Created
February 21, 2024 17:12
-
-
Save SyCode7/235fa9288e05e1c0b6ff16026a522a3a to your computer and use it in GitHub Desktop.
scattered_spider threat group
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| { | |
| "name": "Scattered Spider (G1015)", | |
| "versions": { | |
| "attack": "14", | |
| "navigator": "4.9.1", | |
| "layer": "4.5" | |
| }, | |
| "domain": "enterprise-attack", | |
| "description": "Enterprise techniques used by Scattered Spider, ATT&CK group G1015 (v1.0)", | |
| "filters": { | |
| "platforms": [ | |
| "IaaS" | |
| ] | |
| }, | |
| "sorting": 2, | |
| "layout": { | |
| "layout": "side", | |
| "aggregateFunction": "average", | |
| "showID": false, | |
| "showName": true, | |
| "showAggregateScores": false, | |
| "countUnscored": false, | |
| "expandedSubtechniques": "none" | |
| }, | |
| "hideDisabled": false, | |
| "techniques": [ | |
| { | |
| "techniqueID": "T1087.003", | |
| "tactic": "discovery", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1087.004", | |
| "tactic": "discovery", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.001", | |
| "tactic": "persistence", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.001", | |
| "tactic": "privilege-escalation", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.003", | |
| "tactic": "persistence", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.003", | |
| "tactic": "privilege-escalation", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.005", | |
| "tactic": "persistence", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) registered devices for MFA to maintain persistence through victims' VPN.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1098.005", | |
| "tactic": "privilege-escalation", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) registered devices for MFA to maintain persistence through victims' VPN.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1530", | |
| "tactic": "collection", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1213.002", | |
| "tactic": "collection", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1190", | |
| "tactic": "initial-access", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1068", | |
| "tactic": "privilege-escalation", | |
| "score": 1, | |
| "color": "#66b1ff", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1133", | |
| "tactic": "persistence", | |
| "score": 1, | |
| "color": "#ff66f4", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged legitimate remote management tools to maintain persistent access.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Citrix and VPNs to persist in compromised environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1133", | |
| "tactic": "initial-access", | |
| "score": 1, | |
| "color": "#ff66f4", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged legitimate remote management tools to maintain persistent access.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Citrix and VPNs to persist in compromised environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1589.001", | |
| "tactic": "reconnaissance", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent phishing messages via SMS to steal credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1656", | |
| "tactic": "defense-evasion", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1105", | |
| "tactic": "command-and-control", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools using victim organization systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1578.002", | |
| "tactic": "defense-evasion", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1621", | |
| "tactic": "credential-access", | |
| "score": 1, | |
| "color": "#ff66f4", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1046", | |
| "tactic": "discovery", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), used RustScan to scan for open ports on targeted ESXi appliances.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1588.002", | |
| "tactic": "resource-development", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1003.006", | |
| "tactic": "credential-access", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) performed domain replication.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1069.003", | |
| "tactic": "discovery", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and their Active Directory attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1566.004", | |
| "tactic": "initial-access", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1598", | |
| "tactic": "reconnaissance", | |
| "score": 1, | |
| "color": "#66b1ff", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used a combination of credential phishing and social engineering to capture one-time-password (OTP) codes.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1598.001", | |
| "tactic": "reconnaissance", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent Telegram messages impersonating IT personnel to harvest credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1598.004", | |
| "tactic": "reconnaissance", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used phone calls to instruct victims to navigate to credential-harvesting websites.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1572", | |
| "tactic": "command-and-control", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used SSH tunneling in targeted environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1090", | |
| "tactic": "command-and-control", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1219", | |
| "tactic": "command-and-control", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) directed victims to run remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1021.007", | |
| "tactic": "lateral-movement", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1553.002", | |
| "tactic": "defense-evasion", | |
| "score": 1, | |
| "color": "#66b1ff", | |
| "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1078.004", | |
| "tactic": "defense-evasion", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1078.004", | |
| "tactic": "persistence", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1078.004", | |
| "tactic": "privilege-escalation", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1078.004", | |
| "tactic": "initial-access", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1102", | |
| "tactic": "command-and-control", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| }, | |
| { | |
| "techniqueID": "T1047", | |
| "tactic": "execution", | |
| "score": 1, | |
| "color": "#ff6666", | |
| "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Windows Management Instrumentation (WMI) to move laterally via [Impacket](https://attack.mitre.org/software/S0357).(Citation: Crowdstrike TELCO BPO Campaign December 2022)", | |
| "enabled": true, | |
| "metadata": [], | |
| "links": [], | |
| "showSubtechniques": false | |
| } | |
| ], | |
| "gradient": { | |
| "colors": [ | |
| "#ffffffff", | |
| "#66b1ffff" | |
| ], | |
| "minValue": 0, | |
| "maxValue": 1 | |
| }, | |
| "legendItems": [ | |
| { | |
| "color": "#66b1ff", | |
| "label": "used by Scattered Spider" | |
| }, | |
| { | |
| "color": "#ff6666", | |
| "label": "used by a campaign attributed to Scattered Spider" | |
| }, | |
| { | |
| "color": "#ff66f4", | |
| "label": "used by Scattered Spider and used by a campaign attributed to Scattered Spider" | |
| } | |
| ], | |
| "metadata": [], | |
| "links": [], | |
| "showTacticRowBackground": false, | |
| "tacticRowBackground": "#dddddd", | |
| "selectTechniquesAcrossTactics": true, | |
| "selectSubtechniquesWithParent": false, | |
| "selectVisibleTechniques": false | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment