Description
[Leafminer](https://attack.mitre.org/groups/G0077) is an Iranian threat group that has targeted government organizations and business entities in the Middle East since at least early 2017. (Citation: Symantec Leafminer July 2018)
Techniques Used (TTPs)
- T1027.010 — Command Obfuscation (defense-evasion)
- T1588.002 — Tool (resource-development)
- T1003.001 — LSASS Memory (credential-access)
- T1555 — Credentials from Password Stores (credential-access)
- T1046 — Network Service Discovery (discovery)
- T1003.005 — Cached Domain Credentials (credential-access)
- T1555.003 — Credentials from Web Browsers (credential-access)
- T1552.001 — Credentials In Files (credential-access)
- T1003.004 — LSA Secrets (credential-access)
- T1055.013 — Process Doppelgänging (defense-evasion, privilege-escalation)
- T1189 — Drive-by Compromise (initial-access)
- T1018 — Remote System Discovery (discovery)
- T1110.003 — Password Spraying (credential-access)
- T1136.001 — Local Account (persistence)
- T1059.007 — JavaScript (execution)
- T1114.002 — Remote Email Collection (collection)
- T1083 — File and Directory Discovery (discovery)
Total TTPs: 17
Malware & Tools
Tools: LaZagne, MailSniper, Mimikatz, PsExec