Mapping To Cleaver

Cleaver is a threat group that has been attributed to Iranian actors and is responsible for activity tracked as Operation Cleaver. Strong circumstantial evidence suggests Cleaver is linked to Threat Group 2889 (TG-2889).


Disclaimer: We present this mapping to stimulate thinking about active defense options to combat this adversary, not to present all possibilities. We invite you to use this as a guide and add your own use cases for applying Shield techniques to counter each adversary action.

Note: All ATT&CK Group sub-technique mappings have been remapped to their parent technique and were derived from Group Technique mappings in ATT&CK v8.

Details
ATT&CK ID: G0003
Associated Groups:  Cleaver, Threat Group 2889, TG-2889
Note:  This page uses Adversary Group data from MITRE ATT&CK.
ATT&CK Technique Opportunity Space AD Technique Use Case
T1003 - OS Credential Dumping There is an opportunity to deploy a tripwire that triggers an alert when an adversary touches a network resource or uses a specific technique. DTE0012 - Decoy Credentials A defender can seed systems with decoy credentials in a variety of locations and establish alerting that will trigger if an adversary harvests the credentials and attempts to use them.
T1557 - Man-in-the-Middle There is an opportunity to monitor network traffic for different protocols, anomalous traffic patterns, transfer of data, etc. to determine the presence of an adversary. DTE0027 - Network Monitoring A defender can monitor network traffic for anomalies associated with known MiTM behavior.
T1585 - Establish Accounts Users trained and encouraged to report phishing can detect attacks that other defenses do not. DTE0035 - User Training A program to train and exercise the anti-phishing skills of users can create "Human Sensors" that help detect phishing attacks.