Skip to content

G0003 Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. 1 Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). 2

Item Value
ID G0003
Associated Names Threat Group 2889, TG-2889
Version 1.3
Created 31 May 2017
Last Modified 22 July 2022
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Threat Group 2889 2
TG-2889 2

Techniques Used

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.002 ARP Cache Poisoning Cleaver has used custom tools to facilitate ARP cache poisoning.1
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.1
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.1

Software

ID Name References Techniques
S0002 Mimikatz 1 SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores LSASS Memory:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSA Secrets:OS Credential Dumping Rogue Domain Controller Steal or Forge Authentication Certificates Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Ticket:Use Alternate Authentication Material Pass the Hash:Use Alternate Authentication Material
S0056 Net Crawler 1 Password Cracking:Brute Force LSASS Memory:OS Credential Dumping SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0029 PsExec 1 Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0004 TinyZBot 1 Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Disable or Modify Tools:Impair Defenses Keylogging:Input Capture Screen Capture

References

  1. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. 

  2. Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.