Skip to content

Hide Navigation Hide TOC

LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7)

LAPSUS$ is cyber criminal threat group that has been active since at least mid-2021. LAPSUS$ specializes in large-scale social engineering and extortion operations, including destructive attacks without the use of ransomware. The group has targeted organizations globally, including in the government, manufacturing, higher education, energy, healthcare, technology, telecommunications, and media sectors.(Citation: BBC LAPSUS Apr 2022)(Citation: MSTIC DEV-0537 Mar 2022)(Citation: UNIT 42 LAPSUS Mar 2022)

Cluster A Galaxy A Cluster B Galaxy B Level
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Account Access Removal - T1531 (b24e2a20-3b3d-4bf0-823b-1ed765398fb0) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set SIM Card Swap - T1451 (a64a820a-cb21-471f-920c-506a2ff04fa5) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Purchase Technical Data - T1597.002 (0a241b6c-7bb2-48f9-98f7-128145b4d27f) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Business Relationships - T1591.002 (6ee2dc99-91ad-4534-a7d8-a649358c331f) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 1
LAPSUS$ - G1004 (d8bc9788-4f7d-41a9-9e9d-ee1ea18a8cf7) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
Code Repositories - T1213.003 (cff94884-3b1c-4987-a70b-6d5643c621c3) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Messaging Applications - T1213.005 (fb75213f-cfb0-40bf-a02f-3bad93d6601e) Attack Pattern 2
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 2
Create Cloud Instance - T1578.002 (cf1c2504-433f-4c4e-a1f8-91de45a0318c) Attack Pattern Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 2
Purchase Technical Data - T1597.002 (0a241b6c-7bb2-48f9-98f7-128145b4d27f) Attack Pattern Search Closed Sources - T1597 (a51eb150-93b1-484b-a503-e51453b127a4) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970) Attack Pattern 2
Virtual Private Server - T1583.003 (79da0971-3147-4af6-a4f5-e8cd447cd795) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Business Relationships - T1591.002 (6ee2dc99-91ad-4534-a7d8-a649358c331f) Attack Pattern Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern 2
Credentials - T1589.001 (bc76d0a4-db11-4551-9ac4-01a469cfb161) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
DNS Server - T1584.002 (c2f59d25-87fe-44aa-8f83-e8e59d077bf5) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 2
Modify Cloud Compute Infrastructure - T1578 (144e007b-e638-431d-a894-45d90c54ab90) Attack Pattern Delete Cloud Instance - T1578.003 (70857657-bd0b-4695-ad3e-b13f92cac1b4) Attack Pattern 2
Chat Messages - T1552.008 (9664ad0e-789e-40ac-82e2-d7b17fbe8fb3) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 2
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Voice - T1598.004 (6a5d222a-a7e0-4656-b110-782c33098289) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Password Managers - T1555.005 (315f51f0-6b03-4c1e-bfb2-84740afb8e21) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) Attack Pattern 2
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Confluence - T1213.001 (7ad38ef1-381a-406d-872a-38b136eb5ecc) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
Code Repositories - T1593.003 (70910fbd-58dc-4c1c-8c48-814d11fcd022) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Cloud Roles - T1098.003 (2dbbdcd5-92cf-44c0-aea2-fe24783a6bc3) Attack Pattern 2
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern 2
Sharepoint - T1213.002 (0c4b4fda-9062-47da-98b9-ceae2dcf052a) Attack Pattern Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3