Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

LAPSUS$

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)
ID: G1004
Associated Groups: DEV-0537
Version: 1.0
Created: 09 Jun 2022
Last Modified: 12 Oct 2022

Associated Group Descriptions

Name Description
DEV-0537 (Citation: MSTIC DEV-0537 Mar 2022)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1098 .003 Account Manipulation: Additional Cloud Roles

LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1583 .003 Acquire Infrastructure: Virtual Private Server

LAPSUS$ has used VPS hosting providers for infrastructure.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1136 .003 Create Account: Cloud Account

LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1555 .003 Credentials from Password Stores: Credentials from Web Browsers

LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1213 .001 Data from Information Repositories: Confluence

LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)

.002 Data from Information Repositories: Sharepoint

LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)

.003 Data from Information Repositories: Code Repositories

LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1114 .003 Email Collection: Email Forwarding Rule

LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1589 .001 Gather Victim Identity Information: Credentials

LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.(Citation: MSTIC DEV-0537 Mar 2022)

.002 Gather Victim Identity Information: Email Addresses

LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1591 .002 Gather Victim Org Information: Business Relationships

LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.(Citation: MSTIC DEV-0537 Mar 2022)

.004 Gather Victim Org Information: Identify Roles

LAPSUS$ has gathered detailed knowledge of team structures within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.(Citation: MSTIC DEV-0537 Mar 2022)

.003 Modify Cloud Compute Infrastructure: Delete Cloud Instance

LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1003 .003 OS Credential Dumping: NTDS

LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.(Citation: MSTIC DEV-0537 Mar 2022)

.006 OS Credential Dumping: DCSync

LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1588 .001 Obtain Capabilities: Malware

LAPSUS$ acquired and used the Redline password stealer in their operations.(Citation: MSTIC DEV-0537 Mar 2022)

.002 Obtain Capabilities: Tool

LAPSUS$ has obtained tools such as AD Explorer inspection software for their operations.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1069 .002 Permission Groups Discovery: Domain Groups

LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1597 .002 Search Closed Sources: Purchase Technical Data

LAPSUS$ has purchased credentials and session tokens from criminal underground forums.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1593 .003 Search Open Websites/Domains: Code Repositories

LAPSUS$ has searched public code repositories for exposed credentials.(Citation: MSTIC DEV-0537 Mar 2022)

Enterprise T1078 .004 Valid Accounts: Cloud Accounts

LAPSUS$ has used compromised credentials to access cloud assets within a target organization.(Citation: MSTIC DEV-0537 Mar 2022)