LAPSUS$
Associated Group Descriptions |
|
Name | Description |
---|---|
Strawberry Tempest | (Citation: Microsoft Threat Actor Naming July 2023) |
DEV-0537 | (Citation: MSTIC DEV-0537 Mar 2022) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
LAPSUS$ has used the AD Explorer tool to enumerate users on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
Enterprise | T1098 | .003 | Account Manipulation: Additional Cloud Roles |
LAPSUS$ has added the global admin role to accounts they have created in the targeted organization's cloud instances.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1583 | .003 | Acquire Infrastructure: Virtual Private Server |
LAPSUS$ has used VPS hosting providers for infrastructure.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1586 | .002 | Compromise Accounts: Email Accounts |
LAPSUS$ has payed employees, suppliers, and business partners of target organizations for credentials.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
Enterprise | T1584 | .002 | Compromise Infrastructure: DNS Server |
LAPSUS$ has reconfigured a victim's DNS records to actor-controlled domains and websites.(Citation: NCC Group LAPSUS Apr 2022) |
Enterprise | T1136 | .003 | Create Account: Cloud Account |
LAPSUS$ has created global admin accounts in the targeted organization's cloud instances to gain persistence.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1555 | .003 | Credentials from Password Stores: Credentials from Web Browsers |
LAPSUS$ has obtained passwords and session tokens with the use of the Redline password stealer.(Citation: MSTIC DEV-0537 Mar 2022) |
.005 | Credentials from Password Stores: Password Managers |
LAPSUS$ has accessed local password managers and databases to obtain further credentials from a compromised network.(Citation: NCC Group LAPSUS Apr 2022) |
||
Enterprise | T1213 | .001 | Data from Information Repositories: Confluence |
LAPSUS$ has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022) |
.002 | Data from Information Repositories: Sharepoint |
LAPSUS$ has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
||
.003 | Data from Information Repositories: Code Repositories |
LAPSUS$ has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
||
.005 | Data from Information Repositories: Messaging Applications |
LAPSUS$ has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.(Citation: MSTIC DEV-0537 Mar 2022) |
||
Enterprise | T1114 | .003 | Email Collection: Email Forwarding Rule |
LAPSUS$ has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1589 | .001 | Gather Victim Identity Information: Credentials |
LAPSUS$ has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
.002 | Gather Victim Identity Information: Email Addresses |
LAPSUS$ has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.(Citation: MSTIC DEV-0537 Mar 2022) |
||
Enterprise | T1591 | .002 | Gather Victim Org Information: Business Relationships |
LAPSUS$ has gathered detailed knowledge of an organization's supply chain relationships.(Citation: MSTIC DEV-0537 Mar 2022) |
.004 | Gather Victim Org Information: Identify Roles |
LAPSUS$ has gathered detailed knowledge of team structures within a target organization.(Citation: MSTIC DEV-0537 Mar 2022) |
||
Enterprise | T1578 | .002 | Modify Cloud Compute Infrastructure: Create Cloud Instance |
LAPSUS$ has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.(Citation: MSTIC DEV-0537 Mar 2022) |
.003 | Modify Cloud Compute Infrastructure: Delete Cloud Instance |
LAPSUS$ has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.(Citation: MSTIC DEV-0537 Mar 2022) |
||
Enterprise | T1003 | .003 | OS Credential Dumping: NTDS |
LAPSUS$ has used Windows built-in tool `ntdsutil` to extract the Active Directory (AD) database.(Citation: MSTIC DEV-0537 Mar 2022) |
.006 | OS Credential Dumping: DCSync |
LAPSUS$ has used DCSync attacks to gather credentials for privilege escalation routines.(Citation: MSTIC DEV-0537 Mar 2022) |
||
Enterprise | T1588 | .001 | Obtain Capabilities: Malware |
LAPSUS$ acquired and used the Redline password stealer in their operations.(Citation: MSTIC DEV-0537 Mar 2022) |
.002 | Obtain Capabilities: Tool |
LAPSUS$ has obtained tools such as RVTools and AD Explorer for their operations.(Citation: MSTIC DEV-0537 Mar 2022)(Citation: NCC Group LAPSUS Apr 2022) |
||
Enterprise | T1069 | .002 | Permission Groups Discovery: Domain Groups |
LAPSUS$ has used the AD Explorer tool to enumerate groups on a victim's network.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1598 | .004 | Phishing for Information: Spearphishing Voice |
LAPSUS$ has called victims' help desk to convince the support personnel to reset a privileged account’s credentials.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1597 | .002 | Search Closed Sources: Purchase Technical Data |
LAPSUS$ has purchased credentials and session tokens from criminal underground forums.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1593 | .003 | Search Open Websites/Domains: Code Repositories |
LAPSUS$ has searched public code repositories for exposed credentials.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1552 | .008 | Unsecured Credentials: Chat Messages |
LAPSUS$ has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.(Citation: MSTIC DEV-0537 Mar 2022) |
Enterprise | T1078 | .004 | Valid Accounts: Cloud Accounts |
LAPSUS$ has used compromised credentials to access cloud assets within a target organization.(Citation: MSTIC DEV-0537 Mar 2022) |
Software |
|||
ID | Name | References | Techniques |
---|---|---|---|
S0002 | Mimikatz | (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: MSTIC DEV-0537 Mar 2022) | DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets |
References
- MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022.
- Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022.
- BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022.
- Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022.
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.