G0064 · 32 ATT&CK techniques · 1 correlated reports

APT33

Aliases: HOLMIUM, Elfin, Peach Sandstorm

APT33 is a suspected Iranian threat group that has carried out operations since at least 2013. The group has targeted organizations across multiple industries in the United States, Saudi Arabia, and South Korea, with a particular interest in the aviation and energy sectors.

Open interactive actor investigation

ATT&CK techniques

T1552.001
Credentials In Files T1003.005
Cached Domain Credentials T1560.001
Archive via Utility T1555.003
Credentials from Web Browsers T1552.006
Group Policy Preferences T1027.013
Encrypted/Encoded File T1566.001
Spearphishing Attachment T1003.001
LSASS Memory T1566.002
Spearphishing Link T1110.003
Password Spraying T1003.004
LSA Secrets T1053.005
Scheduled Task T1555
Credentials from Password Stores T1546.003
Windows Management Instrumentation Event Subscription T1105
Ingress Tool Transfer T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol T1588.002
Tool T1040
Network Sniffing T1071.001
Web Protocols T1059.001
PowerShell T1547.001
Registry Run Keys / Startup Folder T1078
Valid Accounts T1573.001
Symmetric Cryptography T1059.005
Visual Basic T1132.001
Standard Encoding T1571
Non-Standard Port T1078.004
Cloud Accounts T1203
Exploitation for Client Execution T1204.002
Malicious File T1204.001
Malicious Link T1068
Exploitation for Privilege Escalation T1480
Execution Guardrails

Correlated CTI and IR reports

Israel Government Threat Actors CTI: Evidentiary Foundation Intake
Israel Threat Actors CTI · explicit report mention

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research