{
	"id": "d94c8bba-7c9e-4814-b638-24d195b9d48b",
	"created_at": "2026-04-06T00:21:42.068462Z",
	"updated_at": "2026-04-10T03:31:49.899699Z",
	"deleted_at": null,
	"sha1_hash": "3d7dddc74fbd9ce1ecd8632df33a8c2574b8a8a8",
	"title": "Response to CISA Advisory (AA23-320A): Scattered Spider",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 69055,
	"plain_text": "Response to CISA Advisory (AA23-320A): Scattered Spider\r\nBy Francis Guibernau\r\nPublished: 2023-11-21 · Archived: 2026-04-02 12:07:56 UTC\r\nOn November 16, 2023, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure\r\nSecurity Agency (CISA) released a joint Cybersecurity Advisory (CSA) detailing the identification of Indicators\r\nof Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), and detection methods associated with\r\nScattered Spider identified through FBI investigations as recent as November 2023.\r\nScattered Spider is an eCrime adversary that has been active since at least May 2022, known for conducting social\r\nengineering campaigns against Business-Process Outsourcing (BPO) organizations, as well as the\r\nTelecommunications and Technology sectors.\r\nThe adversary employs phishing websites, SMS phishing, and social engineering attacks to gather authentication\r\ncredentials such as One-Time-Password (OTP) codes. To bypass Multi-Factor Authentication (MFA), Scattered\r\nSpider overwhelms targets by using MFA notification fatigue or resorts to SIM swapping attacks.\r\nOnce access has been achieved, Scattered Spider opts to use legitimate Remote Management tools instead of\r\ncustom malware to ensure persistent access. Since April 2023, the adversary has been leading extortion campaigns\r\nduring which they use BlackCat/ALPHV Ransomware-as-a-Service (RaaS) to encrypt the victim’s data and\r\ndemand the payment of a ransom to prevent the captured data from being resold or published.\r\nAttackIQ has released a new assessment template that emulates the observed capabilities of Scattered Spider\r\nduring a series of activities recorded as recently as November 2023 with the goal of helping customers validate\r\ntheir security controls and their ability to defend against this sophisticated threat.\r\nValidating your security program performance against these behaviors is vital to reducing risk. 
By using this new\r\nassessment template in the AttackIQ Security Optimization Platform, security teams will be able to:\r\nEvaluate security control performance against a threat known for targeting commercial facilities sectors\r\nworldwide.\r\nAssess their security posture against activities primarily focused on encryption and exfiltration of\r\nproprietary information.\r\nContinuously validate detection and prevention pipelines against behaviors similar to those of many other\r\nadversaries focused on ransomware activities.\r\n[CISA AA23-320A] Scattered Spider\r\nThis assessment template emulates the different Tactics, Techniques and Procedures (TTPs) employed by\r\nScattered Spider within a Microsoft Windows environment. A combination of behaviors and malware samples is\r\nused to reproduce the behaviors that the adversary has exhibited.\r\nhttps://www.attackiq.com/2023/11/21/attack-graph-response-to-cisa-advisory-aa23-320a/\r\nPage 1 of 4\n\nThe template is divided by Tactics, and these group the Techniques and Implementations used by Scattered Spider\r\nat each stage of their attacks.\r\n1. Execution: Consists of techniques that result in adversary-controlled code running on a local or remote\r\nsystem. Techniques that run malicious code are often paired with techniques from all other tactics to\r\nachieve broader goals, such as exploring a network or stealing data.\r\nNative API (T1106): Provides a controlled means of calling low-level OS services within the kernel, such\r\nas listing processes.\r\n2. Persistence: Techniques that adversaries use to keep access to systems across restarts, changed credentials,\r\nand other interruptions that could cut off their access.\r\nScheduled Task/Job: Scheduled Task (T1053.005): This scenario creates a new scheduled task using the\r\nschtasks utility.\r\n3. 
Defense Evasion: Techniques adversaries use to avoid detection throughout their compromise.\r\nAccess Token Manipulation (T1134): This scenario lists active access tokens that could be impersonated\r\nby another process. This method is commonly used to escalate privileges.\r\nSubvert Trust Controls: Code Signing (T1553.002): This scenario executes a self-signed binary in order\r\nto bypass security policies that require signed code to execute on a system.\r\nImpair Defenses: Disable or Modify System Firewall (T1562.004): This scenario temporarily disables\r\nthe Windows Firewall using the netsh advfirewall utility. By disabling the Firewall, the adversary can\r\nopen up previously blocked incoming or outgoing network connections that could allow for remote access.\r\nImpair Defenses: Disable or Modify System Firewall (T1562.004): This scenario temporarily disables\r\nthe Windows Firewall by setting the EnableFirewall registry value to 0 under the DomainProfile,\r\nStandardProfile and PublicProfile keys within\r\nHKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\ and\r\nHKLM\\SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\\r\n4. Credential Access: Consists of techniques for stealing credentials like account names and passwords.\r\nOS Credential Dumping: LSASS Memory (T1003.001): LSASS memory is dumped to disk by creating\r\na minidump of the lsass.exe process. This process is used for enforcing security policy on the system\r\nand contains many privileged tokens and accounts that are targeted by threat actors. Mimikatz is then\r\nused to dump the credentials from that minidump file.\r\n5. Discovery: The adversary may use these techniques to gain knowledge about the initially infected system\r\nand internal network. 
These techniques help adversaries observe the environment and orient themselves\r\nbefore deciding how to act.\r\nFile and Directory Discovery (T1083): A batch script is executed that lists all files and directories in\r\n%ProgramFiles% and the %systemdrive%\\Users directory.\r\nAccount Discovery: Domain Account (T1087.002): The system command net group is used to list\r\nDomain and Enterprise Admins accounts.\r\nRemote System Discovery (T1018): This scenario executes the net view command to gather additional\r\nhosts available to the infected asset.\r\nRemote System Discovery (T1018): This scenario executes the nltest command to gather a list of\r\ndomain controllers associated with a domain.\r\nSystem Owner/User Discovery (T1033): The native whoami command is called to receive details of the\r\nrunning user account.\r\n6. Lateral Movement: Consists of the techniques adversaries use to enter and control remote systems on a\r\nnetwork. Following through on their primary objective often requires exploring the network to find their\r\ntarget and subsequently gaining access to it.\r\nRemote Services: Remote Desktop Protocol (T1021.001): Remote Desktop is the built-in remote access\r\nutility used by Windows. This scenario attempts to remotely connect to another accessible asset with stolen\r\ncredentials.\r\n7. Collection: The adversary may use these techniques to gather information, and to identify the sources it\r\nis collected from, that are relevant to following through on the adversary’s objectives.\r\nClipboard Data (T1115): This scenario will use the native PowerShell Get-Clipboard cmdlet to retrieve\r\ndata stored in the clipboard.\r\n8. 
Command and Control: Techniques that adversaries may use to communicate with systems under their\r\ncontrol within a victim network.\r\nIngress Tool Transfer (T1105): In two independent scenarios, a known malicious BlackCat/ALPHV ransomware\r\nsample is downloaded to memory and saved to disk, to test network and endpoint controls and their ability to\r\nprevent its delivery.\r\n9. Impact: Techniques that adversaries use to disrupt availability or compromise integrity by manipulating\r\nbusiness and operational processes.\r\nData Encrypted for Impact (T1486): AttackIQ has replicated the functionality used by the\r\nBlackCat/ALPHV ransomware to encrypt files on the targeted hosts. This includes the common file\r\nextensions and encryption methods utilized by the actor.\r\nDetection and Mitigation Opportunities\r\nGiven the number of different techniques being utilized by this threat, it can be difficult to know which to\r\nprioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following\r\ntechniques emulated in our scenarios before moving on to the remaining techniques.\r\n1. Review CISA’s Patching and Detection Recommendations:\r\nCISA has provided a significant number of recommendations for the best ways to defend yourself from these and\r\nsimilar attacks. AttackIQ strongly recommends reviewing the detection and mitigation recommendations with the\r\ngoal of adapting them to your environment first to determine if you have any existing impact before reviewing the\r\nassessment results.\r\n2. Scheduled Task/Job: Scheduled Task (T1053.005)\r\nAdversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution\r\nof malicious code. There are multiple ways to access the Task Scheduler in Windows. 
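As an added example, not code from AttackIQ or the original post, the following Python implements the scheduled-task rule from the 2a query below together with the EnableFirewall registry change described in the Defense Evasion section above, and runs both over constructed Sysmon-style events. The field names (Image, ParentImage, CommandLine, TargetObject, Details) are Sysmon's; the events themselves are made up for the example, and Process Name in the query is taken to mean either the shell that issued the command or the parent of schtasks.exe. It deliberately goes one step beyond the query by testing the /TR action for cmd or powershell rather than the whole command line.

```python
import re
import shlex

# Added example, not AttackIQ code: two of this page's detections evaluated
# against constructed Sysmon-style events. Event ID 1 covers schtasks /CREATE
# issued from cmd.exe or powershell.exe with a shell as the /TR action
# (T1053.005); Event ID 13 covers EnableFirewall set to 0 (T1562.004).
BS = chr(92)   # backslash, built with chr() so the sample needs no escape sequences
DQ = chr(34)   # double quote, same reason

FIREWALL_POLICY_ROOTS = (
    BS.join(['HKLM', 'SYSTEM', 'CurrentControlSet', 'Services', 'SharedAccess',
             'Parameters', 'FirewallPolicy']),
    BS.join(['HKLM', 'SOFTWARE', 'Policies', 'Microsoft', 'WindowsFirewall']),
)
FIREWALL_PROFILES = ('DomainProfile', 'StandardProfile', 'PublicProfile')
SHELL_IMAGES = ('cmd.exe', 'powershell.exe')
SHELL_ACTIONS = ('cmd', 'cmd.exe', 'powershell', 'powershell.exe')
DWORD_RE = re.compile(r'DWORD [(](0x[0-9a-f]+)[)]', re.IGNORECASE)

def basename(path):
    return path.replace('/', BS).rsplit(BS, 1)[-1].lower()

def scheduled_action(command_line):
    # Program named by /TR (what the task will run); None if there is no /TR.
    # posix=False keeps Windows quoting intact and leaves backslashes alone.
    try:
        tokens = shlex.split(command_line, posix=False)
    except ValueError:
        tokens = command_line.split()
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == '/tr':
            words = tokens[i + 1].strip(DQ).split()
            return words[0] if words else ''
    return None

def is_suspicious_schtasks(event):
    # Same shape as the page's rule, but the cmd/powershell test is applied to
    # the /TR action instead of the whole command line, which would otherwise
    # match on the issuing shell's own path.
    cmd = event.get('CommandLine', '')
    low = cmd.lower()
    if event.get('EventID') != 1 or 'schtasks' not in low or '/create' not in low:
        return False
    images = (basename(event.get('Image', '')), basename(event.get('ParentImage', '')))
    if not any(img in SHELL_IMAGES for img in images):
        return False
    action = scheduled_action(cmd)
    return action is not None and basename(action) in SHELL_ACTIONS

def dword_value(details):
    # Sysmon renders a REG_DWORD as DWORD (0x00000000); return it as an int.
    m = DWORD_RE.search(details or '')
    return int(m.group(1), 16) if m else None

def is_firewall_disabled_via_registry(event):
    parts = event.get('TargetObject', '').split(BS)
    if event.get('EventID') != 13 or len(parts) < 3 or parts[-1].lower() != 'enablefirewall':
        return False
    root = BS.join(parts[:-2]).lower()
    if root not in tuple(r.lower() for r in FIREWALL_POLICY_ROOTS):
        return False
    return parts[-2] in FIREWALL_PROFILES and dword_value(event.get('Details')) == 0

def triage(events):
    # (index, label) for every event that matches one of the two rules.
    hits = []
    for i, ev in enumerate(events):
        if is_suspicious_schtasks(ev):
            hits.append((i, 'T1053.005 schtasks /CREATE with a shell as the action'))
        elif is_firewall_disabled_via_registry(ev):
            hits.append((i, 'T1562.004 EnableFirewall set to 0'))
    return hits

SAMPLE_EVENTS = [  # constructed, not captured telemetry
    {'EventID': 1,   # benign: backup task whose action is an ordinary program
     'Image': BS.join(['C:', 'Windows', 'System32', 'cmd.exe']),
     'ParentImage': BS.join(['C:', 'Windows', 'explorer.exe']),
     'CommandLine': 'cmd.exe /c schtasks /create /sc daily /tn NightlyBackup /tr '
                    + DQ + BS.join(['C:', 'Tools', 'backup.exe']) + ' --full' + DQ},
    {'EventID': 1,   # persistence: hidden PowerShell every five minutes as SYSTEM
     'Image': BS.join(['C:', 'Windows', 'System32', 'schtasks.exe']),
     'ParentImage': BS.join(['C:', 'Windows', 'System32', 'WindowsPowerShell',
                             'v1.0', 'powershell.exe']),
     'CommandLine': 'schtasks /create /sc minute /mo 5 /tn Updater /tr ' + DQ
                    + 'powershell -nop -w hidden -File '
                    + BS.join(['C:', 'Users', 'Public', 'u.ps1']) + DQ + ' /ru SYSTEM'},
    {'EventID': 13,  # firewall disabled for the domain profile via the policy key
     'TargetObject': BS.join([FIREWALL_POLICY_ROOTS[0], 'DomainProfile', 'EnableFirewall']),
     'Details': 'DWORD (0x00000000)'},
    {'EventID': 13,  # same value written back to 1: not a hit
     'TargetObject': BS.join([FIREWALL_POLICY_ROOTS[1], 'PublicProfile', 'EnableFirewall']),
     'Details': 'DWORD (0x00000001)'},
]

if __name__ == '__main__':
    for index, label in triage(SAMPLE_EVENTS):
        print(index, label)
```

Run directly, the benign backup task is not reported, while the hidden PowerShell task and the DomainProfile EnableFirewall change are. The same two predicates can be pointed at real Sysmon events once the XML EventData has been flattened into a dict with those field names.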
The schtasks utility can be\r\nrun directly from the command line, or the Task Scheduler can be opened through the GUI within the\r\nAdministrative Tools section of the Control Panel.\r\n2a. Detection\r\nWith an EDR or SIEM platform, you can detect the following commands being issued to schedule a malicious\r\ntask:\r\nProcess Name = (“cmd.exe” OR “Powershell.exe”)\r\nCommand Line CONTAINS (“schtasks” AND “/CREATE” AND (“cmd” OR “powershell”))\r\nNote that the command line of a process started by cmd.exe or powershell.exe normally contains the shell’s own\r\nname, so the last clause is more precise when applied to the task action (the /TR argument) rather than to the\r\nfull command line.\r\n2b. Mitigation\r\nMITRE ATT\u0026CK has the following mitigation recommendations for Scheduled Task:\r\nM1047 – Audit\r\nM1028 – Operating System Configuration\r\nM1026 – Privileged Account Management\r\nM1018 – User Account Management\r\nWrap-up\r\nIn summary, this assessment template will evaluate security and incident response processes and support the\r\nimprovement of your security control posture against the activities carried out by Scattered Spider. With data\r\ngenerated from continuous testing and use of this assessment template, you can focus your teams on achieving key\r\nsecurity outcomes, adjust your security controls, and work to elevate your total security program effectiveness\r\nagainst a known and dangerous threat.\r\nAttackIQ offers a comprehensive Breach and Attack Simulation Platform to assist security teams. This includes\r\nAttackIQ Flex, a tailored pay-as-you-go service; AttackIQ Ready!, a fully managed service for continuous\r\nsecurity optimization; and AttackIQ Enterprise, a co-managed service offering enhanced support. These services\r\nensure your team maintains a robust security posture.\r\nSource: https://www.attackiq.com/2023/11/21/attack-graph-response-to-cisa-advisory-aa23-320a/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://www.attackiq.com/2023/11/21/attack-graph-response-to-cisa-advisory-aa23-320a/"
	],
	"report_names": [
		"attack-graph-response-to-cisa-advisory-aa23-320a"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434902,
	"ts_updated_at": 1775791909,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3d7dddc74fbd9ce1ecd8632df33a8c2574b8a8a8.pdf",
		"text": "https://archive.orkl.eu/3d7dddc74fbd9ce1ecd8632df33a8c2574b8a8a8.txt",
		"img": "https://archive.orkl.eu/3d7dddc74fbd9ce1ecd8632df33a8c2574b8a8a8.jpg"
	}
}