Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Cleaver
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Cleaver
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. (Citation: Cylance Cleaver) Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). (Citation: Dell Threat Group 2889)
ID: G0003
Associated Groups: Threat Group 2889, TG-2889
Version: 1.3
Created: 31 May 2017
Last Modified: 22 Jul 2022

Associated Group Descriptions
Name Description
Threat Group 2889 (Citation: Dell Threat Group 2889)
TG-2889 (Citation: Dell Threat Group 2889)

Techniques Used
Domain ID Name Use
Enterprise T1557 .002 Adversary-in-the-Middle: ARP Cache Poisoning

Cleaver has used custom tools to facilitate ARP cache poisoning.(Citation: Cylance Cleaver)
Enterprise T1587 .001 Develop Capabilities: Malware

Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.(Citation: Cylance Cleaver)
Enterprise T1585 .001 Establish Accounts: Social Media Accounts

Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.(Citation: Dell Threat Group 2889)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.(Citation: Cylance Cleaver)
Enterprise T1588 .002 Obtain Capabilities: Tool

Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz.(Citation: Cylance Cleaver)

Software
ID Name References Techniques
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Cylance Cleaver) (Citation: Deply Mimikatz) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0004 TinyZBot (Citation: Cylance Cleaver) Clipboard Data, Screen Capture, Shortcut Modification, Windows Service, Registry Run Keys / Startup Folder, Disable or Modify Tools, Keylogging, Windows Command Shell
S0056 Net Crawler (Citation: Cylance Cleaver) Password Cracking, Service Execution, LSASS Memory, SMB/Windows Admin Shares
S0029 PsExec (Citation: Cylance Cleaver) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
  2. Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.