Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)

Stealth Falcon is a threat group that has conducted targeted spyware attacks against Emirati journalists, activists, and dissidents since at least 2012. Circumstantial evidence suggests there could be a link between this group and the United Arab Emirates (UAE) government, but that has not been confirmed. (Citation: Citizen Lab Stealth Falcon May 2016)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Stealth Falcon (dab75e38-6969-4e78-9304-dc269c3cbcf0)	Threat Actor	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	1
Stealth Falcon - G0038 (894aab42-3371-47b1-8859-a4a074c804c8)	Intrusion Set	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	1
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2