
Iranian Hackers Participate in Papercut Attacks
State-sponsored threat actors tracked as Mint Sandstorm and Mango Sandstorm, both based in Iran, are exploiting unpatched PaperCut instances. Microsoft reports that Mango Sandstorm's exploitation activity is still minimal, with operators connecting to C2 infrastructure using tools from prior intrusions; Mint Sandstorm's exploitation activity, by contrast, appears opportunistic, affecting businesses across industries and regions.
Indicators of Compromise
Domains (2181)
Hashes (2333)
IPv4 (1626)
CVEs (11)
CVE-2021-45046
CVE-2021-44228
CVE-2022-45359
CVE-2018-20250
CVE-2018-13379
CVE-2021-45608
CVE-2020-0688
CVE-2017-0199
CVE-2017-0213
CVE-2020-1472
CVE-2022-47633
APT Groups
MuddyWater
Iran, Islamic Republic of
Notes
<div><font>Papercut is an attack vector used by an attacker to gain unauthorized access to corporate networks and steal information. APT35 (Advanced Persistent Threat 35), also known as Charming Kitten or Phosphorus, is a hacker group based in Iran.</font></div><div><font><br></font></div><div><font>APT35 is a cyberespionage group capable of performing advanced and sophisticated targeted attacks. The group carries out attacks against various targets using social engineering, targeted phishing emails, and other advanced techniques.</font></div><div><font><br></font></div><div><font>The Papercut attack begins when APT35 sends specially crafted malicious documents to targets' mailboxes. These documents often use common file types such as PDF or Word. When a target opens the document, malicious code or malware is executed to gain unauthorized access to systems.</font></div><div><font><br></font></div><div><font>APT35's targets in the Papercut attack can include political and military organizations, energy sector companies, telecommunications firms, and universities, especially in the Middle East. With these attacks, APT35 attempts to access sensitive information, conduct espionage, or gather strategic intelligence.</font></div><div><font><br></font></div><div><font>A Papercut attack can be mitigated by taking informed security measures and training staff. It is important to take precautions such as treating email attachments with care, not opening files from unknown or suspicious sources, and keeping security software up to date.</font></div>
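The Mitigation section below lists the ATT&CK techniques attributed to MuddyWater (domain account enumeration with net user /domain, staging with makecab.exe, the SystemTextEncoding Run key, PowerShell execution). As an added example that is not part of this page or of ATT&CK, the Python script below turns those behaviours into simple detection rules and runs them over a few constructed Sysmon-style events; the event field layout, host names and command lines are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events in a Sysmon-like shape. The field names (type, host,
# image, cmdline, key, value) are an assumption for this example, not a vendor
# schema. "process" rows stand for process creation, "registry" rows for a
# registry value being set. Values marked <constructed> are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c net user /domain"},
    {"type": "process", "host": "ws01", "image": r"C:\Windows\System32\makecab.exe",
     "cmdline": r"makecab.exe C:\Users\bob\AppData\Local\Temp\docs.txt out.cab"},
    {"type": "registry", "host": "ws01",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding",
     "value": "<constructed>"},
    {"type": "process", "host": "ws02",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -EncodedCommand <constructed>"},
    # Benign look-alikes: a plain "net use" and an ordinary OneDrive Run key.
    {"type": "process", "host": "ws03", "image": r"C:\Windows\System32\net.exe",
     "cmdline": "net use"},
    {"type": "registry", "host": "ws03",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "value": "<constructed>"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str  # ATT&CK (sub)technique id as listed in this page's table
    name: str
    evidence: str


# Match on the subkey path only, so the rule fires regardless of how the hive
# prefix is spelled in a given log source.
RUN_KEY_RE = re.compile(
    r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\SystemTextEncoding$", re.I)
# "net user ... /domain" with any account name in between; also covers net1.exe.
NET_USER_DOMAIN_RE = re.compile(r"\bnet(?:1)?(?:\.exe)?\s+user\b(?:\s+\S+)*\s+/domain\b", re.I)
MAKECAB_RE = re.compile(r"(?:^|\\)makecab\.exe$", re.I)
POWERSHELL_RE = re.compile(r"(?:^|\\)(?:powershell|pwsh)\.exe$", re.I)
# Narrowing choice for this example: flag PowerShell only when it is launched with
# a hidden window or an encoded command, since bare PowerShell use is too noisy.
PS_SUSPICIOUS_ARGS_RE = re.compile(
    r"-(?:w|windowstyle)\s+hidden|-(?:e|ec|enc|encodedcommand)\b", re.I)


def _proc(ev):
    return ev["type"] == "process"


# Each rule returns the evidence string when it matches, else None.
RULES = [
    ("T1087.002", "Account Discovery: Domain Account",
     lambda ev: ev["cmdline"] if _proc(ev) and NET_USER_DOMAIN_RE.search(ev["cmdline"]) else None),
    ("T1560.001", "Archive Collected Data: Archive via Utility",
     lambda ev: ev["cmdline"] if _proc(ev) and MAKECAB_RE.search(ev["image"]) else None),
    ("T1547.001", "Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
     lambda ev: ev["key"] if ev["type"] == "registry" and RUN_KEY_RE.search(ev["key"]) else None),
    ("T1059.001", "Command and Scripting Interpreter: PowerShell",
     lambda ev: ev["cmdline"] if _proc(ev) and POWERSHELL_RE.search(ev["image"])
     and PS_SUSPICIOUS_ARGS_RE.search(ev["cmdline"]) else None),
]


def run_rules(events):
    """Apply every rule to every event and collect the matches."""
    findings = []
    for ev in events:
        for technique, name, check in RULES:
            evidence = check(ev)
            if evidence:
                findings.append(Finding(ev["host"], technique, name, evidence))
    return findings


def techniques_per_host(findings):
    """Count distinct techniques seen per host; several stacked on one host is the
    signal worth triaging first."""
    seen = defaultdict(set)
    for f in findings:
        seen[f.host].add(f.technique)
    return {host: len(techs) for host, techs in seen.items()}


if __name__ == "__main__":
    hits = run_rules(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host}  {f.technique}  {f.name}  <- {f.evidence}")
    print(techniques_per_host(hits))
```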
Mitigation
<div><b style=""><font>MuddyWater</font></b></div><div><font style="">MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, defense, and oil and natural gas organizations, in the Middle East, Asia, Africa, Europe, and North America.[2][3][4][5][6][7][8]</font></div><div><font style=""><br></font></div><div><b style="font-family: Mazzard; color: var(--q-dark);"><font>Associated Group Descriptions</font></b><br></div><div><table class="table table-bordered table-alternate mt-2" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-family: Roboto-Regular, sans-serif; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Name</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Description</font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font>Earth Vetala</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; 
border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[9]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font>MERCURY</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[10]</font></a></span></span></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font>Static Kitten</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a 
href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font>Seedworm</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font>TEMP.Zagros</font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: 
-0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr></tbody></table><br></div><div><b style=""><font>Techniques Used</font></b><br></div><div><table class="table techniques-used background table-bordered" style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-size: 16px;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box; border-bottom: 2px solid rgb(222, 226, 230); background: rgb(242, 242, 242);"><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Domain</font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>ID</font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Name</font></th><th class="p-2" style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Use</font></th></tr></thead><tbody style="box-sizing: border-box;"><tr class="sub technique noparent enterprise" id="enterprise" 
style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1548</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> uses various techniques to bypass UAC.<span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: 
relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1087</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: 
border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used <code style="box-sizing: border-box; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">cmd.exe net user /domain</code> to enumerate domain users.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1583</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.006</font></a></td><td style="box-sizing: 
border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1583" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Acquire Infrastructure</a>: <a href="https://attack.mitre.org/techniques/T1583/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Services</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used file sharing services including OneHub to distribute tools.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid 
rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1071</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used HTTP for C2 communications.<span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a 
href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1560</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1560/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1560" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>: <a href="https://attack.mitre.org/techniques/T1560/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive via Utility</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1547</font></a></td><td style="box-sizing: border-box; 
padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has added Registry Run key <code style="box-sizing: border-box; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">KCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemTextEncoding</code> to establish persistence.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: 
-0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; 
border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1059</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used PowerShell for execution.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; 
top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-13-a" 
class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 
172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used a custom tool for creating reverse shells.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a 
href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.005</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used VBScript files to execute its <a href="https://attack.mitre.org/software/S0223" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">POWERSTATS</a> payload, as well as macros.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; 
vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.006</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Python</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used tools developed in Python, including <a href="https://attack.mitre.org/software/S0594" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Out1</a>.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span 
style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.007</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">JavaScript</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">MuddyWater</a> has used JavaScript files to execute its <a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">POWERSTATS</a> payload.<span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 
1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1555</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Credentials from Password Stores</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has performed credential dumping with <a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LaZagne</a> and other tools, including by dumping passwords saved in victim email.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; 
color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Credentials from Web Browsers</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">MuddyWater</a> has run tools including Browser64 to steal passwords saved in victim web browsers.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1132</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used tools to encode C2 communications including Base64 encoding.<span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; 
border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1074</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has stored a decoy PDF file within a victim's <code style="box-sizing: border-box; color: rgb(28, 34, 38); word-break: break-word; background-color: rgb(230, 230, 230); border-radius: 3px; padding: 0px 3px;">%temp%</code> folder.<span 
id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1140</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Deobfuscate/Decode Files or Information</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> decoded base64-encoded PowerShell commands using a VBS file.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: 
border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-14-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[14]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 
223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1573</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Symmetric Cryptography</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used AES to encrypt C2 responses.<span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 
124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1041</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Exfiltration Over C2 Channel</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used C2 infrastructure to receive exfiltrated data.<span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span></font></p></td></tr><tr class="technique enterprise" 
id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1190" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1190</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1190" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Exploit Public-Facing Application</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has exploited the Microsoft Exchange memory corruption vulnerability (CVE-2020-0688).<span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; 
vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1203</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1203" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Exploitation for Client Execution</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has exploited the Office vulnerability CVE-2017-0199 for execution.<span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; 
border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1210" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1210</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1210" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Exploitation of Remote Services</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has exploited the Microsoft Netlogon vulnerability (CVE-2020-1472).<span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 
1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1083</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>File and Directory Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that checked if the ProgramData folder had folders or files with the keywords "Kasper," "Panda," or "ESET."<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); 
border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1589</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1589/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1589" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Gather Victim Identity Information</a>: <a href="https://attack.mitre.org/techniques/T1589/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Addresses</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has specifically targeted government agency employees with spearphishing e-mails.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" 
target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1574</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">MuddyWater</a> maintains persistence on victim networks through side-loading DLLs to trick legitimate programs into running malware.<span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1562</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; 
color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> can disable the system's local proxy settings.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1105</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Ingress Tool 
Transfer</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that can upload additional files to the victim’s machine.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1559</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1559/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Inter-Process Communication</a>: <a href="https://attack.mitre.org/techniques/T1559/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Component Object Model</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used 
malware that has the capability to execute malicious code via COM, DCOM, and Outlook.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: 
top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1559/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Inter-Process Communication</a>: <a href="https://attack.mitre.org/techniques/T1559/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Data Exchange</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that can execute PowerShell scripts via DDE.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid 
rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1036</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.005</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: 
border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1104" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1104</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1104" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Multi-Stage Channels</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: 
top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used one C2 to obtain enumeration scripts and monitor web logs, but a different C2 to send data back.<span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1027</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 
223);"><font><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steganography</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has stored obfuscated JavaScript code in an image file named temp.jpg.<span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/004" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;"><font>.004</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Compile After Delivery</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used the .NET csc.exe tool to compile executables from downloaded C# code.<span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td 
style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.010</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command Obfuscation</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-15-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">[15]</a></span></span> The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: 
relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>T1588</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1588" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obtain Capabilities</a>: <a href="https://attack.mitre.org/techniques/T1588/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Tool</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font>MuddyWater has made use of the legitimate tools ConnectWise and Remote Utilities to gain access to target environments.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 
10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1137" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1137</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1137/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1137" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Office Application Startup</a>: <a href="https://attack.mitre.org/techniques/T1137/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Office Template Macros</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used a Word Template, Normal.dotm, for persistence.<span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" 
style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has performed credential dumping with <a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mimikatz</a> and 
procdump64.exe.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; 
border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.004</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has performed credential dumping with <a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LaZagne</a>.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1003/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.005</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cached Domain Credentials</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has performed credential dumping with <a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LaZagne</a>.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: 
border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1566</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 
223);"><font><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Attachment</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span> <span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: 
border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1566" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Phishing</a>: <a href="https://attack.mitre.org/techniques/T1566/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Spearphishing Link</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has sent targeted spearphishing e-mails with malicious links.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" 
target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1057</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Process Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has 
used malware to obtain a list of running processes on the system.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1090</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1090/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a href="https://attack.mitre.org/techniques/T1090/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">External Proxy</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has controlled <a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">POWERSTATS</a> from behind a proxy network to obfuscate the C2 location.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span> <a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).<span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" 
target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1219" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1219</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1219" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Remote Access Software</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has 
used a legitimate application, ScreenConnect, to manage systems remotely and move laterally.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1053</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a 
href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.005</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used scheduled tasks to establish persistence.<span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 
223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1113</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Screen Capture</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that can capture screenshots of the victim’s machine.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;"><font>T1518</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Software Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used a PowerShell backdoor to check for Skype connectivity on the target machine.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Security Software Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;"><font>T1218</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.003</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">CMSTP</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used CMSTP.exe and a malicious INF to execute its <a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">POWERSTATS</a> payload.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; 
border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.005</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used mshta.exe to execute its <a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">POWERSTATS</a> payload and to pass a PowerShell one-liner for execution.<span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a 
href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.011</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a></font></td><td style="box-sizing: 
border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1082</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>System Information Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: 
border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that can collect the victim’s OS version and machine name.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: 
border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[8]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1016</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>System Network Configuration Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware to collect the victim’s IP address and domain name.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; 
line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1049</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>System Network Connections Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used a PowerShell backdoor to check for Skype connections on the target machine.<span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a 
href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1033</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>System Owner/User Discovery</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that can collect the victim’s username.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1552</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a 
href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has run a tool that steals passwords saved in victim email.<span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1204</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;"><font>.001</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious Link</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has distributed URLs in phishing e-mails that link to lure documents.<span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></p></td></tr><tr class="sub technique enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td 
style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: none; border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial; width: 5ex;"></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.<span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; 
line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span><span id="scite-ref-8-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">[8]</a></span></span></font></p></td></tr><tr class="sub technique noparent enterprise" id="enterprise" style="box-sizing: border-box; border-left: none;"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1102</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>.002</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></font></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used web services including OneHub to distribute remote access tools.<span 
id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span></font></p></td></tr><tr class="technique enterprise" id="enterprise" style="box-sizing: border-box; border-bottom: 1px solid rgb(223, 223, 223);"><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><font>Enterprise</font></td><td colspan="2" style="box-sizing: border-box; padding: 10px; vertical-align: top; border-top: 1px solid rgb(223, 223, 223); border-right: 1px solid rgb(223, 223, 223); border-bottom: none; border-left: 1px solid rgb(223, 223, 223); border-image: initial;"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>T1047</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Windows Management Instrumentation</font></a></td><td style="box-sizing: border-box; padding: 10px; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><p style="box-sizing: border-box; margin-bottom: 0px;"><font><a href="https://attack.mitre.org/groups/G0069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MuddyWater</a> has used malware that leveraged WMI for 
execution and querying host information.<span id="scite-ref-12-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://securelist.com/muddywater/88059/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[12]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-13-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[13]</a></span></span><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span></font></p></td></tr></tbody></table><div style="box-sizing: border-box; margin-top: 0px; margin-bottom: 0.5rem; line-height: 1.2; color: rgb(57, 67, 76); letter-spacing: normal; padding-top: 1rem !important;"><b style=""><font style="">Software</font></b></div><table class="table table-bordered table-alternate mt-2" 
style="box-sizing: border-box; border-collapse: collapse; width: 1367.25px; margin-bottom: 1rem; color: rgb(33, 37, 41); border: 1px solid rgb(223, 223, 223); empty-cells: hide; font-size: 16px; margin-top: 0.5rem !important; background-color: rgb(242, 242, 242) !important;"><thead style="box-sizing: border-box;"><tr style="box-sizing: border-box;"><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>ID</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Name</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>References</font></th><th style="box-sizing: border-box; text-align: inherit; padding: 0.6rem; vertical-align: bottom; border-width: 1px 1px 2px; border-style: solid; border-color: rgb(223, 223, 223) rgb(223, 223, 223) rgb(222, 226, 230); border-image: initial;"><font>Techniques</font></th></tr></thead><tbody style="box-sizing: border-box; background: white; color: rgb(57, 67, 76);"><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0591" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0591</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0591" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>ConnectWise</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-10-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.anomali.com/blog/probable-iranian-cyber-actors-static-kitten-conducting-cyberespionage-campaign-targeting-uae-and-kuwait-government-agencies" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[10]</a></span></span><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[9]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1125" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Video Capture</a></font></td></tr><tr 
style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0488" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0488</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0488" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>CrackMapExec</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Brute Force</a>, <a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Brute Force</a>: <a href="https://attack.mitre.org/techniques/T1110/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Guessing</a>, <a href="https://attack.mitre.org/techniques/T1110" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Brute Force</a>: <a href="https://attack.mitre.org/techniques/T1110/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Spraying</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">NTDS</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1201" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Password Policy Discovery</a>, <a href="https://attack.mitre.org/techniques/T1069" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Permission Groups Discovery</a>: <a href="https://attack.mitre.org/techniques/T1069/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Groups</a>, <a href="https://attack.mitre.org/techniques/T1018" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote System Discovery</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">At</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0363" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0363</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0363" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Empire</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;"><font>[16]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SID-History Injection</a>, <a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Process with Token</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1557" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Adversary-in-the-Middle</a>: <a href="https://attack.mitre.org/techniques/T1557/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LLMNR/NBT-NS Poisoning and SMB Relay</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1560" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Archive Collected Data</a>, <a href="https://attack.mitre.org/techniques/T1119" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Collection</a>, <a href="https://attack.mitre.org/techniques/T1020" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Automated Exfiltration</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Shortcut Modification</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a 
href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Support Provider</a>, <a href="https://attack.mitre.org/techniques/T1217" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Browser Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1115" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clipboard Data</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>, <a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Account</a>, <a href="https://attack.mitre.org/techniques/T1136" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Create Account</a>: <a href="https://attack.mitre.org/techniques/T1136/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1484" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Policy Modification</a>: <a href="https://attack.mitre.org/techniques/T1484/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Group Policy Modification</a>, <a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Discovery</a>, <a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>: <a href="https://attack.mitre.org/techniques/T1114/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Email Collection</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1546" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Event Triggered Execution</a>: <a href="https://attack.mitre.org/techniques/T1546/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Accessibility Features</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Web Service</a>: <a href="https://attack.mitre.org/techniques/T1567/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration to Code Repository</a>, <a href="https://attack.mitre.org/techniques/T1567" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over Web Service</a>: <a href="https://attack.mitre.org/techniques/T1567/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exfiltration to Cloud Storage</a>, <a href="https://attack.mitre.org/techniques/T1068" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation for Privilege Escalation</a>, <a href="https://attack.mitre.org/techniques/T1210" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Exploitation of Remote Services</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1615" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Group Policy Discovery</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dylib Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by Unquoted Path</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by PATH Environment Variable</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a 
href="https://attack.mitre.org/techniques/T1070/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Timestomp</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credential API Hooking</a>, <a href="https://attack.mitre.org/techniques/T1106" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Native API</a>, <a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1040" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Sniffing</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command Obfuscation</a>, <a 
href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Distributed Component Object Model</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SSH</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a 
href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Kerberoasting</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Silver Ticket</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Golden Ticket</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1049" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Connections Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1127" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Trusted Developer Utilities Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1127/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">MSBuild</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a>, <a href="https://attack.mitre.org/techniques/T1125" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Video Capture</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0250" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0250</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0250" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Koadic</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-6-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[6]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1548" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Abuse Elevation Control Mechanism</a>: <a href="https://attack.mitre.org/techniques/T1548/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Bypass User Account Control</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1115" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Clipboard Data</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a 
href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1564" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hide Artifacts</a>: <a href="https://attack.mitre.org/techniques/T1564/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hidden Window</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Service Discovery</a>, <a href="https://attack.mitre.org/techniques/T1135" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Network Share Discovery</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">NTDS</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1021" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Services</a>: <a href="https://attack.mitre.org/techniques/T1021/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Remote Desktop Protocol</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/011" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rundll32</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1569" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Services</a>: <a href="https://attack.mitre.org/techniques/T1569/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Service Execution</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0349</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0349" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>LaZagne</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Keychain</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 
124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">/etc/passwd and /etc/shadow</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proc Filesystem</a>, <a 
href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Cached Domain Credentials</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials In Files</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0002</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Mimikatz</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: 
relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[16]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>: <a href="https://attack.mitre.org/techniques/T1134/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">SID-History Injection</a>, <a href="https://attack.mitre.org/techniques/T1098" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Support Provider</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); 
background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Web Browsers</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DCSync</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Account Manager</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSA Secrets</a>, <a href="https://attack.mitre.org/techniques/T1207" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Rogue Domain Controller</a>, <a href="https://attack.mitre.org/techniques/T1649" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Authentication Certificates</a>, <a href="https://attack.mitre.org/techniques/T1558" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Silver Ticket</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Golden Ticket</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Private Keys</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Ticket</a>, <a href="https://attack.mitre.org/techniques/T1550" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Use Alternate Authentication Material</a>: <a href="https://attack.mitre.org/techniques/T1550/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Pass the Hash</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1047</font></a></td><td 
style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Mori</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[7]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DNS</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1001" style="box-sizing: border-box; color: rgb(79, 
124, 172); background-color: transparent;">Data Obfuscation</a>: <a href="https://attack.mitre.org/techniques/T1001/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Junk Data</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1112" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Modify Registry</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Regsvr32</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0594" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0594</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0594" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>Out1</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[9]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1114" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Email Collection</a>: <a href="https://attack.mitre.org/techniques/T1114/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Email Collection</a>, <a href="https://attack.mitre.org/techniques/T1027" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0194" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0194</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0194" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>PowerSploit</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[16]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1134" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Access Token Manipulation</a>, <a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a 
href="https://attack.mitre.org/techniques/T1123" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Audio Capture</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Support Provider</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1555" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials from Password Stores</a>: <a href="https://attack.mitre.org/techniques/T1555/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Credential Manager</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1482" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Domain Trust Discovery</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/009" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by Unquoted Path</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/008" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by Search Order Hijacking</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Path Interception by PATH Environment Variable</a>, <a href="https://attack.mitre.org/techniques/T1056" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Input Capture</a>: <a href="https://attack.mitre.org/techniques/T1056/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">Keylogging</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal from Tools</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command Obfuscation</a>, <a href="https://attack.mitre.org/techniques/T1003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">OS Credential Dumping</a>: <a href="https://attack.mitre.org/techniques/T1003/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">LSASS Memory</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1055" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Injection</a>: <a href="https://attack.mitre.org/techniques/T1055/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic-link Library Injection</a>, <a href="https://attack.mitre.org/techniques/T1012" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Query Registry</a>, <a href="https://attack.mitre.org/techniques/T1620" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Reflective Code Loading</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: 
rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1558" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Steal or Forge Kerberos Tickets</a>: <a href="https://attack.mitre.org/techniques/T1558/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Kerberoasting</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Credentials in Registry</a>, <a href="https://attack.mitre.org/techniques/T1552" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Unsecured Credentials</a>: <a href="https://attack.mitre.org/techniques/T1552/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Group Policy Preferences</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0223</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; 
vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0223" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>POWERSTATS</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-2-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[2]</a></span></span><span id="scite-ref-11-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[11]</a></span></span><span id="scite-ref-4-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[4]</a></span></span><span id="scite-ref-3-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" 
style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[3]</a></span></span><span id="scite-ref-5-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[5]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1087" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Account Discovery</a>: <a href="https://attack.mitre.org/techniques/T1087/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Account</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">JavaScript</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; 
color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1562" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Impair Defenses</a>: <a href="https://attack.mitre.org/techniques/T1562/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Disable or Modify Tools</a>, <a href="https://attack.mitre.org/techniques/T1070" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Indicator Removal</a>: <a href="https://attack.mitre.org/techniques/T1070/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File Deletion</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1559" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">Inter-Process Communication</a>: <a href="https://attack.mitre.org/techniques/T1559/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Component Object Model</a>, <a href="https://attack.mitre.org/techniques/T1559" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Inter-Process Communication</a>: <a href="https://attack.mitre.org/techniques/T1559/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Dynamic Data Exchange</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/004" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerade Task or Service</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command Obfuscation</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Binary Padding</a>, <a href="https://attack.mitre.org/techniques/T1057" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Process Discovery</a>, <a href="https://attack.mitre.org/techniques/T1090" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Proxy</a>: <a 
href="https://attack.mitre.org/techniques/T1090/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">External Proxy</a>, <a href="https://attack.mitre.org/techniques/T1053" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task/Job</a>: <a href="https://attack.mitre.org/techniques/T1053/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Task</a>, <a href="https://attack.mitre.org/techniques/T1029" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Scheduled Transfer</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1518" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Software Discovery</a>: <a href="https://attack.mitre.org/techniques/T1518/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Security Software Discovery</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Mshta</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1047" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Management Instrumentation</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1046</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1046" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>PowGoop</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[7]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a 
href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1140" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Deobfuscate/Decode Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>, <a href="https://attack.mitre.org/techniques/T1574" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Hijack Execution Flow</a>: <a href="https://attack.mitre.org/techniques/T1574/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">DLL Side-Loading</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0592" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;"><font>S0592</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0592" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>RemoteUtilities</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-9-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[9]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1083" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">File and Directory Discovery</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1113" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Screen Capture</a>, <a href="https://attack.mitre.org/techniques/T1218" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Binary Proxy Execution</a>: <a href="https://attack.mitre.org/techniques/T1218/007" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Msiexec</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; 
border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0450" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S0450</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S0450" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>SHARPSTATS</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-16-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[16]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">PowerShell</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>: <a href="https://attack.mitre.org/techniques/T1027/010" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">Command Obfuscation</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1124" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Time Discovery</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1035" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1035</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1035" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>Small Sieve</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[7]</a></span></span><span id="scite-ref-17-a" class="scite-citeref-number" style="box-sizing: 
border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.ncsc.gov.uk/files/NCSC-Malware-Analysis-Report-Small-Sieve.pdf" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">[17]</a></span></span></font></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/006" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Python</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Non-Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1573" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Encrypted Channel</a>: <a href="https://attack.mitre.org/techniques/T1573/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Asymmetric Cryptography</a>, <a href="https://attack.mitre.org/techniques/T1480" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Execution Guardrails</a>, <a href="https://attack.mitre.org/techniques/T1105" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Ingress Tool Transfer</a>, <a href="https://attack.mitre.org/techniques/T1036" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Masquerading</a>: <a href="https://attack.mitre.org/techniques/T1036/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Match Legitimate Name or Location</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1102" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Service</a>: <a href="https://attack.mitre.org/techniques/T1102/002" style="box-sizing: 
border-box; color: rgb(79, 124, 172); background-color: transparent;">Bidirectional Communication</a></font></td></tr><tr style="box-sizing: border-box;"><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1037" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>S1037</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><a href="https://attack.mitre.org/software/S1037" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>STARWHALE</font></a></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><span id="scite-ref-7-a" class="scite-citeref-number" style="box-sizing: border-box;"><span style="box-sizing: border-box; position: relative; line-height: 0; vertical-align: baseline; top: -0.5em;"><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;"><font>[7]</font></a></span></span></td><td style="box-sizing: border-box; padding: 0.75rem; vertical-align: top; border: 1px solid rgb(223, 223, 223);"><font><a href="https://attack.mitre.org/techniques/T1071" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Application Layer Protocol</a>: <a href="https://attack.mitre.org/techniques/T1071/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Web Protocols</a>, <a href="https://attack.mitre.org/techniques/T1547" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Boot or Logon Autostart Execution</a>: <a href="https://attack.mitre.org/techniques/T1547/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: 
transparent;">Registry Run Keys / Startup Folder</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Command Shell</a>, <a href="https://attack.mitre.org/techniques/T1059" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Command and Scripting Interpreter</a>: <a href="https://attack.mitre.org/techniques/T1059/005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Visual Basic</a>, <a href="https://attack.mitre.org/techniques/T1543" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Create or Modify System Process</a>: <a href="https://attack.mitre.org/techniques/T1543/003" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Windows Service</a>, <a href="https://attack.mitre.org/techniques/T1132" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Encoding</a>: <a href="https://attack.mitre.org/techniques/T1132/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Standard Encoding</a>, <a href="https://attack.mitre.org/techniques/T1005" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data from Local System</a>, <a href="https://attack.mitre.org/techniques/T1074" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Data Staged</a>: <a href="https://attack.mitre.org/techniques/T1074/001" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Local Data Staging</a>, <a href="https://attack.mitre.org/techniques/T1041" style="box-sizing: border-box; 
color: rgb(79, 124, 172); background-color: transparent;">Exfiltration Over C2 Channel</a>, <a href="https://attack.mitre.org/techniques/T1027" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Obfuscated Files or Information</a>, <a href="https://attack.mitre.org/techniques/T1082" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Information Discovery</a>, <a href="https://attack.mitre.org/techniques/T1016" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Network Configuration Discovery</a>, <a href="https://attack.mitre.org/techniques/T1033" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">System Owner/User Discovery</a>, <a href="https://attack.mitre.org/techniques/T1204" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">User Execution</a>: <a href="https://attack.mitre.org/techniques/T1204/002" style="box-sizing: border-box; color: rgb(79, 124, 172); background-color: transparent;">Malicious File</a></font></td></tr></tbody></table></div>
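As an added example (not code from this page, from MITRE, or from any MuddyWater tooling), the Python below turns the three software-to-technique mappings in the table above into a small coverage matrix, so a defender can see which techniques all three tools share (the cheapest detections to prioritise), and then runs a detection for one of the two-tool overlaps, T1547.001 Registry Run Keys, over Sysmon-style registry events. The technique IDs are copied from the table; the event field names follow Sysmon's RegistryEvent (EventID 13) schema; the allowlisted installer paths, the `parent_technique`/`technique_coverage`/`detect_run_key_persistence` helpers and the sample events are constructed assumptions for the example.

```python
"""
Added example (not from the page, MITRE, or MuddyWater tooling): build a
coverage matrix from the ATT&CK mapping in the table above, then run a
detection for one high-overlap technique over constructed Sysmon-style events.
"""
import re
from collections import defaultdict

# Technique IDs copied from the table above (MITRE ATT&CK software entries
# S0450 SHARPSTATS, S1035 Small Sieve, S1037 STARWHALE).
TOOL_TECHNIQUES = {
    "SHARPSTATS": {
        "T1059.001", "T1105", "T1027.010", "T1082", "T1016", "T1033", "T1124",
    },
    "Small Sieve": {
        "T1071.001", "T1547.001", "T1059.006", "T1059.003", "T1132.002",
        "T1573.002", "T1480", "T1105", "T1036.005", "T1027", "T1016", "T1033",
        "T1102.002",
    },
    "STARWHALE": {
        "T1071.001", "T1547.001", "T1059.003", "T1059.005", "T1543.003",
        "T1132.001", "T1005", "T1074.001", "T1041", "T1027", "T1082", "T1016",
        "T1033", "T1204.002",
    },
}


def parent_technique(tid):
    """'T1059.001' -> 'T1059'; parent IDs pass through unchanged."""
    return tid.split(".")[0]


def technique_coverage(collapse_subtechniques=False):
    """Map each technique ID to the set of tools in the table that use it.

    With collapse_subtechniques=True, sub-techniques roll up to the parent so
    that PowerShell, Python and Windows Command Shell all count as T1059.
    """
    cov = defaultdict(set)
    for tool, techs in TOOL_TECHNIQUES.items():
        for t in techs:
            key = parent_technique(t) if collapse_subtechniques else t
            cov[key].add(tool)
    return dict(cov)


def shared_by_all(collapse_subtechniques=True):
    """Techniques every tool in the table uses, sorted by ID."""
    cov = technique_coverage(collapse_subtechniques)
    return sorted(t for t, tools in cov.items() if len(tools) == len(TOOL_TECHNIQUES))


# --- Detection for T1547.001 (Registry Run Keys), used by Small Sieve and STARWHALE ---

# Matches ...\Software\[Wow6432Node\]Microsoft\Windows\CurrentVersion\Run[Once]\<value>
RUN_KEY_RE = re.compile(
    r"\\(Software\\(Wow6432Node\\)?)?Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)
# Constructed allowlist of installers/updaters that legitimately write Run keys
# (an assumption for the example; tune to your own environment).
BENIGN_IMAGES = {
    r"c:\windows\system32\msiexec.exe",
    r"c:\program files\google\update\googleupdate.exe",
}


def detect_run_key_persistence(events):
    """Flag Sysmon EventID 13 (RegistryEvent SetValue) writes to Run/RunOnce keys.

    `events` is an iterable of dicts with Sysmon-like field names. Each finding
    carries the technique ID and the tools in the table known to use it.
    """
    known_users = technique_coverage().get("T1547.001", set())
    findings = []
    for ev in events:
        if ev.get("EventID") != 13:
            continue
        if not RUN_KEY_RE.search(ev.get("TargetObject", "")):
            continue
        if ev.get("Image", "").lower() in BENIGN_IMAGES:
            continue
        findings.append({
            "technique": "T1547.001",
            "image": ev["Image"],
            "target": ev["TargetObject"],
            "value": ev.get("Details", ""),
            "known_users": sorted(known_users),
        })
    return findings


# Constructed sample events (not real telemetry): a benign installer write,
# a suspicious write from a user-writable temp path, and an unrelated key.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd /c whoami"},
    {"EventID": 13, "Image": r"C:\Windows\System32\msiexec.exe",
     "TargetObject": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorAgent",
     "Details": r"C:\Program Files\Vendor\agent.exe"},
    {"EventID": 13, "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDriveUpd",
     "Details": r"C:\Users\alice\AppData\Roaming\OneDriveUpd\index.exe"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden",
     "Details": "DWORD (0x00000001)"},
]

if __name__ == "__main__":
    print("Shared by all three tools (parent techniques):", shared_by_all())
    print("Shared by all three tools (exact IDs):", shared_by_all(collapse_subtechniques=False))
    for finding in detect_run_key_persistence(SAMPLE_EVENTS):
        print(finding)
```

Rolling sub-techniques up to their parents matters here: on exact IDs only System Network Configuration Discovery (T1016) and System Owner/User Discovery (T1033) are common to all three tools, but at the parent level Command and Scripting Interpreter (T1059) and Obfuscated Files or Information (T1027) join them, which is the level at which script-block logging and obfuscation detections are usually built. The Run-key rule ignores the allowlisted installer but flags the write from a user-writable temp directory, the pattern the Registry Run Keys entries for Small Sieve and STARWHALE describe.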