CINXE.COM

LAPSUS$, DEV-0537, Strawberry Tempest, Group G1004 | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v15/theme/favicon.ico" type='image/x-icon'> <title>LAPSUS$, DEV-0537, Strawberry Tempest, Group G1004 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v15/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v15/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v15/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v15/"><img src="/versions/v15/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v15/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v15/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v15/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v15/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/groups">Groups</a> <a class="dropdown-item" href="/versions/v15/software">Software</a> <a class="dropdown-item" href="/versions/v15/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v15/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v15/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v15/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v15/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v15/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v15/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v15/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/groups/">Groups</a></li> <li class="breadcrumb-item">LAPSUS$</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> LAPSUS$ </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> is cyber criminal threat group that has been active since at least mid-2021. <a href="/versions/v15/groups/G1004">LAPSUS$</a> specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022."data-reference="BBC LAPSUS Apr 2022"><sup><a href="https://www.bbc.com/news/technology-60953527" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022."data-reference="UNIT 42 LAPSUS Mar 2022"><sup><a href="https://unit42.paloaltonetworks.com/lapsus-group/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>G1004 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a group entry and may refer to the same or similar group in threat intelligence reporting">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Groups</span>: DEV-0537, Strawberry Tempest </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: David Hughes, BT Security; Matt Brenton, Zurich Insurance Group; Flavio Costa, Cisco; Caio Silva </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 2.0 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>09 June 2022 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>11 January 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G1004" href="/versions/v15/groups/G1004/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G1004" href="/groups/G1004/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="aliasDescription">Associated Group Descriptions</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> DEV-0537 </td> <td> <p><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> Strawberry Tempest </td> <td> <p><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023."data-reference="Microsoft Threat Actor Naming July 2023"><sup><a href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v15/groups/G1004/G1004-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v15/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v15/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G1004/G1004-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1531">T1531</a> </td> <td> <a href="/versions/v15/techniques/T1531">Account Access Removal</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has removed a targeted organization's global admin accounts to lock the organization out of all access.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v15/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1087">Account Discovery</a>: <a href="/versions/v15/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used the AD Explorer tool to enumerate users on a victim's network.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v15/techniques/T1098/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1098">Account Manipulation</a>: <a href="/versions/v15/techniques/T1098/003">Additional Cloud Roles</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has added the global admin role to accounts they have created in the targeted organization's cloud instances.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1583">T1583</a> </td> <td> <a href="/versions/v15/techniques/T1583/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1583">Acquire Infrastructure</a>: <a href="/versions/v15/techniques/T1583/003">Virtual Private Server</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used VPS hosting providers for infrastructure.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1586">T1586</a> </td> <td> <a href="/versions/v15/techniques/T1586/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1586">Compromise Accounts</a>: <a href="/versions/v15/techniques/T1586/002">Email Accounts</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has payed employees, suppliers, and business partners of target organizations for credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1584">T1584</a> </td> <td> <a href="/versions/v15/techniques/T1584/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1584">Compromise Infrastructure</a>: <a href="/versions/v15/techniques/T1584/002">DNS Server</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has reconfigured a victim's DNS records to actor-controlled domains and websites.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1136">T1136</a> </td> <td> <a href="/versions/v15/techniques/T1136/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1136">Create Account</a>: <a href="/versions/v15/techniques/T1136/003">Cloud Account</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has created global admin accounts in the targeted organization's cloud instances to gain persistence.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1555">T1555</a> </td> <td> <a href="/versions/v15/techniques/T1555/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/003">Credentials from Web Browsers</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has obtained passwords and session tokens with the use of the Redline password stealer.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1555/005">.005</a> </td> <td> <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/005">Password Managers</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has accessed local password managers and databases to obtain further credentials from a compromised network.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1485">T1485</a> </td> <td> <a href="/versions/v15/techniques/T1485">Data Destruction</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has deleted the target's systems and resources both on-premises and in the cloud.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1213">T1213</a> </td> <td> <a href="/versions/v15/techniques/T1213">Data from Information Repositories</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has searched a victim's network for organization collaboration channels like MS Teams or Slack to discover further high-privilege account credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1213/001">Confluence</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has searched a victim's network for collaboration platforms like Confluence and JIRA to discover further high-privilege account credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1213/002">Sharepoint</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has searched a victim's network for collaboration platforms like SharePoint to discover further high-privilege account credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1213/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1213/003">Code Repositories</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has searched a victim's network for code repositories like GitLab and GitHub to discover further high-privilege account credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1005">T1005</a> </td> <td> <a href="/versions/v15/techniques/T1005">Data from Local System</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> uploaded sensitive files, information, and credentials from a targeted organization for extortion or public release.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1114">T1114</a> </td> <td> <a href="/versions/v15/techniques/T1114/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1114">Email Collection</a>: <a href="/versions/v15/techniques/T1114/003">Email Forwarding Rule</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has set an Office 365 tenant level mail transport rule to send all mail in and out of the targeted organization to the newly created account.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1068">T1068</a> </td> <td> <a href="/versions/v15/techniques/T1068">Exploitation for Privilege Escalation</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has exploited unpatched vulnerabilities on internally accessible servers including JIRA, GitLab, and Confluence for privilege escalation.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1133">T1133</a> </td> <td> <a href="/versions/v15/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gained access to internet-facing systems and applications, including virtual private network (VPN), remote desktop protocol (RDP), and virtual desktop infrastructure (VDI) including Citrix. <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1589">T1589</a> </td> <td> <a href="/versions/v15/techniques/T1589">Gather Victim Identity Information</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gathered detailed information of target employees to enhance their social engineering lures.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1589/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1589/001">Credentials</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gathered user identities and credentials to gain initial access to a victim's organization; the group has also called an organization's help desk to reset a target's credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1589/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1589/002">Email Addresses</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gathered employee email addresses, including personal accounts, for social engineering and initial access efforts.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1591">T1591</a> </td> <td> <a href="/versions/v15/techniques/T1591/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1591">Gather Victim Org Information</a>: <a href="/versions/v15/techniques/T1591/002">Business Relationships</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gathered detailed knowledge of an organization's supply chain relationships.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1591/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1591">Gather Victim Org Information</a>: <a href="/versions/v15/techniques/T1591/004">Identify Roles</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has gathered detailed knowledge of team structures within a target organization.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1656">T1656</a> </td> <td> <a href="/versions/v15/techniques/T1656">Impersonation</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has called victims' help desk and impersonated legitimate users with previously gathered information in order to gain access to privileged accounts.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1578">T1578</a> </td> <td> <a href="/versions/v15/techniques/T1578/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1578">Modify Cloud Compute Infrastructure</a>: <a href="/versions/v15/techniques/T1578/002">Create Cloud Instance</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has created new virtual machines within the target's cloud environment after leveraging credential access to cloud assets.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1578/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1578">Modify Cloud Compute Infrastructure</a>: <a href="/versions/v15/techniques/T1578/003">Delete Cloud Instance</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has deleted the target's systems and resources in the cloud to trigger the organization's incident and crisis response process.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1111">T1111</a> </td> <td> <a href="/versions/v15/techniques/T1111">Multi-Factor Authentication Interception</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has replayed stolen session token and passwords to trigger simple-approval MFA prompts in hope of the legitimate user will grant necessary approval.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1621">T1621</a> </td> <td> <a href="/versions/v15/techniques/T1621">Multi-Factor Authentication Request Generation</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has spammed target users with MFA prompts in the hope that the legitimate user will grant necessary approval.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1588">T1588</a> </td> <td> <a href="/versions/v15/techniques/T1588/001">.001</a> </td> <td> <a href="/versions/v15/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v15/techniques/T1588/001">Malware</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> acquired and used the Redline password stealer in their operations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1588/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1588">Obtain Capabilities</a>: <a href="/versions/v15/techniques/T1588/002">Tool</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has obtained tools such as RVTools and AD Explorer for their operations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1003">T1003</a> </td> <td> <a href="/versions/v15/techniques/T1003/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/003">NTDS</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used Windows built-in tool <code>ntdsutil</code> to extract the Active Directory (AD) database.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1003/006">.006</a> </td> <td> <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/006">DCSync</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used DCSync attacks to gather credentials for privilege escalation routines.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1069">T1069</a> </td> <td> <a href="/versions/v15/techniques/T1069/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v15/techniques/T1069/002">Domain Groups</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used the AD Explorer tool to enumerate groups on a victim's network.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1598">T1598</a> </td> <td> <a href="/versions/v15/techniques/T1598/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1598">Phishing for Information</a>: <a href="/versions/v15/techniques/T1598/004">Spearphishing Voice</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has called victims' help desk to convince the support personnel to reset a privileged account鈥檚 credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1090">T1090</a> </td> <td> <a href="/versions/v15/techniques/T1090">Proxy</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has leverage NordVPN for its egress points when targeting intended victims.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1597">T1597</a> </td> <td> <a href="/versions/v15/techniques/T1597/002">.002</a> </td> <td> <a href="/versions/v15/techniques/T1597">Search Closed Sources</a>: <a href="/versions/v15/techniques/T1597/002">Purchase Technical Data</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has purchased credentials and session tokens from criminal underground forums.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1593">T1593</a> </td> <td> <a href="/versions/v15/techniques/T1593/003">.003</a> </td> <td> <a href="/versions/v15/techniques/T1593">Search Open Websites/Domains</a>: <a href="/versions/v15/techniques/T1593/003">Code Repositories</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has searched public code repositories for exposed credentials.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1489">T1489</a> </td> <td> <a href="/versions/v15/techniques/T1489">Service Stop</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has shut down virtual machines from within a victim's on-premise VMware ESXi infrastructure.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1199">T1199</a> </td> <td> <a href="/versions/v15/techniques/T1199">Trusted Relationship</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has accessed internet-facing identity providers such as Azure Active Directory and Okta to target specific organizations.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v15/techniques/T1552">T1552</a> </td> <td> <a href="/versions/v15/techniques/T1552/008">.008</a> </td> <td> <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v15/techniques/T1552/008">Chat Messages</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has targeted various collaboration tools like Slack, Teams, JIRA, Confluence, and others to hunt for exposed credentials to support privilege escalation and lateral movement.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1204">T1204</a> </td> <td> <a href="/versions/v15/techniques/T1204">User Execution</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has recruited target organization employees or contractors who provide credentials and approve an associated MFA prompt, or install remote management software onto a corporate workstation, allowing <a href="/versions/v15/groups/G1004">LAPSUS$</a> to take control of an authenticated system.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v15/techniques/T1078">T1078</a> </td> <td> <a href="/versions/v15/techniques/T1078">Valid Accounts</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used compromised credentials and/or session tokens to gain access into a victim's VPN, VDI, RDP, and IAMs.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022."data-reference="NCC Group LAPSUS Apr 2022"><sup><a href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v15/techniques/T1078/004">.004</a> </td> <td> <a href="/versions/v15/techniques/T1078/004">Cloud Accounts</a> </td> <td> <p><a href="/versions/v15/groups/G1004">LAPSUS$</a> has used compromised credentials to access cloud assets within a target organization.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/software/S0002">S0002</a> </td> <td> <a href="/versions/v15/software/S0002">Mimikatz</a> </td> <td> <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022."data-reference="MSTIC DEV-0537 Mar 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> </td> <td> <a href="/versions/v15/techniques/T1134">Access Token Manipulation</a>: <a href="/versions/v15/techniques/T1134/005">SID-History Injection</a>, <a href="/versions/v15/techniques/T1098">Account Manipulation</a>, <a href="/versions/v15/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/versions/v15/techniques/T1547/005">Security Support Provider</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/versions/v15/techniques/T1555">Credentials from Password Stores</a>: <a href="/versions/v15/techniques/T1555/004">Windows Credential Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/006">DCSync</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/002">Security Account Manager</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/001">LSASS Memory</a>, <a href="/versions/v15/techniques/T1003">OS Credential Dumping</a>: <a href="/versions/v15/techniques/T1003/004">LSA Secrets</a>, <a href="/versions/v15/techniques/T1207">Rogue Domain Controller</a>, <a href="/versions/v15/techniques/T1649">Steal or Forge Authentication Certificates</a>, <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v15/techniques/T1558/001">Golden Ticket</a>, <a href="/versions/v15/techniques/T1558">Steal or Forge Kerberos Tickets</a>: <a href="/versions/v15/techniques/T1558/002">Silver Ticket</a>, <a href="/versions/v15/techniques/T1552">Unsecured Credentials</a>: <a href="/versions/v15/techniques/T1552/004">Private Keys</a>, <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v15/techniques/T1550/002">Pass the Hash</a>, <a href="/versions/v15/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/versions/v15/techniques/T1550/003">Pass the Ticket</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.bbc.com/news/technology-60953527" target="_blank"> BBC. (2022, April 1). LAPSUS: Two UK Teenagers Charged with Hacking for Gang. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.microsoft.com/security/blog/2022/03/22/dev-0537-criminal-actor-targeting-organizations-for-data-exfiltration-and-destruction/" target="_blank"> MSTIC, DART, M365 Defender. (2022, March 24). DEV-0537 Criminal Actor Targeting Organizations for Data Exfiltration and Destruction. Retrieved May 17, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://unit42.paloaltonetworks.com/lapsus-group/" target="_blank"> UNIT 42. (2022, March 24). Threat Brief: Lapsus$ Group. Retrieved May 17, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="4.0"> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide" target="_blank"> Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://research.nccgroup.com/2022/04/28/lapsus-recent-techniques-tactics-and-procedures/" target="_blank"> Brown, D., et al. (2022, April 28). LAPSUS$: Recent techniques, tactics and procedures. Retrieved December 22, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v15/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v15/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v15/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v15.1&#013;Website v4.1.6">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v15/theme/scripts/popper.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v15/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v15/theme/scripts/site.js?8431"></script> <script src="/versions/v15/theme/scripts/settings.js?7646"></script> <script src="/versions/v15/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v15/theme/scripts/sidebar-load-all.js"></script> <script src="/versions/v15/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v15/theme/scripts/settings.js"></script> <script src="/versions/v15/theme/scripts/tour/tour-relationships.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10