Analytics Story: Scattered Lapsus$ Hunters

Description

Scattered Lapsus$ Hunters is a collaboration of three threat actor groups (Scattered Spider, Lapsus$, and Shiny Hunters) known for damaging supply chain attacks, advanced social engineering, MFA bypass techniques, and credential theft. The group gained notoriety after its September 2025 attack on Jaguar Land Rover, which caused three weeks of production shutdown and £50M+ in weekly losses.

Why it matters

Scattered Lapsus$ Hunters represents a dangerous collaboration between Scattered Spider (UNC3944), Lapsus$, and Shiny Hunters, three threat actor groups that combine social engineering expertise with advanced technical capability. Their September 2025 cyberattack on Jaguar Land Rover demonstrated the catastrophic potential of targeting critical supply chain infrastructure: a three-week production shutdown, tens of millions in weekly losses, and thousands of jobs at risk across the automotive supply chain.

Initial access begins with voice phishing (vishing), SMS phishing (smishing), and SIM swapping to compromise credentials and bypass multi-factor authentication. Their MFA bypass techniques include MFA fatigue (repeated push notifications until the user approves one), SIM swapping to intercept SMS codes, and adversary-in-the-middle attacks on authentication flows.

Once inside a network, they leverage legitimate remote management tools (AnyDesk, TeamViewer, ScreenConnect) to maintain persistence and evade detection, a living-off-the-land approach that minimizes custom malware and blends into normal administrative traffic.

For credential access, the group employs tools like Mimikatz for credential dumping, targets LSASS memory, extracts browser-stored credentials, and steals OAuth tokens and session cookies. Lateral movement relies on RDP, Pass-the-Hash and Pass-the-Ticket techniques, and internal spearphishing.

The group demonstrates a deep understanding of cloud environments, targeting Azure AD (now Entra ID), AWS, GCP, and O365 with techniques to disable MFA, create privileged accounts, assign administrative roles to service principals, and modify authentication policies. Data exfiltration occurs through cloud storage services (MEGA, Google Drive), file sharing platforms, and custom exfiltration channels.
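Two of the identity-side behaviours above, MFA push fatigue and a stolen session cookie replayed from a second IP, can be expressed as simple sliding-window detections over an identity provider's authentication log. The block below is an added example, not code from this analytic story or from Splunk; the events are constructed, and the field names (`ts`, `user`, `event`, `result`, `ip`, `session`) are assumptions loosely modelled on an IdP log rather than any vendor's schema.

```python
"""Identity-log detections for MFA push fatigue and session reuse from a second IP.
Added example, not code from the analytic story; events and field names are
constructed assumptions loosely modelled on an identity provider's auth log."""
from collections import defaultdict

# Constructed sample events: epoch seconds, user, event kind, outcome, source IP, session id.
EVENTS = [
    # alice: six push challenges refused or timed out within 200 s, then one accepted
    {"ts": 1000, "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": 1040, "user": "alice", "event": "mfa.push", "result": "TIMEOUT", "ip": "203.0.113.7"},
    {"ts": 1080, "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": 1120, "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": 1160, "user": "alice", "event": "mfa.push", "result": "TIMEOUT", "ip": "203.0.113.7"},
    {"ts": 1200, "user": "alice", "event": "mfa.push", "result": "DENY", "ip": "203.0.113.7"},
    {"ts": 1230, "user": "alice", "event": "mfa.push", "result": "ACCEPT", "ip": "203.0.113.7"},
    {"ts": 1235, "user": "alice", "event": "session.start", "result": "SUCCESS", "ip": "203.0.113.7", "session": "s1"},
    # bob: a single refused push is normal user behaviour
    {"ts": 2000, "user": "bob", "event": "mfa.push", "result": "DENY", "ip": "198.51.100.4"},
    # carol: session "s9" seen from two different IPs 90 s apart (stolen cookie replayed)
    {"ts": 3000, "user": "carol", "event": "session.start", "result": "SUCCESS", "ip": "198.51.100.20", "session": "s9"},
    {"ts": 3090, "user": "carol", "event": "session.start", "result": "SUCCESS", "ip": "203.0.113.99", "session": "s9"},
    # dave: same session from the same IP twice, benign
    {"ts": 4000, "user": "dave", "event": "session.start", "result": "SUCCESS", "ip": "192.0.2.10", "session": "s4"},
    {"ts": 4100, "user": "dave", "event": "session.start", "result": "SUCCESS", "ip": "192.0.2.10", "session": "s4"},
]

REFUSED = {"DENY", "TIMEOUT"}


def mfa_fatigue(events, threshold=5, window=600):
    """Return one alert per user with >= threshold refused or timed-out push
    challenges inside any `window`-second span. The alert also records whether a
    push was accepted within `window` seconds after the burst: that is the case
    where the fatigue attack succeeded and should be triaged first."""
    pushes = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "mfa.push":
            pushes[e["user"]].append(e)
    alerts = []
    for user, items in pushes.items():
        refused = [p for p in items if p["result"] in REFUSED]
        best, lo = None, 0
        for hi in range(len(refused)):            # sliding window over refused pushes
            while refused[hi]["ts"] - refused[lo]["ts"] > window:
                lo += 1
            n = hi - lo + 1
            if n >= threshold and (best is None or n > best["refused"]):
                best = {"user": user, "refused": n,
                        "first": refused[lo]["ts"], "last": refused[hi]["ts"]}
        if best:
            best["accepted_after"] = any(
                p["result"] == "ACCEPT" and best["last"] <= p["ts"] <= best["last"] + window
                for p in items)
            alerts.append(best)
    return alerts


def session_reuse(events, window=600):
    """Return one alert per (user, session) whose session id is observed from two or
    more distinct source IPs within `window` seconds; a replayed cookie looks like this."""
    sessions = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "session.start" and e.get("session"):
            sessions[(e["user"], e["session"])].append(e)
    alerts = []
    for (user, sid), seen in sessions.items():
        for i, first in enumerate(seen):
            others = {later["ip"] for later in seen[i + 1:]
                      if later["ts"] - first["ts"] <= window and later["ip"] != first["ip"]}
            if others:
                alerts.append({"user": user, "session": sid,
                               "ips": sorted({first["ip"], *others})})
                break
    return alerts


if __name__ == "__main__":
    for alert in mfa_fatigue(EVENTS) + session_reuse(EVENTS):
        print(alert)
```

The threshold and window are tuning knobs: a single refused push (bob) is ordinary user behaviour, so the rule only fires on a burst, and the `accepted_after` flag separates a fatigue attempt the user resisted from one that got them to tap approve. The session check keys on the session identifier rather than the user, so two legitimate logins from home and office do not fire, but one cookie presented from two networks does.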
The impact phase includes stopping critical services, deploying ransomware, shutting systems down to maximize disruption, and destroying data.

Previous notable attacks attributed to the constituent groups include the Lapsus$ breaches of Microsoft, Nvidia, Okta, Samsung, and Ubisoft (2022) and the Scattered Spider attacks on MGM Resorts and Caesars Entertainment (2023). The group targets the telecommunications, retail, technology, manufacturing, and critical infrastructure sectors.

Organizations should implement phishing-resistant MFA (FIDO2/WebAuthn), monitor RMM tool deployment, enable comprehensive logging, deploy EDR, train employees on advanced social engineering tactics, segment critical production systems, and maintain offline backups of critical data. The detections in this analytic story cover the full attack lifecycle: MFA manipulation, unauthorized remote access software, credential theft, session hijacking, privilege escalation, defense evasion, data exfiltration, and production system disruption.
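On the endpoint side, two of the behaviours this story covers, an unauthorized RMM tool starting and a non-SYSTEM process opening LSASS for a memory read, reduce to straightforward checks over Sysmon process-create and process-access events. The block below is an added example, not a detection from this analytic story or from Splunk; the records are constructed in the shape of Sysmon EventID 1 and EventID 10, and the RMM executable list, the approved tool, and the EDR allowlist path are assumptions that an organisation would replace with its own.

```python
"""Endpoint detections: unapproved RMM tool launch (Sysmon EventID 1) and LSASS opened
with PROCESS_VM_READ by a non-SYSTEM process (Sysmon EventID 10). Added example, not a
detection from the analytic story; events, tool lists and allowlists are constructed."""

# Assumed: executables associated with common RMM tools, and the one the org sanctions.
RMM_IMAGES = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe",
              "screenconnect.windowsclient.exe", "atera.exe", "splashtop.exe"}
APPROVED_RMM = {"screenconnect.clientservice.exe"}

PROCESS_VM_READ = 0x0010                      # access right required to read LSASS memory
SYSTEM_ACCOUNT = "nt authority\\system"
LSASS_READERS_ALLOWED = {r"c:\program files\edr\sensor.exe"}   # assumed EDR sensor path

LSASS = r"C:\Windows\System32\lsass.exe"
SYSMON = [  # constructed events
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Users\jdoe\Downloads\AnyDesk.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "AnyDesk.exe --silent-install"},
    {"EventID": 1, "Computer": "WS02", "User": "NT AUTHORITY\\SYSTEM",
     "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "ParentImage": r"C:\Windows\System32\services.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
    {"EventID": 1, "Computer": "WS01", "User": "CORP\\jdoe",
     "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"EventID": 10, "Computer": "WS01", "SourceUser": "CORP\\jdoe",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1FFFFF"},      # PROCESS_ALL_ACCESS
    {"EventID": 10, "Computer": "WS01", "SourceUser": "NT AUTHORITY\\SYSTEM",
     "SourceImage": r"C:\Program Files\EDR\sensor.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1010"},        # VM_READ, but SYSTEM and allowlisted
    {"EventID": 10, "Computer": "WS03", "SourceUser": "CORP\\helpdesk",
     "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetImage": LSASS, "GrantedAccess": "0x1400"},        # QUERY_* only, no memory read
    {"EventID": 10, "Computer": "WS03", "SourceUser": "CORP\\helpdesk",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe", "GrantedAccess": "0x1010"},  # not lsass
]


def basename(path):
    """Lower-cased file name from a Windows (or mixed-separator) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unapproved_rmm(events):
    """EventID 1: RMM executables that are not on the approved list."""
    hits = []
    for e in events:
        if e["EventID"] != 1:
            continue
        image = basename(e["Image"])
        if image in RMM_IMAGES and image not in APPROVED_RMM:
            hits.append({"host": e["Computer"], "user": e["User"], "image": image,
                         "parent": basename(e["ParentImage"]), "cmd": e["CommandLine"]})
    return hits


def lsass_read_by_non_system(events):
    """EventID 10: a process not running as SYSTEM (and not an allowlisted reader)
    obtained a handle to lsass.exe whose GrantedAccess includes PROCESS_VM_READ."""
    hits = []
    for e in events:
        if e["EventID"] != 10 or basename(e["TargetImage"]) != "lsass.exe":
            continue
        access = int(e["GrantedAccess"], 16)
        if not access & PROCESS_VM_READ:
            continue
        if e["SourceUser"].lower() == SYSTEM_ACCOUNT:
            continue
        if e["SourceImage"].lower() in LSASS_READERS_ALLOWED:
            continue
        hits.append({"host": e["Computer"], "user": e["SourceUser"],
                     "source": basename(e["SourceImage"]), "access": hex(access)})
    return hits


if __name__ == "__main__":
    for hit in unapproved_rmm(SYSMON) + lsass_read_by_non_system(SYSMON):
        print(hit)
```

Matching on the image name alone is deliberately loose; a renamed binary slips past it, so a production rule would also check `OriginalFileName`, signer, or a hash. Testing the access mask bitwise rather than for exact values such as `0x1010` or `0x1FFFFF` catches any handle that can read memory, while the SYSTEM and allowlist exclusions keep the EDR's own routine LSASS reads out of the alert queue.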

Detections

| Name | Technique | Type |
| --- | --- | --- |
| Detect Path Interception By Creation Of program exe | Path Interception by Unquoted Path | TTP |
| Windows Impair Defense Disable Defender Protocol Recognition | Disable or Modify Tools | TTP |
| AdsiSearcher Account Discovery | Domain Account | TTP |
| Internal Horizontal Port Scan NMAP Top 20 | Network Service Discovery | TTP |
| Nginx ConnectWise ScreenConnect Authentication Bypass | Exploit Public-Facing Application | TTP |
| Windows Credentials from Password Stores Chrome Copied in TEMP Dir | Credentials from Web Browsers | TTP |
| Linux Auditd Find Credentials From Password Managers | Password Managers | TTP |
| Internal Horizontal Port Scan | Network Service Discovery | TTP |
| Windows AD DSRM Account Changes | Account Manipulation | TTP |
| Detect Excessive User Account Lockouts | Local Accounts | Anomaly |
| Windows Impair Defense Disable Win Defender Network Protection | Disable or Modify Tools | TTP |
| Azure AD Privileged Role Assigned to Service Principal | Additional Cloud Roles | TTP |
| Azure AD Service Principal New Client Credentials | Additional Cloud Credentials | TTP |
| Detect IPv6 Network Infrastructure Threats | Hardware Additions, Network Denial of Service, ARP Cache Poisoning | TTP |
| Internal Vulnerability Scan | Network Service Discovery, Vulnerability Scanning | TTP |
| Permission Modification using Takeown App | File and Directory Permissions Modification | Anomaly |
| Windows Non-System Account Targeting Lsass | LSASS Memory | TTP |
| Windows Impair Defense Disable PUA Protection | Disable or Modify Tools | TTP |
| Windows Access Token Manipulation SeDebugPrivilege | Create Process with Token | Anomaly |
| Protocols passing authentication in cleartext | None | Anomaly |
| Monitor Email For Brand Abuse | None | TTP |
| O365 Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Access LSASS Memory for Dump Creation | LSASS Memory | TTP |
| Domain Group Discovery with Adsisearcher | Domain Groups | TTP |
| Cisco Smart Install Port Discovery and Status | Exploit Public-Facing Application | TTP |
| GCP Successful Single-Factor Authentication | Cloud Accounts | TTP |
| O365 Privileged Role Assigned To Service Principal | Additional Cloud Roles | TTP |
| AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| Mimikatz PassTheTicket CommandLine Parameters | Pass the Ticket | TTP |
| Windows Kerberos Local Successful Logon | Steal or Forge Kerberos Tickets | TTP |
| Windows Impair Defense Disable Win Defender Signature Retirement | Disable or Modify Tools | TTP |
| Suspicious Computer Account Name Change | Domain Accounts | TTP |
| Windows PowerShell FakeCAPTCHA Clipboard Execution | PowerShell, Windows Command Shell, Malicious Link | TTP |
| ASL AWS Create Policy Version to allow all resources | Cloud Accounts | TTP |
| Azure AD Privileged Role Assigned | Additional Cloud Roles | TTP |
| Windows Remote Service Rdpwinst Tool Execution | Remote Desktop Protocol | TTP |
| Citrix ADC and Gateway Unauthorized Data Disclosure | Exploit Public-Facing Application | TTP |
| Unusual Number of Computer Service Tickets Requested | Valid Accounts | Hunting |
| Windows AD DSRM Password Reset | Account Manipulation | TTP |
| GCP Authentication Failed During MFA Challenge | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Kerberos TGT Request Using RC4 Encryption | Use Alternate Authentication Material | TTP |
| Detect Remote Access Software Usage FileInfo | Remote Access Tools | Anomaly |
| Gsuite Drive Share In External Email | Exfiltration to Cloud Storage | Anomaly |
| Windows RMM Named Pipe | SMB/Windows Admin Shares, Process Injection, Inter-Process Communication | Anomaly |
| Windows Terminating Lsass Process | Disable or Modify Tools | Anomaly |
| Windows Service Stop Attempt | Service Stop | Hunting |
| Azure AD Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Windows System Shutdown CommandLine | System Shutdown/Reboot | Anomaly |
| Windows Cisco Secure Endpoint Related Service Stopped | Inhibit System Recovery | Anomaly |
| Detect New Local Admin account | Local Account | TTP |
| GCP Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts | TTP |
| Ivanti VTM New Account Creation | Exploit Public-Facing Application | TTP |
| Windows System LogOff Commandline | System Shutdown/Reboot | Anomaly |
| Okta MFA Exhaustion Hunt | Brute Force | Hunting |
| ASL AWS Concurrent Sessions From Different Ips | Browser Session Hijacking | Anomaly |
| Windows Impair Defense Disable Defender Firewall And Network | Disable or Modify Tools | TTP |
| GCP Multiple Failed MFA Requests For User | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Rubeus Command Line Parameters | Pass the Ticket, Kerberoasting, AS-REP Roasting | TTP |
| Dump LSASS via comsvcs DLL | LSASS Memory | TTP |
| Windows Privileged Group Modification | Local Account, Domain Account | TTP |
| PowerShell Invoke WmiExec Usage | Windows Management Instrumentation | TTP |
| Windows LSA Secrets NoLMhash Registry | LSA Secrets | TTP |
| Azure AD Application Administrator Role Assigned | Additional Cloud Roles | TTP |
| Detect Remote Access Software Usage Registry | Remote Access Tools | Anomaly |
| Okta Suspicious Use of a Session Cookie | Steal Web Session Cookie | Anomaly |
| Windows PowerShell Export PfxCertificate | Private Keys, Steal or Forge Authentication Certificates | Anomaly |
| Windows Password Managers Discovery | Password Managers | Anomaly |
| Windows Hunting System Account Targeting Lsass | LSASS Memory | Hunting |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Local Account Discovery With Wmic | Local Account | Hunting |
| Detect Remote Access Software Usage File | Remote Access Tools | Anomaly |
| Cisco Secure Firewall - Connection to File Sharing Domain | Web Protocols, External Proxy, Ingress Tool Transfer, Exfiltration to Cloud Storage, Tool | Anomaly |
| Windows Credentials from Web Browsers Saved in TEMP Folder | Credentials from Web Browsers | TTP |
| O365 Privileged Role Assigned | Additional Cloud Roles | TTP |
| Okta New Device Enrolled on Account | Device Registration | TTP |
| Azure AD Privileged Authentication Administrator Role Assigned | Security Account Manager | TTP |
| Windows Credential Dumping LSASS Memory Createdump | LSASS Memory | TTP |
| Okta Multi-Factor Authentication Disabled | Multi-Factor Authentication | TTP |
| Windows System Reboot CommandLine | System Shutdown/Reboot | Hunting |
| ASL AWS Create Access Key | Cloud Account | Hunting |
| AWS Multi-Factor Authentication Disabled | Multi-Factor Authentication, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Creation of lsass Dump with Taskmgr | LSASS Memory | TTP |
| ASL AWS Network Access Control List Deleted | Cloud Firewall | Anomaly |
| Windows Event Logging Service Has Shutdown | Clear Windows Event Logs | Hunting |
| Azure AD PIM Role Assignment Activated | Additional Cloud Roles | TTP |
| Cisco NVM - Rclone Execution With Network Activity | Exfiltration to Cloud Storage | Anomaly |
| Windows Disable or Stop Browser Process | Disable or Modify Tools | TTP |
| Detect Remote Access Software Usage Process | Remote Access Tools | Anomaly |
| Detect Remote Access Software Usage DNS | Remote Access Tools | Anomaly |
| Gdrive suspicious file sharing | Phishing | Hunting |
| Windows Security And Backup Services Stop | Inhibit System Recovery | TTP |
| GetAdGroup with PowerShell Script Block | Domain Groups | Hunting |
| Azure AD Global Administrator Role Assigned | Additional Cloud Roles | TTP |
| Linux Auditd Find Credentials From Password Stores | Password Managers | TTP |
| Azure AD New MFA Method Registered | Device Registration | TTP |
| Azure AD PIM Role Assigned | Additional Cloud Roles | TTP |
| Windows Create Local Account | Local Account | Anomaly |
| Detect Rogue DHCP Server | Hardware Additions, Network Denial of Service, Adversary-in-the-Middle | TTP |
| Okta Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | Anomaly |
| Windows Modify Registry Tamper Protection | Modify Registry | TTP |
| Okta Mismatch Between Source and Response for Verify Push Request | Multi-Factor Authentication Request Generation | TTP |
| GCP Kubernetes cluster pod scan detection | Cloud Service Discovery | Hunting |
| Linux Impair Defenses Process Kill | Disable or Modify Tools | Hunting |
| O365 Multiple Failed MFA Requests For User | Multi-Factor Authentication Request Generation | TTP |
| Cisco Secure Firewall - Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Windows RDP Login Session Was Established | Remote Desktop Protocol | Anomaly |
| PowerShell Invoke CIMMethod CIMSession | Windows Management Instrumentation | Anomaly |
| Windows Local Administrator Credential Stuffing | Credential Stuffing | TTP |
| Detect Remote Access Software Usage Traffic | Remote Access Tools | Anomaly |
| Detect New Login Attempts to Routers | None | TTP |
| Windows SpeechRuntime COM Hijacking DLL Load | Distributed Component Object Model | TTP |
| Windows Credentials from Password Stores Chrome Login Data Access | Query Registry | Anomaly |
| ASL AWS IAM Assume Role Policy Brute Force | Brute Force, Cloud Infrastructure Discovery | TTP |
| Windows Security Account Manager Stopped | Service Stop | TTP |
| ASL AWS Credential Access RDS Password reset | Brute Force, Cloud Accounts | TTP |
| Windows Possible Credential Dumping | LSASS Memory | TTP |
| Azure AD User Enabled And Password Reset | Account Manipulation | TTP |
| Windows Credentials from Password Stores Chrome LocalState Access | Query Registry | Anomaly |
| Azure AD New MFA Method Registered For User | Multi-Factor Authentication | TTP |
| Windows Create Local Administrator Account Via Net | Local Account | Anomaly |
| Okta Authentication Failed During MFA Challenge | Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| PingID New MFA Method After Credential Reset | Device Registration, Multi-Factor Authentication, Multi-Factor Authentication Request Generation | TTP |
| Linux Auditd Hardware Addition Swapoff | Hardware Additions | Anomaly |
| PowerShell Start or Stop Service | PowerShell | Anomaly |
| Windows Credential Access From Browser Password Store | Query Registry | Anomaly |
| Detect Remote Access Software Usage URL | Remote Access Tools | Anomaly |
| Okta New API Token Created | Default Accounts | TTP |
| Disable Windows Behavior Monitoring | Disable or Modify Tools | TTP |
| Windows Impair Defenses Disable AV AutoStart via Registry | Modify Registry | TTP |
| Rubeus Kerberos Ticket Exports Through Winlogon Access | Pass the Ticket | TTP |
| Azure AD New Federated Domain Added | Trust Modification | TTP |
| Kerberos Service Ticket Request Using RC4 Encryption | Golden Ticket | TTP |
| Linux Hardware Addition SwapOff | Hardware Additions | Anomaly |
| Detect Credential Dumping through LSASS access | LSASS Memory | TTP |
| Windows Impair Defense Deny Security Software With Applocker | Disable or Modify Tools | TTP |
| Internal Vertical Port Scan | Network Service Discovery | TTP |

Data Sources

| Name | Platform | Sourcetype | Source |
| --- | --- | --- | --- |
| CrowdStrike ProcessRollup2 | Other | crowdstrike:events:sensor | crowdstrike |
| Sysmon EventID 1 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4688 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 13 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Powershell Script Block Logging 4104 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-PowerShell/Operational |
| Cisco Secure Firewall Threat Defense Connection Event | Other | cisco:sfw:estreamer | not_applicable |
| AWS CloudWatchLogs VPCflow | AWS | aws:cloudwatchlogs:vpcflow | aws_cloudwatchlogs_vpcflow |
| Nginx Access | Other | nginx:plus:kv | /var/log/nginx/access.log |
| Sysmon EventID 11 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Linux Auditd Execve | Linux | auditd | auditd |
| Azure Active Directory Add member to role | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory | Azure | azure:monitor:aad | Azure AD |
| Cisco IOS Logs | Other | cisco:ios | cisco:ios |
| Sysmon EventID 10 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4703 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| O365 UserLoggedIn | Other | o365:management:activity | o365 |
| Splunk Stream TCP | Splunk | stream:tcp | stream:tcp |
| Google Workspace | Other | gws:reports:login | google_workspace |
| Office 365 Universal Audit Log | Other | o365:management:activity | o365 |
| AWS CloudTrail ModifyDBInstance | AWS | aws:cloudtrail | aws_cloudtrail |
| Windows Event Log Security 4624 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4781 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Cisco Network Visibility Module Flow Data | Network | cisco:nvm:flowdata | not_applicable |
| ASL AWS CloudTrail | AWS | aws:asl | aws_asl |
| Suricata | Other | suricata | not_applicable |
| Windows Event Log Security 4769 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4794 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Google Workspace login_failure | Other | gws:reports:admin | gws:reports:admin |
| Windows Event Log Security 4768 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| G Suite Drive | Other | gsuite:drive:json | http:gsuite |
| Sysmon EventID 18 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Sysmon EventID 17 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory Disable Strong Authentication | Azure | azure:monitor:aad | Azure AD |
| AWS CloudTrail DescribeEventAggregates | AWS | aws:cloudtrail | aws_cloudtrail |
| Windows Event Log System 7036 | Windows | XmlWinEventLog | XmlWinEventLog:System |
| Windows Event Log Security 4720 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4732 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Ivanti VTM Audit | Other | ivanti_vtm_audit | ivanti_vtm |
| Okta | Other | OktaIM2:log | Okta |
| Windows Event Log Security 4759 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4727 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4744 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4749 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4756 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4731 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4783 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4754 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Windows Event Log Security 4790 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| AWS CloudTrail DeleteVirtualMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| AWS CloudTrail DeactivateMFADevice | AWS | aws:cloudtrail | aws_cloudtrail |
| Windows Event Log Security 1100 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Sysmon EventID 22 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Azure Active Directory Update user | Azure | azure:monitor:aad | Azure AD |
| Sysmon for Linux EventID 1 | Linux | sysmon:linux | Syslog:Linux-Sysmon/Operational |
| O365 UserLoginFailed | Other | o365:management:activity | o365 |
| Windows Event Log Security 4625 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Traffic | Network | pan:traffic | not_applicable |
| Sysmon EventID 7 | Windows | XmlWinEventLog | XmlWinEventLog:Microsoft-Windows-Sysmon/Operational |
| Windows Event Log Security 4663 | Windows | XmlWinEventLog | XmlWinEventLog:Security |
| Azure Active Directory Reset password (by admin) | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory Enable account | Azure | azure:monitor:aad | Azure AD |
| Azure Active Directory User registered security info | Azure | azure:monitor:aad | Azure AD |
| PingID | Other | XmlWinEventLog | XmlWinEventLog:Security |
| Palo Alto Network Threat | Network | pan:threat | not_applicable |
| Azure Active Directory Set domain authentication | Azure | azure:monitor:aad | Azure AD |

Source: GitHub | Version: 2