Leviathan Australian Intrusions
[Leviathan Australian Intrusions](https://attack.mitre.org/campaigns/C0049) consisted of at least two long-term intrusions against victims in Australia by [Leviathan](https://attack.mitre.org/groups/G0065), relying on similar tradecraft such as external service exploitation followed by extensive credential capture and re-use to enable privilege escalation and lateral movement. [Leviathan Australian Intrusions](https://attack.mitre.org/campaigns/C0049) were focused on exfiltrating sensitive data including valid credentials for the victim organizations.(Citation: CISA Leviathan 2024)
Start date: 1 April 2022
End date: 1 September 2022
Techniques: 26
Attributed actors
Techniques (26)
collection (3)
T1056 Input Capture
T1213.006 Databases
T1074.001 Local Data Staging
credential-access (7)
T1558.003 Kerberoasting
T1552.001 Credentials In Files
T1056 Input Capture
T1111 Multi-Factor Authentication Interception
T1212 Exploitation for Credential Access
T1552 Unsecured Credentials
T1528 Steal Application Access Token
defense-impairment (1)
T1686 Disable or Modify System Firewall
discovery (5)
T1018 Remote System Discovery
T1135 Network Share Discovery
T1482 Domain Trust Discovery
T1082 System Information Discovery
T1615 Group Policy Discovery
exfiltration (1)
T1041 Exfiltration Over C2 Channel
initial-access (4)
T1078 Valid Accounts
T1078.002 Domain Accounts
T1190 Exploit Public-Facing Application
T1078.003 Local Accounts
lateral-movement (2)
T1021.002 SMB/Windows Admin Shares
T1021.004 SSH
persistence (4)
T1078 Valid Accounts
T1505.003 Web Shell
T1078.002 Domain Accounts
T1078.003 Local Accounts
privilege-escalation (4)
T1078 Valid Accounts
T1078.002 Domain Accounts
T1068 Exploitation for Privilege Escalation
T1078.003 Local Accounts
reconnaissance (1)
T1594 Search Victim-Owned Websites
resource-development (1)
T1588.006 Vulnerabilities
stealth (3)
T1078 Valid Accounts
T1078.002 Domain Accounts
T1078.003 Local Accounts
Indicators of compromise
No IOCs linked to this campaign yet.