Analytics Story: Scattered Lapsus$ Hunters

Description

Scattered Lapsus$ Hunters is a collaboration of three sophisticated threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for devastating supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety following their September 2025 attack on Jaguar Land Rover, causing three weeks of production shutdown and £50M+ weekly losses.

Why it matters

Scattered Lapsus$ Hunters represents a dangerous collaboration between Scattered Spider (UNC3944), Lapsus$, and Shiny Hunters, three threat actor groups that combine sophisticated social engineering expertise with advanced technical capabilities. Their September 2025 cyberattack on Jaguar Land Rover demonstrated the catastrophic potential of targeting critical supply chain infrastructure, resulting in a three-week production shutdown, tens of millions in weekly losses, and thousands of jobs at risk across the automotive supply chain.

The group's attack methodology begins with sophisticated initial access through voice phishing (vishing), SMS phishing (smishing), and SIM swapping to compromise credentials and bypass multi-factor authentication. They employ advanced MFA bypass techniques including MFA fatigue attacks through repeated push notifications, SIM swapping to intercept SMS codes, and adversary-in-the-middle attacks on authentication flows.

Once inside a network, they leverage legitimate remote management tools (AnyDesk, TeamViewer, ScreenConnect) to maintain persistence and evade detection, following a living-off-the-land approach that minimizes custom malware. For credential access, the group employs tools like Mimikatz for credential dumping, targets LSASS memory, extracts browser-stored credentials, and steals OAuth tokens and session cookies. They excel at lateral movement using RDP, Pass-the-Hash and Pass-the-Ticket techniques, and internal spearphishing.

The group demonstrates deep understanding of cloud environments, targeting Azure AD, AWS, GCP, and O365 with techniques to disable MFA, create privileged accounts, assign administrative roles to service principals, and modify authentication policies. Data exfiltration occurs through cloud storage services (MEGA, Google Drive), file sharing platforms, and custom exfiltration channels. The impact phase includes stopping critical services, deploying ransomware, system shutdowns to maximize disruption, and data destruction.

Previous notable attacks attributed to the constituent groups include Lapsus$ breaches of Microsoft, Nvidia, Okta, Samsung, and Ubisoft (2022), and Scattered Spider attacks on MGM Resorts and Caesars Entertainment (2023). The group targets telecommunications, retail, technology, manufacturing, and critical infrastructure sectors.

Organizations should implement phishing-resistant MFA (FIDO2/WebAuthn), monitor RMM tool deployment, enable comprehensive logging, deploy EDR solutions, train employees on advanced social engineering tactics, segment critical production systems, and maintain offline backups of critical data. The detections in this analytic story cover the full attack lifecycle, including MFA manipulation, unauthorized remote access software, credential theft, session hijacking, privilege escalation, defense evasion, data exfiltration, and production system disruption.

Detections

| Name | Technique | Type |
|---|---|---|
| Ivanti VTM New Account Creation | Exploit Public-Facing Application | TTP |
| ASL AWS Create Policy Version to allow all resources | Cloud Accounts | TTP |
| GCP Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| Azure AD Privileged Role Assigned to Service Principal | Additional Cloud Roles | TTP |
| Suspicious Computer Account Name Change | Domain Accounts | TTP |
| ASL AWS Network Access Control List Deleted | Cloud Firewall | Anomaly |
| Windows Privileged Group Modification | Local Account, Domain Account | TTP |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Protocols passing authentication in cleartext | None | Anomaly |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools | TTP |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly |
| Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage URL | Remote Access Tools | Anomaly |
| Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly |
| Linux Impair Defenses Process Kill | Disable or Modify Tools | Hunting |
| Azure AD Application Administrator Role Assigned | Additional Cloud Roles | TTP |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP |
| Windows Modify Registry Tamper Protection | Modify Registry | TTP |
| Azure AD Service Principal New Client Credentials | Additional Cloud Credentials | TTP |
| Windows Terminating Lsass Process | Disable or Modify Tools | Anomaly |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Azure AD New MFA Method Registered For User | Multi-Factor Authentication | TTP |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly |
| Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting |
| Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly |
| GCP Multiple Failed MFA Requests For User | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Cisco Smart Install Port Discovery and Status | Exploit Public-Facing Application | TTP |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows Local Administrator Credential Stuffing | Credential Stuffing | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP |
| Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Hunting |
| Windows Create Local Account | Local Account | Anomaly |
| Azure AD New Federated Domain Added | Trust Modification | TTP |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools | TTP |
| Azure AD Privileged Authentication Administrator Role Assigned | Security Account Manager | TTP |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP |
| PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP |
| Windows Possible Credential Dumping | LSASS Memory | TTP |
| Windows RDP Login Session Was Established | Remote Desktop Protocol | Anomaly |
| O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP |
| AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| Detect Remote Access Software Usage File | Remote Access Tools | Anomaly |
| Azure AD PIM Role Assignment Activated | Additional Cloud Roles | TTP |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Detect New Login Attempts to Routers | None | TTP |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Okta New Device Enrolled on Account | Device Registration | TTP |
| Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools | TTP |
| Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools | TTP |
| O365 Privileged Role Assigned To Service Principal | Additional Cloud Roles | TTP |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| Domain Group Discovery with Adsisearcher | Domain Groups | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Detect New Local Admin account | Local Account | TTP |
| Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting |
| GetAdGroup with PowerShell Script Block | Domain Groups | Hunting |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path | TTP |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage | Anomaly |
| Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly |
| Windows Cisco Secure Endpoint Related Service Stopped | Inhibit System Recovery | Anomaly |
| Windows RMM Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Azure AD Privileged Role Assigned | Additional Cloud Roles | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Detect Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Cisco NVM - Rclone Execution With Network Activity | Exfiltration to Cloud Storage | Anomaly |
| Internal Horizontal Port Scan NMAP Top 20 | Network Service Discovery | TTP |
| GCP Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Detect Credential Dumping through LSASS access | LSASS Memory | TTP |
| Internal Vulnerability Scan | Network Service Discovery, Vulnerability Scanning | TTP |
| Azure AD PIM Role Assigned | Additional Cloud Roles | TTP |
| Detect Excessive User Account Lockouts | Local Accounts | Anomaly |
| PingID New MFA Method After Credential Reset | Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation | TTP |
| O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP |
| Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting |
| GCP Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Linux Auditd Find Credentials From Password Managers | Password Managers | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly |
| Okta Multi-Factor Authentication Disabled | Multi-Factor Authentication | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory | TTP |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| Linux Auditd Find Credentials From Password Stores | Password Managers | TTP |
| Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP |
| O365 Privileged Role Assigned | Additional Cloud Roles | TTP |
| Monitor Email For Brand Abuse | None | TTP |
| Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly |
| ASL AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| ASL AWS IAM Assume Role Policy Brute Force | Brute Force, Cloud Infrastructure Discovery | TTP |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly |
| Windows AD DSRM Password Reset | Account Manipulation | TTP |
| Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP |
| Azure AD New MFA Method Registered | Device Registration | TTP |
| Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly |
| Azure AD Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| ASL AWS Create Access Key | Cloud Account | Hunting |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools | TTP |
| Linux Hardware Addition SwapOff | Hardware Additions | Anomaly |
| AdsiSearcher Account Discovery | Domain Account | TTP |
| Access LSASS Memory for Dump Creation | LSASS Memory | TTP |
| Okta New API Token Created | Default Accounts | TTP |
| Okta Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP |
| Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP |
| GCP Kubernetes cluster pod scan detection | Cloud Service Discovery | Hunting |
| Local Account Discovery With Wmic | Local Account | Hunting |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Windows Command Shell, Malicious Link | TTP |
| Windows Impair Defenses Disable AV AutoStart via Registry | Modify Registry | TTP |
| Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Kerberos Service Ticket Request Using RC4 Encryption | Golden Ticket | TTP |
| Azure AD User Enabled And Password Reset | Account Manipulation | TTP |
| Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly |
| Windows Non-System Account Targeting Lsass | LSASS Memory | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers | TTP |
| PowerShell Start or Stop Service | PowerShell | Anomaly |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
|---|---|---|---|
| Ivanti VTM Audit | Other | ivanti_vtm_audit | ivanti_vtm |
| ASL AWS CloudTrail | AWS | aws:asl | aws_asl |
| Google Workspace | Other | gws:reports:login | google_workspace |
| Azure Active Directory Add member to role | Azure | azure:monitor:aad | Azure AD |
| Windows Event Log Security 4781 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4727 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4759 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4756 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4744 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4731 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4749 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4790 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4754 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4783 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| AWS CloudWatchLogs VPCflow | AWS | aws:cloudwatchlogs:vpcflow | aws_cloudwatchlogs_vpcflow |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Palo Alto Network Threat | Network | pan:threat | not_applicable |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD |
| Okta | Other | OktaIM2:log | Okta |
| Windows Event Log Security 4769 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Splunk Stream TCP | Splunk | stream:tcp | stream:tcp |
| Windows Event Log Security 4768 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4624 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4625 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco IOS Logs | Other | cisco:ios | cisco:ios |
| Windows Event Log Security 4720 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Set domain authentication | Azure | azure:monitor:aad | Azure AD |
| Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log |
| O365 UserLoggedIn | Other | o365:management:activity | o365 |
| Suricata | Other | suricata | not_applicable |
| AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| Windows Event Log Security 4732 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| G Suite Drive | Other | gsuite:drive:json | http:gsuite |
| Linux Auditd Execve | Linux | auditd | auditd |
| Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Palo Alto Network Traffic | Network | pan:traffic | not_applicable |
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| Google Workspace login_failure | Other | gws:reports:admin | gws:reports:admin |
| PingID | Other | XmlWinEventLog | XmlWinEventLog:Security |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| Windows Event Log Security 4794 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory Update user | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Disable Strong Authentication | Azure | azure:monitor:aad | Azure AD |
| AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| Azure Active Directory Reset password (by admin) | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Enable account | Azure | azure:monitor:aad | Azure AD |

Source: GitHub | Version: 2