EXPLORE
← Back to Actors

OilRig

OilRigCOBALT GYPSYIRN2APT34Helix KittenEvasive SerpensHazel SandstormEUROPIUMITG13Earth SimnavazCrambusTA452

[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that align...

77
Techniques
75
Covered
2
Gaps
97%
Coverage
Coverage75/77

COVERED (75)

T1003.001LSASS Memory111 det.T1003.004LSA Secrets18 det.T1003.005Cached Domain Credentials12 det.T1005Data from Local System47 det.T1007System Service Discovery15 det.T1008Fallback Channels5 det.T1012Query Registry25 det.T1016System Network Configuration Discovery40 det.T1021.001Remote Desktop Protocol53 det.T1021.004SSH35 det.T1025Data from Removable Media3 det.T1027.005Indicator Removal from Tools6 det.T1027.013Encrypted/Encoded File8 det.T1033System Owner/User Discovery61 det.T1036Masquerading572 det.T1036.005Match Legitimate Resource Name or Location45 det.T1046Network Service Discovery51 det.T1047Windows Management Instrumentation88 det.T1048.003Exfiltration Over Unencrypted Non-C2 Protocol22 det.T1049System Network Connections Discovery22 det.T1053.005Scheduled Task100 det.T1056.001Keylogging4 det.T1057Process Discovery21 det.T1059Command and Scripting Interpreter514 det.T1059.001PowerShell372 det.T1059.003Windows Command Shell83 det.T1059.005Visual Basic69 det.T1068Exploitation for Privilege Escalation99 det.T1069.001Local Groups37 det.T1069.002Domain Groups44 det.T1070.004File Deletion43 det.T1071.001Web Protocols81 det.T1071.004DNS35 det.T1078Valid Accounts297 det.T1078.002Domain Accounts28 det.T1082System Information Discovery86 det.T1087.001Local Account33 det.T1087.002Domain Account57 det.T1105Ingress Tool Transfer184 det.T1110Brute Force90 det.T1112Modify Registry203 det.T1113Screen Capture18 det.T1115Clipboard Data16 det.T1119Automated Collection12 det.T1120Peripheral Device Discovery4 det.T1133External Remote Services74 det.T1137.004Outlook Home Page1 det.T1140Deobfuscate/Decode Files or Information58 det.T1195Supply Chain Compromise40 det.T1201Password Policy Discovery20 det.T1203Exploitation for Client Execution79 det.T1204.001Malicious Link11 det.T1204.002Malicious File441 det.T1218.001Compiled HTML File14 det.T1219Remote Access Tools42 det.T1497.001System Checks6 det.T1505.003Web Shell65 det.T1543.003Windows Service79 det.T1552.001Credentials In Files61 det.T1553.002Code Signing4 det.T1555Credentials from Password Stores41 det.T1555.003Credentials from Web Browsers16 det.T1555.004Windows Credential Manager9 det.T1556.002Password Filter DLL3 det.T1562.004Disable or Modify System Firewall48 det.T1566.001Spearphishing Attachment979 det.T1566.002Spearphishing Link1005 det.T1566.003Spearphishing via Service96 det.T1572Protocol Tunneling59 det.T1573.002Asymmetric Cryptography6 det.T1583.001Domains62 det.T1587.001Malware10 det.T1588.002Tool13 det.T1608.001Upload Malware3 det.T1686.003Windows Host Firewall20 det.