Group description: Cleaver

Source: attack.mitre.org (MITRE ATT&CK)
Cleaver (Threat Group 2889, TG-2889), Group G0003

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. [1] Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889). [2]

ID: G0003
Associated Groups: Threat Group 2889, TG-2889
Version: 1.3
Created: 31 May 2017
Last Modified: 16 April 2025

Associated Group Descriptions

Threat Group 2889 [2]
TG-2889 [2]

Techniques Used

Enterprise T1557.002 Adversary-in-the-Middle: ARP Cache Poisoning
  Cleaver has used custom tools to facilitate ARP cache poisoning. [1]

Enterprise T1587.001 Develop Capabilities: Malware
  Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. [1]

Enterprise T1585.001 Establish Accounts: Social Media Accounts
  Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections. [2]

Enterprise T1588.002 Obtain Capabilities: Tool
  Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz. [1]

Enterprise T1003.001 OS Credential Dumping: LSASS Memory
  Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor. [1]

Software

S0002 Mimikatz [1]
  Techniques: Access Token Manipulation: SID-History Injection; Account Manipulation; Boot or Logon Autostart Execution: Security Support Provider; Credentials from Password Stores; Credentials from Password Stores: Credentials from Web Browsers; Credentials from Password Stores: Windows Credential Manager; OS Credential Dumping: DCSync; OS Credential Dumping: Security Account Manager; OS Credential Dumping: LSASS Memory; OS Credential Dumping: LSA Secrets; Rogue Domain Controller; Steal or Forge Authentication Certificates; Steal or Forge Kerberos Tickets: Golden Ticket; Steal or Forge Kerberos Tickets: Silver Ticket; Unsecured Credentials: Private Keys; Use Alternate Authentication Material: Pass the Hash; Use Alternate Authentication Material: Pass the Ticket

S0056 Net Crawler [1]
  Techniques: Brute Force: Password Cracking; OS Credential Dumping: LSASS Memory; Remote Services: SMB/Windows Admin Shares; System Services: Service Execution

S0029 PsExec [1]
  Techniques: Create Account: Domain Account; Create or Modify System Process: Windows Service; Lateral Tool Transfer; Remote Services: SMB/Windows Admin Shares; System Services: Service Execution

S0004 TinyZBot [1]
  Techniques: Boot or Logon Autostart Execution: Shortcut Modification; Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder; Clipboard Data; Command and Scripting Interpreter: Windows Command Shell; Create or Modify System Process: Windows Service; Impair Defenses: Disable or Modify Tools; Input Capture: Keylogging; Screen Capture

References

[1] Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
[2] Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.