Scattered Spider

MITRE Techniques

• [T1589] Gather Victim Identity Information – Scattered Spider gathers usernames, passwords, and PII for targeted organizations.
• [T1598] Phishing for Information – Poses as IT/helpdesk staff via calls and SMS to obtain credentials and access.
• [T1660] Phishing (Mobile) – Uses smishing attacks targeting organizations via SMS.
• [T1566.004] Phishing: Spearphishing Voice – Conducts voice calls to convince helpdesk personnel to reset passwords or MFA tokens.
• [T1199] Trusted Relationship – Abuses trusted contracted IT helpdesk relationships to gain access.
• [T1078.002] Valid Accounts: Domain Accounts – Uses valid domain accounts for initial access and persistence.
• [T1204] User Execution – Directs employees to run remote access tools for network access.
• [TA0003] Persistence – Maintains network presence using remote monitoring and management (RMM) tools and account creation.
• [T1136] Create Account – Creates new user accounts to sustain persistence on networks.
• [T1556.006] Modify Authentication Process: Multi-Factor Authentication – Registers or modifies MFA tokens to maintain access.
• [TA0004] Privilege Escalation – Escalates privileges on compromised networks.
• [T1484.002] Domain Policy Modification: Domain Trust Modification – Adds federated identity providers to SSO environments.
• [T1578.002] Modify Cloud Compute Infrastructure: Create Cloud Instance – Creates cloud instances for lateral movement.
• [T1656] Impersonation – Poses as IT staff to manipulate employees and gain credentials.
• [TA0006] Credential Access – Utilizes tools such as Raccoon Stealer to obtain credentials.
• [T1606] Forge Web Credentials – Forges MFA tokens to bypass authentication.
• [T1621] Multi-Factor Authentication Request Generation – Uses repeated MFA prompts to cause users to approve requests.
• [T1552.001] Unsecured Credentials: Credentials in Files – Searches for stored credentials on systems.
• [T1552.004] Unsecured Credentials: Private Keys – Searches for stored private keys on systems.
• [T1451] SIM Swap – Conducts SIM swap attacks to intercept MFA codes and credentials.
• [TA0007] Discovery – Searches for SharePoint, credential documentation, VMware, backups, and enumerates Active Directory.
• [T1217] Browser Information Discovery – Obtains browser history via stealer malware.
• [T1538] Cloud Service Dashboard – Uses AWS Systems Manager Inventory for target discovery.
• [T1083] File and Directory Discovery – Searches files and directories for sensitive data.
• [T1018] Remote System Discovery – Locates remote infrastructure components.
• [T1539] Steal Web Session Cookie – Collects browser cookies for session hijacking.
• [TA0008] Lateral Movement – Moves laterally across networks and cloud instances.
• [T1021.007] Remote Services: Cloud Services – Uses pre-existing cloud services for lateral movement.
• [T1213.003] Data from Information Repositories: Code Repositories – Extracts code repository data.
• [T1213.002] Data from Information Repositories: SharePoint – Exfiltrates SharePoint data.
• [T1074] Data Staged – Stages collected data centrally prior to exfiltration.
• [T1114] Email Collection – Searches emails for detection of intrusion or security response information.
• [T1530] Data from Cloud Storage – Exfiltrates data stored in cloud environments.
• [T1219] Remote Access Software – Uses commercial remote access tools for command and control.
• [T1090] Proxy – Utilizes proxy networks to mask malicious traffic sources.
• [TA0010] Exfiltration – Exfiltrates stolen data to cloud services and other sites.
• [T1567] Exfiltration Over Web Service – Uses platforms like Snowflake for data exfiltration.
• [T1486] Data Encrypted for Impact – Encrypts systems and demands ransom, including VMware ESXi servers.
• [T1567.002] Exfiltration Over Web Service: Exfiltration to Cloud Storage – Exfiltrates data to U.S.-based data centers and MEGA.NZ.
• [T1657] Financial Theft – Monetizes network access through data theft and extortion-enabled ransomware.