
Scattered Spider

Scattered Spider is a native English-speaking cybercriminal group that has been active since at least 2022.(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023) The group initially targeted customer relationship management and business-process outsourcing (BPO) firms as well as telecommunications and technology companies. Beginning in 2023, Scattered Spider expanded its operations to compromise victims in the gaming, hospitality, retail, MSP, manufacturing, and financial sectors.(Citation: MSTIC Octo Tempest Operations October 2023) During campaigns, Scattered Spider has leveraged targeted social-engineering techniques, attempted to bypass popular endpoint security tools, and more recently, deployed ransomware for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: CrowdStrike Scattered Spider Profile)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Crowdstrike TELCO BPO Campaign December 2022)
ID: G1015
Associated Groups: Roasted 0ktapus, Octo Tempest, Storm-0875
Created: 05 Jul 2023
Last Modified: 04 Apr 2024

Associated Group Descriptions

Name Description
Roasted 0ktapus (Citation: CrowdStrike Scattered Spider BYOVD January 2023)
Octo Tempest (Citation: Microsoft Threat Actor Naming July 2023)
Storm-0875 (Citation: Microsoft Threat Actor Naming July 2023)

Techniques Used

Domain ID Name Use
Enterprise T1087 .002 Account Discovery: Domain Account

Scattered Spider leverages legitimate domain accounts to gain access to the target environment.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1098 .003 Account Manipulation: Additional Cloud Roles

During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1213 .003 Data from Information Repositories: Code Repositories

Scattered Spider enumerates data stored within victim code repositories, such as internal GitHub repositories.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1213 .005 Data from Information Repositories: Messaging Applications

Scattered Spider threat actors search the victim’s Slack and Microsoft Teams for conversations about the intrusion and incident response.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1484 .002 Domain or Tenant Policy Modification: Trust Modification

Scattered Spider adds a federated identity provider to the victim’s SSO tenant and activates automatic account linking.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1567 .002 Exfiltration Over Web Service: Exfiltration to Cloud Storage

Scattered Spider has exfiltrated victim data to the MEGA file sharing site.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1564 .008 Hide Artifacts: Email Hiding Rules

Scattered Spider creates inbound rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1556 .006 Modify Authentication Process: Multi-Factor Authentication

After compromising user accounts, Scattered Spider registers its own MFA tokens on them.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1556 .009 Modify Authentication Process: Conditional Access Policies

Scattered Spider has added additional trusted locations to Azure AD conditional access policies.(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1578 .002 Modify Cloud Compute Infrastructure: Create Cloud Instance

During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1003 .003 OS Credential Dumping: NTDS

Scattered Spider has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain controller disks.(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1598 .004 Phishing for Information: Spearphishing Voice

During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.(Citation: MSTIC Octo Tempest Operations October 2023)

Enterprise T1021 .007 Remote Services: Cloud Services

During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022) Scattered Spider has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1553 .002 Subvert Trust Controls: Code Signing

Scattered Spider has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Scattered Spider searches for credential storage documentation on a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)

Enterprise T1552 .004 Unsecured Credentials: Private Keys

Scattered Spider enumerates and exfiltrates code-signing certificates from a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)

Software

ID Name References Techniques
S0508 ngrok (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Cyware Ngrok May 2019) (Citation: FireEye Maze May 2020) (Citation: MalwareBytes LazyScripter Feb 2021) (Citation: Zdnet Ngrok September 2018) Proxy, Exfiltration Over Web Service, Domain Generation Algorithms, Web Service, Protocol Tunneling
S1068 BlackCat (Citation: ACSC BlackCat Apr 2022) (Citation: ALPHV) (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Microsoft BlackCat Jun 2022) (Citation: MSTIC Octo Tempest Operations October 2023) (Citation: Noberus) (Citation: Sophos BlackCat Jul 2022) Lateral Tool Transfer, Remote System Discovery, Data Encrypted for Impact, Service Stop, System Information Discovery, Bypass User Account Control, Domain Account, Modify Registry, Domain Groups, Clear Windows Event Logs, Windows Management Instrumentation, Network Share Discovery, Windows File and Directory Permissions Modification, Internal Defacement, Disk Content Wipe, Windows Command Shell, File and Directory Discovery, System Owner/User Discovery, Inhibit System Recovery, Access Token Manipulation
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Deply Mimikatz) (Citation: MSTIC Octo Tempest Operations October 2023) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets
S0349 LaZagne (Citation: GitHub LaZagne Dec 2018) (Citation: GitHub LaZange Dec 2018) (Citation: MSTIC Octo Tempest Operations October 2023) Credentials In Files, Windows Credential Manager, LSA Secrets, /etc/passwd and /etc/shadow, Credentials from Web Browsers, LSASS Memory, Cached Domain Credentials, Credentials from Password Stores, Keychain, Proc Filesystem
S0670 WarzoneRAT (Citation: Ave Maria) (Citation: Check Point Warzone Feb 2020) (Citation: CISA Scattered Spider Advisory November 2023) (Citation: Uptycs Warzone UAC Bypass November 2020) Process Discovery, Keylogging, Registry Run Keys / Startup Folder, Malicious File, Exfiltration Over C2 Channel, Credentials from Web Browsers, Bypass User Account Control, Data from Local System, Ingress Tool Transfer, System Information Discovery, Proxy, Symmetric Cryptography, Remote Desktop Protocol, Modify Registry, Disable or Modify Tools, Component Object Model Hijacking, Hide Artifacts, Spearphishing Attachment, Deobfuscate/Decode Files or Information, PowerShell, Native API, Video Capture, Hidden Window, Process Injection, Windows Command Shell, VNC, Template Injection, Non-Application Layer Protocol, File and Directory Discovery, Rootkit
