Scattered Spider
Scattered Spider, Roasted 0ktapus, Octo Tempest, Storm-0875, UNC3944
[Scattered Spider](https://attack.mitre.org/groups/G1015) is a native English-speaking cybercriminal group active since at least 2022. (Citation: CrowdStrike Scattered Spider Profile) (Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management (CRM) providers, business process outsourcing (BPO) firms, and telecommunications and technology companies before expanding in 2023 to gaming, hospitality, retail, managed service provider (MSP), manufacturing, and financial sectors. (Citation: MSTIC Octo Tempest Operations October 2023) [Scattered...
- Techniques: 66
- Covered: 62
- Gaps: 4
- Coverage: 94% (62/66)
GAPS (4)
COVERED (62)
| Technique | Name | Det. |
|---|---|---|
| T1003.003 | NTDS | 36 |
| T1006 | Direct Volume Access | 8 |
| T1016 | System Network Configuration Discovery | 39 |
| T1018 | Remote System Discovery | 50 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.004 | SSH | 34 |
| T1021.007 | Cloud Services | 12 |
| T1041 | Exfiltration Over C2 Channel | 31 |
| T1059.001 | PowerShell | 368 |
| T1059.004 | Unix Shell | 155 |
| T1068 | Exploitation for Privilege Escalation | 99 |
| T1069 | Permission Groups Discovery | 31 |
| T1069.002 | Domain Groups | 44 |
| T1070.008 | Clear Mailbox Data | 10 |
| T1074 | Data Staged | 12 |
| T1078 | Valid Accounts | 280 |
| T1078.004 | Cloud Accounts | 167 |
| T1082 | System Information Discovery | 86 |
| T1083 | File and Directory Discovery | 48 |
| T1087 | Account Discovery | 50 |
| T1087.002 | Domain Account | 57 |
| T1090 | Proxy | 46 |
| T1098 | Account Manipulation | 213 |
| T1098.003 | Additional Cloud Roles | 53 |
| T1105 | Ingress Tool Transfer | 183 |
| T1114 | Email Collection | 18 |
| T1114.003 | Email Forwarding Rule | 15 |
| T1133 | External Remote Services | 72 |
| T1136 | Create Account | 38 |
| T1204 | User Execution | 85 |
| T1213.003 | Code Repositories | 9 |
| T1217 | Browser Information Discovery | 4 |
| T1219.002 | Remote Desktop Software | 50 |
| T1484.002 | Trust Modification | 14 |
| T1486 | Data Encrypted for Impact | 360 |
| T1490 | Inhibit System Recovery | 59 |
| T1530 | Data from Cloud Storage | 32 |
| T1538 | Cloud Service Dashboard | 2 |
| T1539 | Steal Web Session Cookie | 15 |
| T1543.002 | Systemd Service | 12 |
| T1552.001 | Credentials In Files | 61 |
| T1552.004 | Private Keys | 22 |
| T1553.002 | Code Signing | 3 |
| T1555.005 | Password Managers | 4 |
| T1556.006 | Multi-Factor Authentication | 25 |
| T1556.009 | Conditional Access Policies | 4 |
| T1562.001 | Disable or Modify Tools | 311 |
| T1564.008 | Email Hiding Rules | 9 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1572 | Protocol Tunneling | 56 |
| T1578.002 | Create Cloud Instance | 4 |
| T1580 | Cloud Infrastructure Discovery | 26 |
| T1583.001 | Domains | 61 |
| T1588.001 | Malware | 2 |
| T1588.002 | Tool | 13 |
| T1589 | Gather Victim Identity Information | 1 |
| T1598 | Phishing for Information | 902 |
| T1598.003 | Spearphishing Link | 285 |
| T1621 | Multi-Factor Authentication Request Generation | 23 |
| T1656 | Impersonation | 184 |
| T1657 | Financial Theft | 14 |
| T1685 | Disable or Modify Tools | 278 |