Leafminer

Leafminer is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. [1]

ID: G0077
Aliases: Leafminer
Version: 1.0

Alias Descriptions

Name | Description
Leafminer | [1]

Techniques Used

Domain | ID | Name | Use
Enterprise | T1110 | Brute Force | Leafminer used a tool called BruteForcer to perform a brute force attack. [1]
Enterprise | T1136 | Create Account | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine. [1]
Enterprise | T1003 | Credential Dumping | Leafminer leveraged the tool LaZagne for retrieving login and password information. [1]
Enterprise | T1189 | Drive-by Compromise | Leafminer has infected victims using watering holes. [1]
Enterprise | T1114 | Email Collection | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords. [1]
Enterprise | T1083 | File and Directory Discovery | Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files. [1]
Enterprise | T1046 | Network Service Scanning | Leafminer scanned network services to search for vulnerabilities in the victim system. [1]
Enterprise | T1027 | Obfuscated Files or Information | Leafminer obfuscated scripts that were used on victim machines. [1]
Enterprise | T1108 | Redundant Access | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine. [1]
Enterprise | T1018 | Remote System Discovery | Leafminer used Microsoft's Sysinternals tools to gather detailed information about remote systems. [1]
Enterprise | T1064 | Scripting | Leafminer infected victims using JavaScript code. [1]
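The first two rows above (T1110 Brute Force and T1136 Create Account) describe a sequence a defender can look for directly in Windows Security logs: a burst of failed logons (event 4625) from one source, a success (4624) from the same source, and then a new account created (4720) by the account that just logged on. The detection below is an added example written for this page; it is not part of the ATT&CK entry or the cited report, and the event records, hostnames, IP addresses, usernames and the 10-failures-in-5-minutes threshold are all constructed assumptions. The field names are a simplified model of the real event fields, not the Windows XML schema.

```python
"""Detect the T1110 -> T1136 chain (brute force, then a new account) in
simplified Windows Security log records. Added example, not ATT&CK content."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Event IDs as in Windows:
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created.
# For 4624/4625 "user" is the target account; for 4720 "user" is the subject
# (creator) and "new_user" the account that was created. Real 4720 events carry
# no source IP, so none is modelled here.
SAMPLE_EVENTS = [
    {"time": f"2018-06-01T02:00:{s:02d}", "id": 4625, "host": "FS01",
     "src": "10.0.0.50", "user": "administrator"}
    for s in range(1, 13)  # 12 failures in 12 seconds
] + [
    {"time": "2018-06-01T02:00:13", "id": 4624, "host": "FS01",
     "src": "10.0.0.50", "user": "administrator"},
    {"time": "2018-06-01T02:05:00", "id": 4720, "host": "FS01",
     "user": "administrator", "new_user": "support01"},
    # Benign noise: a user mistyping a password twice, and an unrelated
    # account creation on a different host with no preceding brute force.
    {"time": "2018-06-01T09:14:02", "id": 4625, "host": "FS01",
     "src": "10.0.0.7", "user": "jsmith"},
    {"time": "2018-06-01T09:14:09", "id": 4625, "host": "FS01",
     "src": "10.0.0.7", "user": "jsmith"},
    {"time": "2018-06-01T09:14:20", "id": 4624, "host": "FS01",
     "src": "10.0.0.7", "user": "jsmith"},
    {"time": "2018-06-01T10:00:00", "id": 4720, "host": "DC01",
     "user": "helpdesk", "new_user": "newhire"},
]


def parse_time(s):
    return datetime.fromisoformat(s)


def detect_brute_force(events, threshold=10, window=timedelta(minutes=5)):
    """T1110: sources with >= threshold failed logons (4625) against one host
    inside a sliding window. Returns {(src, host): time of first failure in
    the offending window}."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[(e["src"], e["host"])].append(parse_time(e["time"]))
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = times[start]
                break
    return hits


def detect_account_after_brute_force(events, threshold=10,
                                     window=timedelta(minutes=5),
                                     lookahead=timedelta(hours=1)):
    """T1110 -> T1136 chain: a brute-forced (src, host) pair later logs on
    successfully (4624) and that account creates a new user (4720) on the same
    host within `lookahead`. Returns one dict per chain found."""
    brute = detect_brute_force(events, threshold, window)
    ordered = sorted(events, key=lambda e: parse_time(e["time"]))
    chains = []
    for (src, host), t0 in brute.items():
        successes = [e for e in ordered
                     if e["id"] == 4624 and e["host"] == host
                     and e["src"] == src and parse_time(e["time"]) >= t0]
        for s in successes:
            ts = parse_time(s["time"])
            for c in ordered:
                if c["id"] != 4720 or c["host"] != host or c["user"] != s["user"]:
                    continue
                if ts <= parse_time(c["time"]) <= ts + lookahead:
                    chains.append({"src": src, "host": host,
                                   "subject": s["user"],
                                   "new_user": c["new_user"],
                                   "created_at": c["time"]})
    return chains


if __name__ == "__main__":
    for chain in detect_account_after_brute_force(SAMPLE_EVENTS):
        print("ALERT brute force followed by account creation:", chain)
```

On the sample data only 10.0.0.50 crosses the failure threshold, and the chain logic ties its subsequent administrator logon to the creation of support01 on FS01; jsmith's two typos and the helpdesk account creation on DC01 are left alone. In a real deployment the threshold and window must be tuned to the environment, and the correlation should use the Logon ID shared between 4624 and 4720 rather than the username, which this simplified model does not carry.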

Software

ID | Name | Techniques
S0002 | Mimikatz | Account Manipulation, Credential Dumping, Credentials in Files, DCShadow, Pass the Hash, Pass the Ticket, Private Keys, Security Support Provider, SID-History Injection
S0029 | PsExec | Service Execution, Windows Admin Shares

References