LAPSUS$
LAPSUS$, DEV-0537, Strawberry Tempest
[LAPSUS$](https://attack.mitre.org/groups/G1004) is a cyber criminal threat group that has been active since at least mid-2021. [LAPSUS$](https://attack.mitre.org/groups/G1004) specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors. (Citation: BBC LAPSUS Apr 2022) (Citation: MSTIC DEV-0537 Mar 2022) (Citation: UNIT 42 LAPSUS Mar 2022)
Techniques: 43 | Covered: 34 | Gaps: 9 | Coverage: 79% (34/43)
COVERED (34)
| Technique ID | Name | Detections |
|---|---|---|
| T1003.003 | NTDS | 34 |
| T1003.006 | DCSync | 14 |
| T1005 | Data from Local System | 46 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1069.002 | Domain Groups | 42 |
| T1078 | Valid Accounts | 252 |
| T1078.004 | Cloud Accounts | 149 |
| T1087.002 | Domain Account | 55 |
| T1090 | Proxy | 44 |
| T1098.003 | Additional Cloud Roles | 53 |
| T1111 | Multi-Factor Authentication Interception | 1 |
| T1114.003 | Email Forwarding Rule | 10 |
| T1133 | External Remote Services | 72 |
| T1136.003 | Cloud Account | 30 |
| T1199 | Trusted Relationship | 6 |
| T1204 | User Execution | 84 |
| T1213.002 | Sharepoint | 4 |
| T1213.003 | Code Repositories | 9 |
| T1485 | Data Destruction | 90 |
| T1489 | Service Stop | 54 |
| T1531 | Account Access Removal | 27 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1555.005 | Password Managers | 4 |
| T1578.002 | Create Cloud Instance | 2 |
| T1578.003 | Delete Cloud Instance | 1 |
| T1588.001 | Malware | 2 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1589.001 | Credentials | 2 |
| T1589.002 | Email Addresses | 2 |
| T1591.004 | Identify Roles | 2 |
| T1593.003 | Code Repositories | 2 |
| T1621 | Multi-Factor Authentication Request Generation | 23 |
| T1656 | Impersonation | 172 |