G0077: Leafminer
Analyst context for executives and security teams
Leafminer is documented by ATT&CK as an Iranian threat group targeting government organizations and business entities in the Middle East since at least early 2017. The decision value is its related behavior pattern: credential theft, password spraying, remote email collection, discovery, local account creation, and use of publicly available tools such as Mimikatz, PsExec, LaZagne, and MailSniper. For leaders, this makes identity security, email visibility, and Windows credential protection central to resilience planning.
Executive priority
Prioritize Leafminer as a scenario for validating whether the organization can detect and respond to credential-led intrusion activity before it becomes broad mailbox access, lateral movement, or persistence. It is especially relevant for risk owners with Middle East government or business exposure, and for audit/compliance teams that need evidence of identity monitoring, privileged access controls, email access logging, and incident response readiness.
Technical view
ATT&CK provides no official detection text for Leafminer, so SOC and detection teams should pivot from the relationships. Validate coverage for Windows credential access involving LSASS memory, LSA secrets, cached domain credentials, credentials in files, browser/password stores, and open-source credential tools. Also validate detections for password spraying, remote email collection using Exchange/Office Suite activity, PsExec-style remote execution, JavaScript execution, command obfuscation, process doppelgänging, network and remote system discovery, file/directory discovery, and local account creation. Treat administrative tools carefully: PsExec and MailSniper-like behavior may be legitimate in some environments, so detection should combine tool execution, account context, host role, command line, authentication patterns, and mailbox access scope.
Likely telemetry
- Identity provider and authentication logs showing failed and successful login patterns consistent with password spraying
- Windows endpoint telemetry for process creation, command-line arguments, script execution, parent-child process relationships, and suspicious access to LSASS
- Windows security and registry-related telemetry relevant to LSA secrets, cached credentials, local account creation, and administrative logons
- Endpoint file access telemetry for credential files, browser credential stores, password stores, and unusual directory enumeration
- Email platform audit logs for Exchange, Office 365, or Google Workspace mailbox access and search activity, especially broad or automated access
Detection direction
- Because ATT&CK lists no official Leafminer detection guidance, build analytics from the related software and techniques rather than from the group description alone.
- Correlate credential access alerts with subsequent authentication, mailbox access, remote execution, or discovery activity to distinguish isolated tool execution from intrusion progression.
- Tune password spraying detection around many accounts receiving a small set of password attempts, while accounting for legitimate failed-login bursts from misconfigured services or user behavior.
- Monitor email collection by looking for unusual mailbox searches, access to many mailboxes, nonstandard client activity, or access inconsistent with the user role; baseline administrators separately.
- Treat PsExec, MailSniper, Mimikatz, and LaZagne as dual-use or publicly available tooling where applicable; reduce false positives by tying detections to unauthorized hosts, unusual users, rare command lines, and post-compromise sequencing.
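The two detection bullets on password spraying and mailbox access breadth can be expressed as simple analytics. The following is an added example written for this page; it is not code from Glexia, MITRE, or any of the referenced vendors. It runs over constructed sample events whose field names (`src`, `user`, `ok`, `actor`, `mailbox`, `role`) are a simplified assumption rather than a real SIEM or Windows event schema, and the thresholds (`min_accounts`, `max_per_account`, `ROLE_THRESHOLDS`) are illustrative starting points that must be tuned to a local baseline. It deliberately leaves a single account receiving many failures unflagged by the spray rule, and it baselines Exchange administrators separately from standard users, as the bullets above recommend.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# All telemetry below is constructed for the example; no real hosts or users.
BASE = datetime(2024, 5, 1, 2, 0, 0)


def logon(minute, src, user, ok):
    return {"ts": BASE + timedelta(minutes=minute), "src": src, "user": user, "ok": ok}


LOGON_EVENTS = (
    # Spray: one source, twelve accounts, one failure each, then a success on one of them.
    [logon(i, "10.0.5.77", f"user{i:02d}", False) for i in range(12)]
    + [logon(14, "10.0.5.77", "user07", True)]
    # Misconfigured service: one source failing repeatedly against a single stale account.
    + [logon(i, "10.0.9.3", "svc_backup", False) for i in range(40)]
    # Ordinary user error: two typos, then a successful logon.
    + [logon(5, "10.0.1.20", "alice", False), logon(6, "10.0.1.20", "alice", False),
       logon(7, "10.0.1.20", "alice", True)]
)


def detect_password_spray(events, window=timedelta(minutes=30), min_accounts=10, max_per_account=3):
    """Return {src: finding} for sources whose failed logons within `window` hit at least
    `min_accounts` distinct accounts with no more than `max_per_account` attempts on any one.
    A source hammering a single account (svc_backup above) is left to a separate
    brute-force/misconfiguration rule so it does not pollute spray alerts."""
    fails, successes = defaultdict(list), defaultdict(list)
    for e in events:
        (successes if e["ok"] else fails)[e["src"]].append(e)
    findings = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, last in enumerate(evs):
            while last["ts"] - evs[start]["ts"] > window:  # slide the window forward
                start += 1
            per_acct = defaultdict(int)
            for e in evs[start:end + 1]:
                per_acct[e["user"]] += 1
            if len(per_acct) >= min_accounts and max(per_acct.values()) <= max_per_account:
                # Correlate with a later success from the same source: a spray that landed.
                landed = sorted(s["user"] for s in successes[src]
                                if s["ts"] > last["ts"] and s["user"] in per_acct)
                findings[src] = {"accounts": len(per_acct), "first": evs[start]["ts"],
                                 "last": last["ts"], "landed": landed}
                break  # one finding per source is enough for triage
    return findings


def access(minute, actor, mailbox, role):
    return {"ts": BASE + timedelta(minutes=minute), "actor": actor, "mailbox": mailbox, "role": role}


MAILBOX_EVENTS = (
    # Exchange admin touching a few mailboxes during routine work: baselined separately.
    [access(i, "exadmin", f"user{i:02d}", "admin") for i in range(8)]
    # Standard user whose session suddenly reads six other people's mailboxes.
    + [access(20 + i, "bob", f"user{i:02d}", "user") for i in range(6)]
    # Users reading their own mail: never counted.
    + [access(30, "alice", "alice", "user"), access(31, "user03", "user03", "user")]
)

# Distinct non-own mailboxes an actor may read before alerting, per role (illustrative values).
ROLE_THRESHOLDS = {"admin": 25, "user": 2}


def detect_broad_mailbox_access(events, thresholds=ROLE_THRESHOLDS):
    """Return {actor: sorted mailboxes} for actors reading more mailboxes other than
    their own than their role baseline allows."""
    seen, roles = defaultdict(set), {}
    for e in events:
        roles[e["actor"]] = e["role"]
        if e["mailbox"] != e["actor"]:
            seen[e["actor"]].add(e["mailbox"])
    return {a: sorted(m) for a, m in seen.items() if len(m) > thresholds[roles[a]]}


if __name__ == "__main__":
    for src, f in detect_password_spray(LOGON_EVENTS).items():
        print(f"spray from {src}: {f['accounts']} accounts, landed on {f['landed'] or 'none'}")
    for actor, boxes in detect_broad_mailbox_access(MAILBOX_EVENTS).items():
        print(f"broad mailbox access by {actor}: {len(boxes)} mailboxes")
```

With the sample data, only `10.0.5.77` is reported as a spray (and as one that landed on `user07`), the `svc_backup` failure storm and Alice's typos are ignored, and only `bob` is reported for mailbox breadth while the administrator stays under the admin baseline. In production the same shape applies to Windows 4625/4624 events keyed by source address or workstation name and to mailbox audit records keyed by the accessing identity; the window and thresholds are the tuning knobs.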
Mitigation priorities
- Start with identity controls: enforce strong authentication, monitor password spraying, reduce password reuse, and review exposure of externally accessible authentication surfaces.
- Harden credential storage and privileged access: limit administrative rights, reduce insecure credentials in files or password stores, and validate controls around LSASS and local security material.
- Strengthen email security operations: enable mailbox audit logging, restrict administrative mailbox search capability, and review access patterns for Exchange or cloud email services.
- Control and monitor administrative tools such as PsExec and similar remote execution utilities; allow them only where operationally required and with accountable administrative use.
- Improve endpoint and network visibility for discovery, local account creation, script execution, and suspicious process behavior before relying on any single signature or tool name.
Analyst notes and limits
This take is based on the ATT&CK group object for Leafminer, its aliases Leafminer and Raspite, external references from Symantec and Dragos, and the supplied ATT&CK relationships. The strongest practical theme is credential-centric intrusion activity with email collection and discovery, supported by relationships to credential dumping, password spraying, MailSniper, Mimikatz, LaZagne, PsExec, and related techniques.
The Leafminer object does not specify platforms or tactics directly and provides no official detection text. Platform and tactic guidance in this take comes from the supplied related software and techniques, not from a direct group-level platform declaration. Local environment baselines, authorized admin-tool usage, identity architecture, and email platform logging are required to determine actual exposure or coverage.
Leafminer
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Leafminer obfuscated scripts that were used on victim machines. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1588.002 | Tool Sub-technique | Leafminer has obtained and used tools such as LaZagne, Mimikatz, PsExec, and MailSniper. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1555 | Credentials from Password Stores | Leafminer used several tools for retrieving login and password information, including LaZagne. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1046 | Network Service Discovery | Leafminer scanned network services to search for vulnerabilities in the victim system. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1003.005 | Cached Domain Credentials Sub-technique | Leafminer used several tools for retrieving login and password information, including LaZagne. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1555.003 | Credentials from Web Browsers Sub-technique | Leafminer used several tools for retrieving login and password information, including LaZagne. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | Leafminer used several tools for retrieving login and password information, including LaZagne. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1003.004 | LSA Secrets Sub-technique | Leafminer used several tools for retrieving login and password information, including LaZagne. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1055.013 | Process Doppelgänging Sub-technique | Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1189 | Drive-by Compromise | Leafminer has infected victims using watering holes. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1018 | Remote System Discovery | Leafminer used Microsoft’s Sysinternals tools to gather detailed information about remote systems. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1110.003 | Password Spraying Sub-technique | Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1136.001 | Local Account Sub-technique | Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1059.007 | JavaScript Sub-technique | Leafminer infected victims using JavaScript code. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1114.002 | Remote Email Collection Sub-technique | Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords. (Citation: Symantec Leafminer July 2018) |
| Enterprise | T1083 | File and Directory Discovery | Leafminer used a tool called MailSniper to search for files on the desktop and another utility called Sobolsoft to extract attachments from EML files. (Citation: Symantec Leafminer July 2018) |
Groups, software, and campaigns
S0349: LaZagne
S0002: Mimikatz
S0413: MailSniper
MailSniper is a penetration testing tool for searching through email in a Microsoft Exchange environment for specific terms (passwords, insider intel, network architecture information, etc.). It can be used by a non-administrative user to search their own email, or by an Exchange administrator to search the mailboxes of every user in a domain.[1]
S0029: PsExec
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.4 | | Current bundle | 5fe929e5be0d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Symantec Leafminer July 2018: Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018.
[2] Dragos Raspite Aug 2018: Dragos, Inc. (2018, August 2). RASPITE. Retrieved November 26, 2018.
[3] Leafminer (Citation: Symantec Leafminer July 2018)
[4] Raspite (Citation: Dragos Raspite Aug 2018)
[5] mitre-attack G0077
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.