Permiso Demo


Multi-Plane Alert Details

Signature: LUCR3 - Multiple TTPs (P0_LUCR3_MULTIPLE_TTPS)

Time: 2023-11-09 02:21:14

Severity: 9.0 (Critical)

Environment:

Description

Multiple TTPs related to LUCR-3 have been found in your environment, sourcing from two (2) identities (jean-luc picard, harry):

  • MFA Default Method Downgraded
  • Weak Authentication Method Registered
  • Sensitive Search Query Performed
  • CloudTrail Trail Stopped
  • EC2 SSH with Root
  • SecretsManager Harvesting
  • AWS Access Key Created
  • S3 Browser Usage
  • GitHub Bulk Repository Download

Who is LUCR-3?

LUCR-3 (Scattered Spider) is a financially motivated threat actor that specializes in abusing Identity Providers (IdPs) for initial access, with the goal of stealing Intellectual Property (IP) for extortion. Read more about the group.


MITRE Tactics

Initial Access, Persistence, Credential Access, Lateral Movement, Privilege Escalation, Defense Evasion, Exfiltration

MITRE Techniques

T1048, T1078.004, T1136.003, T1562.008, T1021.004, T1556, T1098

Summary

Identities: 3
Credentials: 1
Secrets: 1
Resources: 1
Alerts: 10
Sessions: 18
Environments: 3
Duration: 11h 5m 19s

Inventory

Entities related to this multi-plane alert

Timeline

2023-11-08 15:21:14  Entra ID - User MFA Default Method Downgraded
2023-11-08 15:21:14  Entra ID - Weak Auth Method Registered
2023-11-09 01:43:32  Human Identity Created Access Key
2023-11-09 01:43:32  SecretsManager Harvesting from Cloudshell
2023-11-09 01:43:32  EC2 - SSH with Root Username
2023-11-09 01:43:32  CloudTrail Trail Stopped
2023-11-09 02:19:51  S3 Browser User Agent Activity
2023-11-09 02:21:14  S3 Browser User Agent Activity
2023-11-09 02:26:32  GH: Bulk Repository Download

2023-11-08 15:21:14  jeanluc@permisodemo.com
2023-11-09 02:19:51  Harry

Permiso Security Palo Alto, CA