1. Home
  2. Groups
  3. Cleaver

Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Associated Groups: Threat Group 2889, TG-2889
Version: 1.3
Created: 31 May 2017
Last Modified: 22 July 2022

Associated Group Descriptions

Name Description
Threat Group 2889

[2]
TG-2889

[2]
Enterprise Layer
download view

Techniques Used

Domain ID Name Use
Enterprise T1557 .002 中间人攻击: ARP Cache Poisoning

Cleaver has used custom tools to facilitate ARP cache poisoning.[1]
Enterprise T1585 .001 建立账户: Social Media Accounts

Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.[2]
Enterprise T1587 .001 开发能力: Malware

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.[1]
Enterprise T1003 .001 操作系统凭证转储: LSASS Memory

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.[1]
Enterprise T1588 .002 获取能力: Tool

Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.[1]

Software

ID Name References Techniques
S0002 Mimikatz [1] 从密码存储中获取凭证, 从密码存储中获取凭证: Credentials from Web Browsers, 从密码存储中获取凭证: Windows Credential Manager, 伪造域控制器, 使用备用认证材料: Pass the Hash, 使用备用认证材料: Pass the Ticket, 启动或登录自动启动执行: Security Support Provider, 操作系统凭证转储: DCSync, 操作系统凭证转储: Security Account Manager, 操作系统凭证转储: LSASS Memory, 操作系统凭证转储: LSA Secrets, 未加密凭证: Private Keys, 窃取或伪造Kerberos票据: Golden Ticket, 窃取或伪造Kerberos票据: Silver Ticket, 窃取或伪造身份认证证书, 访问令牌操控: SID-History Injection, 账号操控
S0056 Net Crawler [1] 操作系统凭证转储: LSASS Memory, 暴力破解: Password Cracking, 系统服务: Service Execution, 远程服务: SMB/Windows Admin Shares
S0029 PsExec [1] 创建或修改系统进程: Windows Service, 创建账户: Domain Account, 横向工具传输, 系统服务: Service Execution, 远程服务: SMB/Windows Admin Shares
S0004 TinyZBot [1] 创建或修改系统进程: Windows Service, 剪贴板数据, 启动或登录自动启动执行: Shortcut Modification, 启动或登录自动启动执行: Registry Run Keys / Startup Folder, 命令与脚本解释器: Windows Command Shell, 妨碍防御: Disable or Modify Tools, 屏幕捕获, 输入捕获: Keylogging

References

  1. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  1. Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.