OilRig
Also known as: OilRig, COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that align...
Techniques: 76
Covered: 74
Gaps: 2
Coverage: 97% (74/76)
COVERED (74)
| Technique ID | Technique name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.004 | LSA Secrets | 16 |
| T1003.005 | Cached Domain Credentials | 11 |
| T1005 | Data from Local System | 46 |
| T1007 | System Service Discovery | 11 |
| T1008 | Fallback Channels | 5 |
| T1012 | Query Registry | 22 |
| T1016 | System Network Configuration Discovery | 35 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1021.004 | SSH | 31 |
| T1025 | Data from Removable Media | 3 |
| T1027.005 | Indicator Removal from Tools | 6 |
| T1027.013 | Encrypted/Encoded File | 7 |
| T1033 | System Owner/User Discovery | 59 |
| T1036 | Masquerading | 493 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 20 |
| T1049 | System Network Connections Discovery | 21 |
| T1053.005 | Scheduled Task | 82 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 18 |
| T1059 | Command and Scripting Interpreter | 462 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.005 | Visual Basic | 66 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1069.001 | Local Groups | 35 |
| T1069.002 | Domain Groups | 42 |
| T1070.004 | File Deletion | 40 |
| T1071.001 | Web Protocols | 74 |
| T1071.004 | DNS | 31 |
| T1078 | Valid Accounts | 252 |
| T1078.002 | Domain Accounts | 26 |
| T1082 | System Information Discovery | 80 |
| T1087.001 | Local Account | 32 |
| T1087.002 | Domain Account | 55 |
| T1105 | Ingress Tool Transfer | 170 |
| T1110 | Brute Force | 85 |
| T1112 | Modify Registry | 197 |
| T1113 | Screen Capture | 17 |
| T1115 | Clipboard Data | 15 |
| T1119 | Automated Collection | 11 |
| T1120 | Peripheral Device Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1137.004 | Outlook Home Page | 1 |
| T1140 | Deobfuscate/Decode Files or Information | 55 |
| T1195 | Supply Chain Compromise | 40 |
| T1201 | Password Policy Discovery | 17 |
| T1203 | Exploitation for Client Execution | 71 |
| T1204.001 | Malicious Link | 9 |
| T1204.002 | Malicious File | 397 |
| T1218.001 | Compiled HTML File | 13 |
| T1219 | Remote Access Tools | 33 |
| T1497.001 | System Checks | 6 |
| T1505.003 | Web Shell | 57 |
| T1543.003 | Windows Service | 79 |
| T1552.001 | Credentials In Files | 53 |
| T1553.002 | Code Signing | 3 |
| T1555 | Credentials from Password Stores | 38 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1555.004 | Windows Credential Manager | 8 |
| T1556.002 | Password Filter DLL | 3 |
| T1562.004 | Disable or Modify System Firewall | 45 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.002 | Spearphishing Link | 837 |
| T1566.003 | Spearphishing via Service | 85 |
| T1572 | Protocol Tunneling | 51 |
| T1573.002 | Asymmetric Cryptography | 6 |
| T1583.001 | Domains | 61 |
| T1587.001 | Malware | 9 |
| T1588.002 | Tool | 13 |
| T1608.001 | Upload Malware | 2 |