Scattered Spider
Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) [Scattered...
64 Techniques, 61 Covered, 3 Gaps, 95% Coverage (61/64)
COVERED (61)
| Technique ID | Name | Detections |
|---|---|---|
| T1003.003 | NTDS | 34 det. |
| T1006 | Direct Volume Access | 8 det. |
| T1016 | System Network Configuration Discovery | 35 det. |
| T1018 | Remote System Discovery | 46 det. |
| T1021.001 | Remote Desktop Protocol | 51 det. |
| T1021.004 | SSH | 31 det. |
| T1021.007 | Cloud Services | 10 det. |
| T1041 | Exfiltration Over C2 Channel | 30 det. |
| T1059.001 | PowerShell | 338 det. |
| T1059.004 | Unix Shell | 149 det. |
| T1068 | Exploitation for Privilege Escalation | 91 det. |
| T1069 | Permission Groups Discovery | 24 det. |
| T1069.002 | Domain Groups | 42 det. |
| T1070.008 | Clear Mailbox Data | 8 det. |
| T1074 | Data Staged | 12 det. |
| T1078 | Valid Accounts | 252 det. |
| T1078.004 | Cloud Accounts | 149 det. |
| T1082 | System Information Discovery | 80 det. |
| T1083 | File and Directory Discovery | 48 det. |
| T1087 | Account Discovery | 40 det. |
| T1087.002 | Domain Account | 55 det. |
| T1090 | Proxy | 44 det. |
| T1098 | Account Manipulation | 186 det. |
| T1098.003 | Additional Cloud Roles | 53 det. |
| T1105 | Ingress Tool Transfer | 170 det. |
| T1114 | Email Collection | 17 det. |
| T1114.003 | Email Forwarding Rule | 10 det. |
| T1133 | External Remote Services | 72 det. |
| T1136 | Create Account | 32 det. |
| T1204 | User Execution | 84 det. |
| T1213.003 | Code Repositories | 9 det. |
| T1217 | Browser Information Discovery | 4 det. |
| T1219.002 | Remote Desktop Software | 48 det. |
| T1484.002 | Trust Modification | 14 det. |
| T1486 | Data Encrypted for Impact | 339 det. |
| T1490 | Inhibit System Recovery | 56 det. |
| T1530 | Data from Cloud Storage | 30 det. |
| T1538 | Cloud Service Dashboard | 2 det. |
| T1539 | Steal Web Session Cookie | 12 det. |
| T1543.002 | Systemd Service | 12 det. |
| T1552.001 | Credentials In Files | 53 det. |
| T1552.004 | Private Keys | 20 det. |
| T1553.002 | Code Signing | 3 det. |
| T1555.005 | Password Managers | 4 det. |
| T1556.006 | Multi-Factor Authentication | 25 det. |
| T1556.009 | Conditional Access Policies | 4 det. |
| T1562.001 | Disable or Modify Tools | 300 det. |
| T1564.008 | Email Hiding Rules | 4 det. |
| T1567.002 | Exfiltration to Cloud Storage | 27 det. |
| T1572 | Protocol Tunneling | 51 det. |
| T1578.002 | Create Cloud Instance | 2 det. |
| T1580 | Cloud Infrastructure Discovery | 24 det. |
| T1583.001 | Domains | 61 det. |
| T1588.001 | Malware | 2 det. |
| T1588.002 | Tool | 13 det. |
| T1589 | Gather Victim Identity Information | 1 det. |
| T1598 | Phishing for Information | 843 det. |
| T1598.003 | Spearphishing Link | 271 det. |
| T1621 | Multi-Factor Authentication Request Generation | 23 det. |
| T1656 | Impersonation | 172 det. |
| T1657 | Financial Theft | 12 det. |