OilRig
Also known as: COBALT GYPSY, IRN2, APT34, Helix Kitten, Evasive Serpens, Hazel Sandstorm, EUROPIUM, ITG13, Earth Simnavaz, Crambus, TA452
[OilRig](https://attack.mitre.org/groups/G0049) is a suspected Iranian threat group that has targeted Middle Eastern and international victims since at least 2014. The group has targeted a variety of sectors, including financial, government, energy, chemical, and telecommunications. It appears the group carries out supply chain attacks, leveraging the trust relationship between organizations to attack their primary targets. The group works on behalf of the Iranian government based on infrastructure details that contain references to Iran, use of Iranian infrastructure, and targeting that align...
- Techniques: 77
- Covered: 75
- Gaps: 2
- Coverage: 97% (75/77)
COVERED (75)

| Technique ID | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 111 |
| T1003.004 | LSA Secrets | 18 |
| T1003.005 | Cached Domain Credentials | 12 |
| T1005 | Data from Local System | 47 |
| T1007 | System Service Discovery | 15 |
| T1008 | Fallback Channels | 5 |
| T1012 | Query Registry | 24 |
| T1016 | System Network Configuration Discovery | 39 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.004 | SSH | 34 |
| T1025 | Data from Removable Media | 3 |
| T1027.005 | Indicator Removal from Tools | 6 |
| T1027.013 | Encrypted/Encoded File | 8 |
| T1033 | System Owner/User Discovery | 61 |
| T1036 | Masquerading | 525 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1046 | Network Service Discovery | 51 |
| T1047 | Windows Management Instrumentation | 87 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 21 |
| T1049 | System Network Connections Discovery | 22 |
| T1053.005 | Scheduled Task | 99 |
| T1056.001 | Keylogging | 4 |
| T1057 | Process Discovery | 20 |
| T1059 | Command and Scripting Interpreter | 486 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1069.001 | Local Groups | 37 |
| T1069.002 | Domain Groups | 44 |
| T1070.004 | File Deletion | 42 |
| T1071.001 | Web Protocols | 80 |
| T1071.004 | DNS | 34 |
| T1078 | Valid Accounts | 280 |
| T1078.002 | Domain Accounts | 28 |
| T1082 | System Information Discovery | 86 |
| T1087.001 | Local Account | 33 |
| T1087.002 | Domain Account | 57 |
| T1105 | Ingress Tool Transfer | 183 |
| T1110 | Brute Force | 90 |
| T1112 | Modify Registry | 203 |
| T1113 | Screen Capture | 18 |
| T1115 | Clipboard Data | 16 |
| T1119 | Automated Collection | 12 |
| T1120 | Peripheral Device Discovery | 4 |
| T1133 | External Remote Services | 72 |
| T1137.004 | Outlook Home Page | 1 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1195 | Supply Chain Compromise | 40 |
| T1201 | Password Policy Discovery | 20 |
| T1203 | Exploitation for Client Execution | 75 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1218.001 | Compiled HTML File | 14 |
| T1219 | Remote Access Tools | 40 |
| T1497.001 | System Checks | 6 |
| T1505.003 | Web Shell | 63 |
| T1543.003 | Windows Service | 79 |
| T1552.001 | Credentials In Files | 61 |
| T1553.002 | Code Signing | 3 |
| T1555 | Credentials from Password Stores | 40 |
| T1555.003 | Credentials from Web Browsers | 16 |
| T1555.004 | Windows Credential Manager | 9 |
| T1556.002 | Password Filter DLL | 3 |
| T1562.004 | Disable or Modify System Firewall | 48 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1566.003 | Spearphishing via Service | 88 |
| T1572 | Protocol Tunneling | 56 |
| T1573.002 | Asymmetric Cryptography | 6 |
| T1583.001 | Domains | 61 |
| T1587.001 | Malware | 10 |
| T1588.002 | Tool | 13 |
| T1608.001 | Upload Malware | 3 |
| T1686.003 | Windows Host Firewall | 20 |