Remote Services | 33 |
| T1218.003 | CMSTP | 21 |
| T1218.005 | Mshta | 46 |
| T1218.011 | Rundll32 | 73 |
| T1219 | Remote Access Tools | 33 |
| T1518 | Software Discovery | 15 |
| T1518.001 | Security Software Discovery | 8 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1548.002 | Bypass User Account Control | 83 |
| T1552.001 | Credentials In Files | 53 |
| T1555 | Credentials from Password Stores | 38 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1559.001 | Component Object Model | 16 |
| T1559.002 | Dynamic Data Exchange | 1 |
| T1560.001 | Archive via Utility | 24 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1574.001 | DLL | 106 |
| T1583.006 | Web Services | 1 |
| T1588.002 | Tool | 13 |