Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа Leafminer
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
Leafminer
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)
ID: G0077
Associated Groups: Raspite
Version: 2.3
Created: 17 Oct 2018
Last Modified: 12 Oct 2021

Associated Group Descriptions
Name Description
Raspite (Citation: Dragos Raspite Aug 2018)

Techniques Used
Domain ID Name Use
Enterprise T1110 .003 Brute Force: Password Spraying

Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.(Citation: Symantec Leafminer July 2018)
Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Leafminer infected victims using JavaScript code.(Citation: Symantec Leafminer July 2018)
Enterprise T1136 .001 Create Account: Local Account

Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.(Citation: Symantec Leafminer July 2018)
Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

Leafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)
Enterprise T1114 .002 Email Collection: Remote Email Collection

Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.(Citation: Symantec Leafminer July 2018)
Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.(Citation: Symantec Leafminer July 2018)
.004 OS Credential Dumping: LSA Secrets

Leafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)

.005 OS Credential Dumping: Cached Domain Credentials

Leafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)

Enterprise T1588 .002 Obtain Capabilities: Tool

Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper.(Citation: Symantec Leafminer July 2018)
Enterprise T1055 .013 Process Injection: Process Doppelgänging

Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.(Citation: Symantec Leafminer July 2018)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Leafminer used several tools for retrieving login and password information, including LaZagne.(Citation: Symantec Leafminer July 2018)

Software
ID Name References Techniques
S0413 MailSniper (Citation: GitHub MailSniper) (Citation: Symantec Leafminer July 2018) Remote Email Collection, Password Spraying, Email Account
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Symantec Leafminer July 2018) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: Symantec Leafminer July 2018) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0029 PsExec (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec Leafminer July 2018) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account

References

  1. Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
  2. Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.