Analytics Story: Scattered Lapsus$ Hunters

Description

Scattered Lapsus$ Hunters is a collaboration of three sophisticated threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for devastating supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety following their September 2025 attack on Jaguar Land Rover, causing three weeks of production shutdown and £50M+ weekly losses.

Why it matters

Scattered Lapsus$ Hunters represents a dangerous collaboration between Scattered Spider (UNC3944), Lapsus$, and Shiny Hunters - three threat actor groups that combine sophisticated social engineering expertise with advanced technical capabilities. Their September 2025 cyberattack on Jaguar Land Rover demonstrated the catastrophic potential of targeting critical supply chain infrastructure, resulting in a three-week production shutdown, tens of millions in weekly losses, and thousands of jobs at risk across the automotive supply chain.

The group's attack methodology begins with sophisticated initial access through voice phishing (vishing), SMS phishing (smishing), and SIM swapping to compromise credentials and bypass multi-factor authentication. They employ advanced MFA bypass techniques including MFA fatigue attacks through repeated push notifications, SIM swapping to intercept SMS codes, and adversary-in-the-middle attacks on authentication flows. Once inside a network, they leverage legitimate remote management tools (AnyDesk, TeamViewer, ScreenConnect) to maintain persistence and evade detection, following a living-off-the-land approach that minimizes custom malware.

For credential access, the group employs tools like Mimikatz for credential dumping, targets LSASS memory, extracts browser-stored credentials, and steals OAuth tokens and session cookies. They excel at lateral movement using RDP, Pass-the-Hash and Pass-the-Ticket techniques, and internal spearphishing. The group demonstrates deep understanding of cloud environments, targeting Azure AD, AWS, GCP, and O365 with techniques to disable MFA, create privileged accounts, assign administrative roles to service principals, and modify authentication policies. Data exfiltration occurs through cloud storage services (MEGA, Google Drive), file sharing platforms, and custom exfiltration channels.

The impact phase includes stopping critical services, deploying ransomware, system shutdowns to maximize disruption, and data destruction. Previous notable attacks attributed to the constituent groups include Lapsus$ breaches of Microsoft, Nvidia, Okta, Samsung, and Ubisoft (2022), and Scattered Spider attacks on MGM Resorts and Caesars Entertainment (2023). The group targets telecommunications, retail, technology, manufacturing, and critical infrastructure sectors.

Organizations should implement phishing-resistant MFA (FIDO2/WebAuthn), monitor RMM tool deployment, enable comprehensive logging, deploy EDR solutions, train employees on advanced social engineering tactics, segment critical production systems, and maintain offline backups of critical data. The detections in this analytic story cover the full attack lifecycle including MFA manipulation, unauthorized remote access software, credential theft, session hijacking, privilege escalation, defense evasion, data exfiltration, and production system disruption.
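As an added example (not part of this analytic story or of the Splunk content it comes from), the sliding-window logic behind an "MFA fatigue" detection like the Okta one listed below, run over constructed events in the shape of Okta System Log JSON: the field names and the user.authentication.auth_via_mfa event type follow Okta's schema, while the accounts, timestamps, addresses and the threshold/window values are assumptions.

```python
"""Flag accounts that receive a burst of failed/denied MFA verifications in a short
window (push fatigue), and mark the worst case: a SUCCESS right after the burst,
i.e. the victim finally tapped Approve. Sample events below are constructed."""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                 # assumed: failed MFA verifications per user ...
WINDOW = timedelta(minutes=5)  # ... within this window trigger an alert
MFA_EVENT = "user.authentication.auth_via_mfa"   # Okta System Log eventType


def _ev(minute, second, user, result, ip, etype=MFA_EVENT):
    # Constructed sample event carrying only the Okta System Log fields used here.
    return json.dumps({
        "published": f"2025-09-01T10:{minute:02d}:{second:02d}.000Z",
        "eventType": etype,
        "actor": {"alternateId": user},
        "outcome": {"result": result},
        "client": {"ipAddress": ip},
    })


SAMPLE_LOG = [                                              # constructed data
    _ev(0, 5, "alice@example.com", "FAILURE", "203.0.113.7"),
    _ev(0, 40, "alice@example.com", "FAILURE", "203.0.113.7"),
    _ev(1, 10, "bob@example.com", "FAILURE", "198.51.100.2"),
    _ev(1, 30, "alice@example.com", "FAILURE", "203.0.113.7"),
    _ev(2, 5, "alice@example.com", "FAILURE", "203.0.113.7"),
    _ev(2, 50, "alice@example.com", "FAILURE", "203.0.113.9"),
    _ev(3, 20, "alice@example.com", "SUCCESS", "203.0.113.9"),  # approved after burst
    _ev(9, 0, "bob@example.com", "FAILURE", "198.51.100.2"),    # 2 failures, 8 min apart
    _ev(4, 0, "carol@example.com", "SUCCESS", "192.0.2.10", "user.session.start"),
]


def parse_event(line):
    e = json.loads(line)
    return {"ts": datetime.fromisoformat(e["published"].replace("Z", "+00:00")),
            "user": e["actor"]["alternateId"], "type": e["eventType"],
            "result": e["outcome"]["result"], "ip": e["client"]["ipAddress"]}


def detect_mfa_fatigue(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {user: summary} for every user whose FAILURE count reached
    `threshold` inside any `window`; `accepted` is set when a SUCCESS follows."""
    recent = defaultdict(deque)   # user -> FAILURE events still inside the window
    hits = {}
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        if ev["type"] != MFA_EVENT:
            continue                      # other event types are not MFA verifications
        q = recent[ev["user"]]
        if ev["result"] == "FAILURE":
            q.append(ev)
            while ev["ts"] - q[0]["ts"] > window:   # drop events older than the window
                q.popleft()
            if len(q) >= threshold:
                hits[ev["user"]] = {"count": len(q), "first": q[0]["ts"], "last": ev["ts"],
                                    "src_ips": sorted({x["ip"] for x in q}), "accepted": False}
        elif ev["result"] == "SUCCESS" and ev["user"] in hits \
                and ev["ts"] - hits[ev["user"]]["last"] <= window:
            hits[ev["user"]]["accepted"] = True   # burst then approval: treat as probable compromise
    return hits
```

A burst with `accepted` set should be triaged as a live session to revoke, not just a noisy login; tune the threshold and window against your own baseline of legitimate push denials.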

Detections

| Name | Technique | Type |
|---|---|---|
| Detect New Login Attempts to Routers | None | TTP |
| Ivanti VTM New Account Creation | Exploit Public-Facing Application | TTP |
| Monitor Email For Brand Abuse | None | TTP |
| Okta Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP |
| Okta Multi-Factor Authentication Disabled | Multi-Factor Authentication | TTP |
| Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly |
| Okta New API Token Created | Default Accounts | TTP |
| Okta New Device Enrolled on Account | Device Registration | TTP |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly |
| PingID New MFA Method After Credential Reset | Multi-Factor Authentication Request Generation, Multi-Factor Authentication, Device Registration | TTP |
| Abnormally High Number Of Cloud Infrastructure API Calls | Cloud Accounts | Anomaly |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| ASL AWS Create Access Key | Cloud Account | Hunting |
| ASL AWS Create Policy Version to allow all resources | Cloud Accounts | TTP |
| ASL AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| ASL AWS IAM Assume Role Policy Brute Force | Cloud Infrastructure Discovery, Brute Force | TTP |
| ASL AWS Network Access Control List Deleted | Disable or Modify Cloud Firewall | Anomaly |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD Application Administrator Role Assigned | Additional Cloud Roles | TTP |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP |
| Azure AD Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| Azure AD New Federated Domain Added | Trust Modification | TTP |
| Azure AD New MFA Method Registered | Device Registration | TTP |
| Azure AD New MFA Method Registered For User | Multi-Factor Authentication | TTP |
| Azure AD PIM Role Assigned | Additional Cloud Roles | TTP |
| Azure AD PIM Role Assignment Activated | Additional Cloud Roles | TTP |
| Azure AD Privileged Authentication Administrator Role Assigned | Security Account Manager | TTP |
| Azure AD Privileged Role Assigned | Additional Cloud Roles | TTP |
| Azure AD Privileged Role Assigned to Service Principal | Additional Cloud Roles | TTP |
| Azure AD Service Principal New Client Credentials | Additional Cloud Credentials | TTP |
| Azure AD User Enabled And Password Reset | Account Manipulation | TTP |
| GCP Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| GCP Kubernetes cluster pod scan detection | Cloud Service Discovery | Hunting |
| GCP Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| GCP Multiple Failed MFA Requests For User | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| GCP Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage | Anomaly |
| O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP |
| O365 Privileged Role Assigned | Additional Cloud Roles | TTP |
| O365 Privileged Role Assigned To Service Principal | Additional Cloud Roles | TTP |
| Access LSASS Memory for Dump Creation | LSASS Memory | TTP |
| AdsiSearcher Account Discovery | Domain Account | TTP |
| Cisco NVM - Rclone Execution With Network Activity | Exfiltration to Cloud Storage | Anomaly |
| Creation of lsass Dump with Taskmgr | LSASS Memory | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory | TTP |
| Detect Excessive User Account Lockouts | Local Accounts | Anomaly |
| Detect New Local Admin account | Local Account | TTP |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path | TTP |
| Detect Remote Access Software Usage File | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Domain Group Discovery with Adsisearcher | Domain Groups | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| GetAdGroup with PowerShell Script Block | Domain Groups | Hunting |
| Kerberos Service Ticket Request Using RC4 Encryption | Golden Ticket | TTP |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP |
| Linux Auditd Find Credentials From Password Managers | Password Managers | TTP |
| Linux Auditd Find Credentials From Password Stores | Password Managers | TTP |
| Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly |
| Linux Hardware Addition SwapOff | Hardware Additions | Anomaly |
| Linux Impair Defenses Process Kill | Disable or Modify Tools | Hunting |
| Local Account Discovery With Wmic | Local Account | Hunting |
| Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly |
| PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly |
| PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP |
| PowerShell Start or Stop Service | PowerShell | Anomaly |
| Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP |
| Suspicious Computer Account Name Change | Domain Accounts | TTP |
| Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Windows AD DSRM Password Reset | Account Manipulation | TTP |
| Windows Cisco Secure Endpoint Related Service Stopped | Inhibit System Recovery | Anomaly |
| Windows Create Local Account | Local Account | Anomaly |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers | TTP |
| Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP |
| Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting |
| Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting |
| Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools | TTP |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools | TTP |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools | TTP |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools | TTP |
| Windows Impair Defenses Disable AV AutoStart via Registry | Modify Registry | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows Local Administrator Credential Stuffing | Credential Stuffing | TTP |
| Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP |
| Windows Modify Registry Tamper Protection | Modify Registry | TTP |
| Windows Non-System Account Targeting Lsass | LSASS Memory | TTP |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Possible Credential Dumping | LSASS Memory | TTP |
| Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Malicious Link, Windows Command Shell | TTP |
| Windows Privileged Group Modification | Local Account, Domain Account | TTP |
| Windows RDP Login Session Was Established | Remote Desktop Protocol | Anomaly |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP |
| Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Anomaly |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows Terminating Lsass Process | Disable or Modify Tools | Anomaly |
| Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Cisco Smart Install Port Discovery and Status | Exploit Public-Facing Application | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP |
| Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Internal Horizontal Port Scan NMAP Top 20 | Network Service Discovery | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |
| Internal Vulnerability Scan | Vulnerability Scanning, Network Service Discovery | TTP |
| Protocols passing authentication in cleartext | None | Anomaly |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP |
| Detect Remote Access Software Usage URL | Remote Access Tools | Anomaly |
| Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| ASL AWS CloudTrail | AWS | aws:asl | aws_asl |
| AWS CloudTrail | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudWatchLogs VPCflow | AWS | aws:cloudwatchlogs:vpcflow | aws_cloudwatchlogs_vpcflow |
| Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Add member to role | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Disable Strong Authentication | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Enable account | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Reset password (by admin) | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Set domain authentication | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Update user | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD |
| Cisco IOS Logs | N/A | cisco:ios | cisco:ios |
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| Cisco Secure Firewall Threat Defense Connection Event | N/A | cisco:sfw:estreamer | not_applicable |
| CrowdStrike ProcessRollup2 | N/A | crowdstrike:events:sensor | crowdstrike |
| G Suite Drive | N/A | gsuite:drive:json | http:gsuite |
| Google Workspace | N/A | gws:reports:login | google_workspace |
| Google Workspace login_failure | N/A | gws:reports:admin | gws:reports:admin |
| Ivanti VTM Audit | N/A | ivanti_vtm_audit | ivanti_vtm |
| Linux Auditd Execve | Linux | auditd | auditd |
| Nginx Access | N/A | nginx:plus:kv | /var/log/nginx/access.log |
| O365 UserLoggedIn | N/A | o365:management:activity | o365 |
| O365 UserLoginFailed | N/A | o365:management:activity | o365 |
| Office 365 Universal Audit Log | N/A | o365:management:activity | o365 |
| Okta | N/A | OktaIM2:log | Okta |
| Palo Alto Network Threat | Network | pan:threat | pan:threat |
| Palo Alto Network Traffic | Network | pan:traffic | screenconnect_palo_traffic |
| PingID | N/A | XmlWinEventLog | XmlWinEventLog:Security |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Splunk Stream TCP | Splunk | stream:tcp | stream:tcp |
| Suricata | N/A | suricata | suricata |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4624 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4625 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4720 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4727 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4731 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4732 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4744 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4749 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4754 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4759 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4768 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4769 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4781 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4783 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4790 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4794 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System |

Source: GitHub | Version: 1