G0003: Cleaver
Analyst context for executives and security teams
Cleaver is an ATT&CK group entry associated in MITRE reporting with Iranian actors and Operation Cleaver, with circumstantial linkage to Threat Group 2889/TG-2889. The useful defensive takeaway is not the name alone: the related ATT&CK relationships point to credential theft, Windows administrative tooling, SMB-based spreading, malware development, and social-media persona development as areas leaders should expect defenders to validate.
Executive priority
Prioritize assurance around identity security and Windows lateral-movement readiness. The relationships to Mimikatz, LSASS memory access, PsExec, and Net Crawler make credential exposure and administrator-tool abuse the main business concerns. Executives should ask whether the organization can prove it collects the logs needed to investigate credential dumping, remote execution, SMB propagation, and suspicious social-engineering preparation, rather than relying on group attribution as the control driver.
Technical view
SOC and IR teams should map coverage around the related behaviors: LSASS credential access on Windows, use or misuse of PsExec, SMB-based movement or brute-force propagation associated with Net Crawler behavior, ARP cache poisoning on local networks, and pre-compromise resource development such as social media personas, malware, and tool acquisition. Because the ATT&CK object has no official detection text and no platforms listed for the group itself, validation should be behavior-led and tied to the related software and techniques rather than the Cleaver name.
Likely telemetry
- Windows endpoint telemetry for process creation, parent-child process relationships, service creation, and command execution
- Security event logs and authentication telemetry for privileged logons, failed logons, and lateral authentication patterns
- Endpoint detections or memory-access telemetry involving LSASS access
- SMB and remote administration activity, including PsExec-like remote service execution
- Network telemetry for unusual ARP behavior or local man-in-the-middle indicators where available
Detection direction
- Validate behavior-based detections for credential dumping and suspicious access to LSASS rather than relying on static tool names alone.
- Tune PsExec detections carefully because it is also a legitimate Microsoft administrative tool; combine execution telemetry with user, host, timing, and change-management context.
- Hunt for SMB propagation patterns, repeated authentication attempts, and remote execution chains consistent with worm-like movement described for Net Crawler.
- Assess whether network monitoring can observe ARP cache poisoning in relevant segments; many environments have limited east-west Layer 2 visibility.
- Use the resource-development relationships as threat-intelligence context for social engineering readiness, not as proof of compromise inside the environment.
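As an added example (not from the ATT&CK page or from Glexia), the Python below correlates constructed Windows event records for the Net Crawler-like chain described above: a burst of failed network logons from one source host, then a successful network logon from the same source, then a PsExec-style service install on the target. The event IDs (Security 4625/4624, System 7045), the PSEXESVC service name, the thresholds and every sample value are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON, LOGON, SERVICE_INSTALLED = 4625, 4624, 7045  # Security, Security, System log
FAIL_THRESHOLD = 5              # failed network logons before the chain is interesting
WINDOW = timedelta(minutes=10)  # how close the three stages must be

def _t(s):
    return datetime.fromisoformat(s)

# Constructed sample telemetry (not real data), flattened to the fields needed here.
EVENTS = [
    # Stage 1: six failed network logons (type 3) from one source against FS01.
    *[{"ts": _t(f"2024-05-01T09:00:{i:02d}"), "id": 4625, "host": "FS01",
       "src_ip": "10.0.5.23", "logon_type": 3, "user": f"svc{i}"} for i in range(6)],
    # Stage 2: a successful network logon from the same source shortly after.
    {"ts": _t("2024-05-01T09:00:41"), "id": 4624, "host": "FS01",
     "src_ip": "10.0.5.23", "logon_type": 3, "user": "backupadmin"},
    # Stage 3: PsExec-style service install on the target.
    {"ts": _t("2024-05-01T09:00:44"), "id": 7045, "host": "FS01",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
    # Benign contrast: an administrator using PsExec with no preceding failures.
    {"ts": _t("2024-05-01T11:00:00"), "id": 4624, "host": "WS07",
     "src_ip": "10.0.1.5", "logon_type": 3, "user": "itadmin"},
    {"ts": _t("2024-05-01T11:00:03"), "id": 7045, "host": "WS07",
     "service": "PSEXESVC", "image": r"%SystemRoot%\PSEXESVC.exe"},
]

def find_worm_like_chains(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return (src_ip, host, user) for every host where at least `threshold`
    failed network logons from src_ip are followed, within `window`, by a
    successful network logon from that source and a PsExec-like service install.
    A lone PsExec service install (normal administration) is deliberately not a hit."""
    events = sorted(events, key=lambda e: e["ts"])
    fails = defaultdict(list)  # (src_ip, host) -> timestamps of failed logons
    hits = []
    for e in events:
        if e["id"] == FAILED_LOGON and e.get("logon_type") == 3:
            fails[(e["src_ip"], e["host"])].append(e["ts"])
        elif e["id"] == LOGON and e.get("logon_type") == 3:
            recent = [t for t in fails[(e["src_ip"], e["host"])] if e["ts"] - t <= window]
            if len(recent) < threshold:
                continue
            # Look ahead on the same host for a PsExec-style service install.
            svc = next((s for s in events if s["id"] == SERVICE_INSTALLED
                        and s["host"] == e["host"]
                        and e["ts"] <= s["ts"] <= e["ts"] + window
                        and "PSEXESVC" in s.get("service", "").upper()), None)
            if svc is not None:
                hits.append((e["src_ip"], e["host"], e["user"]))
    return hits

if __name__ == "__main__":
    print(find_worm_like_chains(EVENTS))  # [('10.0.5.23', 'FS01', 'backupadmin')]
```

The same source appearing in hits against several hosts is the spreading pattern worth escalating; a single benign PsExec session never reaches the failed-logon threshold and stays silent.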
Mitigation priorities
- Strengthen privileged access management and reduce standing administrative privileges on Windows systems.
- Harden credential protections around LSASS and validate that endpoint controls alert on suspicious credential access attempts.
- Restrict and monitor remote administration pathways such as PsExec-style service execution and SMB where business requirements allow.
- Apply network segmentation to reduce the blast radius of SMB-based lateral movement.
- Improve account lockout, password hygiene, and monitoring for brute-force or recovered-password use across internal systems.
Analyst notes and limits
This take is based on the supplied ATT&CK group description, aliases, references, and explicit relationships. The group object itself does not list platforms, tactics, or official detection guidance; the Windows and PRE context comes from related software and techniques. Attribution should be treated as MITRE-reported context, not as a basis for assuming current targeting or exposure.
The supplied object does not provide procedure-level details, indicators, timestamps of activity, sector targeting, impact claims, or official detections. Local telemetry, asset criticality, identity architecture, and approved administrative-tool usage are required to determine real coverage and risk.
Cleaver
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1003.001 | LSASS Memory (sub-technique) | Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor. [1] |
| Enterprise | T1557.002 | ARP Cache Poisoning (sub-technique) | Cleaver has used custom tools to facilitate ARP cache poisoning. [1] |
| Enterprise | T1588.002 | Tool (sub-technique) | Cleaver has obtained and used open-source tools such as PsExec, Windows Credential Editor, and Mimikatz. [1] |
| Enterprise | T1587.001 | Malware (sub-technique) | Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging. [1] |
| Enterprise | T1585.001 | Social Media Accounts (sub-technique) | Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections. [2] |
Groups, software, and campaigns
S0056: Net Crawler
Net Crawler is an intranet worm capable of extracting credentials using credential dumpers and spreading to systems on a network over SMB by brute forcing accounts with recovered passwords and using PsExec to execute a copy of Net Crawler. [1]
S0029: PsExec
S0004: TinyZBot
S0002: Mimikatz
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.3 | | Current bundle | 25c436a3436d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Cylance Cleaver. Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017.
[2] Dell Threat Group 2889. Dell SecureWorks. (2015, October 7). Suspected Iran-Based Hacker Group Creates Network of Fake LinkedIn Profiles. Retrieved January 14, 2016.
[3] Cleaver (alias; Citation: Cylance Cleaver)
[4] TG-2889 (alias; Citation: Dell Threat Group 2889)
[5] Threat Group 2889 (alias; Citation: Dell Threat Group 2889)
[6] mitre-attack: G0003
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.