Skip to content

G0003 Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. 1 Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). 2

Item Value
ID G0003
Associated Names Threat Group 2889, TG-2889
Version 1.3
Created 31 May 2017
Last Modified 12 October 2021
Navigation Layer View In ATT&CK® Navigator

Associated Group Descriptions

Name Description
Threat Group 2889 2
TG-2889 2

Techniques Used

Domain ID Name Use
enterprise T1557 Adversary-in-the-Middle -
enterprise T1557.002 ARP Cache Poisoning Cleaver has used custom tools to facilitate ARP cache poisoning.1
enterprise T1587 Develop Capabilities -
enterprise T1587.001 Malware Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.1
enterprise T1585 Establish Accounts -
enterprise T1585.001 Social Media Accounts Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.2
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.1
enterprise T1003 OS Credential Dumping -
enterprise T1003.001 LSASS Memory Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.1


ID Name References Techniques
S0002 Mimikatz - SID-History Injection:Access Token Manipulation Account Manipulation Security Support Provider:Boot or Logon Autostart Execution Credentials from Password Stores Credentials from Web Browsers:Credentials from Password Stores Windows Credential Manager:Credentials from Password Stores LSA Secrets:OS Credential Dumping DCSync:OS Credential Dumping Security Account Manager:OS Credential Dumping LSASS Memory:OS Credential Dumping Rogue Domain Controller Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Pass the Ticket:Use Alternate Authentication Material
S0056 Net Crawler - Password Cracking:Brute Force LSASS Memory:OS Credential Dumping SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0029 PsExec - Domain Account:Create Account Windows Service:Create or Modify System Process Lateral Tool Transfer SMB/Windows Admin Shares:Remote Services Service Execution:System Services
S0004 TinyZBot - Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Shortcut Modification:Boot or Logon Autostart Execution Clipboard Data Windows Command Shell:Command and Scripting Interpreter Windows Service:Create or Modify System Process Disable or Modify Tools:Impair Defenses Keylogging:Input Capture Screen Capture


Back to top