| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1087 | Account Discovery | - |
| enterprise | T1087.003 | Email Account | During C0027, Scattered Spider accessed Azure AD to identify email addresses. |
| enterprise | T1087.004 | Cloud Account | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with their email addresses and AD attributes. |
| enterprise | T1098 | Account Manipulation | - |
| enterprise | T1098.001 | Additional Cloud Credentials | During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential was compromised and to enable pivoting from the AWS CLI to console sessions without MFA. |
| enterprise | T1098.003 | Additional Cloud Roles | During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges. |
| enterprise | T1098.005 | Device Registration | During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN. |
| enterprise | T1530 | Data from Cloud Storage | During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. |
| enterprise | T1213 | Data from Information Repositories | - |
| enterprise | T1213.002 | Sharepoint | During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides. |
| enterprise | T1190 | Exploit Public-Facing Application | During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access. |
| enterprise | T1133 | External Remote Services | During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments. |
| enterprise | T1589 | Gather Victim Identity Information | - |
| enterprise | T1589.001 | Credentials | During C0027, Scattered Spider sent phishing messages via SMS to steal credentials. |
| enterprise | T1656 | Impersonation | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages, either to direct victims to a credential-harvesting site or to get victims to run commercial remote monitoring and management (RMM) tools. |
| enterprise | T1105 | Ingress Tool Transfer | During C0027, Scattered Spider downloaded tools using victim organization systems. |
| enterprise | T1578 | Modify Cloud Compute Infrastructure | - |
| enterprise | T1578.002 | Create Cloud Instance | During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs. |
| enterprise | T1621 | Multi-Factor Authentication Request Generation | During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge. |
| enterprise | T1046 | Network Service Discovery | During C0027, Scattered Spider used RustScan to scan for open ports on targeted ESXi appliances. |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | During C0027, Scattered Spider obtained and used multiple tools, including the LINpeas privilege escalation utility, aws_consoler, the rsocx reverse proxy, the Level RMM tool, and the RustScan port scanner. |
| enterprise | T1003 | OS Credential Dumping | - |
| enterprise | T1003.006 | DCSync | During C0027, Scattered Spider performed domain replication. |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.003 | Cloud Groups | During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes. |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.004 | Spearphishing Voice | During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system. |
| enterprise | T1598 | Phishing for Information | - |
| enterprise | T1598.001 | Spearphishing Service | During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials. |
| enterprise | T1598.004 | Spearphishing Voice | During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites. |
| enterprise | T1572 | Protocol Tunneling | During C0027, Scattered Spider used SSH tunneling in targeted environments. |
| enterprise | T1090 | Proxy | During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance. |
| enterprise | T1219 | Remote Access Tools | - |
| enterprise | T1219.002 | Remote Desktop Software | During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools. |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.007 | Cloud Services | During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems. |
| enterprise | T1078 | Valid Accounts | - |
| enterprise | T1078.004 | Cloud Accounts | During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants. |
| enterprise | T1102 | Web Service | During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee. |
| enterprise | T1047 | Windows Management Instrumentation | During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket. |