G1004 · 43 ATT&CK techniques · 0 correlated reports

LAPSUS$

Aliases: DEV-0537, Strawberry Tempest

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.

Open interactive actor investigation

ATT&CK techniques

T1589
Gather Victim Identity Information T1005
Data from Local System T1069.002
Domain Groups T1213.001
Confluence T1588.002
Tool T1485
Data Destruction T1213.003
Code Repositories T1213.002
Sharepoint T1583.003
Virtual Private Server T1591.004
Identify Roles T1090
Proxy T1087.002
Domain Account T1133
External Remote Services T1078
Valid Accounts T1656
Impersonation T1588.001
Malware T1598.004
Spearphishing Voice T1204
User Execution T1552.008
Chat Messages T1489
Service Stop T1593.003
Code Repositories T1136.003
Cloud Account T1114.003
Email Forwarding Rule T1591.002
Business Relationships T1578.003
Delete Cloud Instance T1555.003
Credentials from Web Browsers T1531
Account Access Removal T1589.001
Credentials T1068
Exploitation for Privilege Escalation T1621
Multi-Factor Authentication Request Generation T1098.003
Additional Cloud Roles T1003.006
DCSync T1586.002
Email Accounts T1213.005
Messaging Applications T1589.002
Email Addresses T1584.002
DNS Server T1003.003
NTDS T1555.005
Password Managers T1199
Trusted Relationship T1597.002
Purchase Technical Data T1578.002
Create Cloud Instance T1078.004
Cloud Accounts T1111
Multi-Factor Authentication Interception

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research