{"description": "Enterprise techniques used by Scattered Spider, ATT&CK group G1015 (v3.0)", "name": "Scattered Spider (G1015)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1087", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has identified vSphere administrator accounts.(Citation: Mandiant VMware vSphere JUL 2025)\n", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1087.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated legitimate domain accounts which are used in the targeted environment.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1087.003", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to identify email addresses.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1087.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has added accounts to the ESX Admins group to grant them full admin rights in vSphere.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1098.001", "comment": "During 
[C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1098.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has assigned user access admin roles in order to gain Tenant Root Group management permissions in Azure.(Citation: MSTIC Octo Tempest Operations October 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used IAM manipulation to gain persistence and to assume or elevate privileges.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1098.005", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) registered devices for MFA to maintain persistence through victims' VPN.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has registered domains to spoof legitimate corporate login portals.(Citation: Check Point Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1217", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser histories via infostealer malware such as Raccoon Stealer.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1580", 
"comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates cloud environments including Amazon Web Services (AWS) S3 buckets to identify server and backup management infrastructure, resource access, databases and storage containers.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1538", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) abused AWS Systems Manager Inventory to identify targets on the compromised network prior to lateral movement.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used the PowerShell cmdlet Get-ADUser.(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used the command shell to upload and install the Teleport remote access tool to a compromised vCenter Server Appliance.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1136", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) creates new user identities within the compromised organization.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has run `SYSTEMD_UNIT_PATH=\"/lib/systemd/system/teleport.service` to establish persistence for the Teleport remote access tool.(Citation: Mandiant 
VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1555", "showSubtechniques": true}, {"techniqueID": "T1555.005", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has searched for credentials in password vaults and Privileged Access Management (PAM) solutions including HashiCorp Vault.(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1486", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used [BlackCat](https://attack.mitre.org/software/S1068) and DragonForce ransomware to encrypt files including on VMWare ESXi servers.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1530", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates data stored in cloud resources for collection and exfiltration purposes.(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1213", "showSubtechniques": true}, {"techniqueID": "T1213.002", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire 
guides.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1213.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates data stored within victim code repositories, such as internal GitHub repositories.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1213.005", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) threat actors search the victim\u2019s Slack and Microsoft Teams for conversations about the intrusion and incident response.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) stages data in a centralized database prior to exfiltration.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1006", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has created volume shadow copies of virtual domain controller disks to extract the `NTDS.dit` file.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1484", "showSubtechniques": true}, {"techniqueID": "T1484.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) adds a federated identity provider to the victim\u2019s SSO tenant and activates automatic account linking.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1114", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) searched the victim\u2019s Microsoft Exchange for emails about the intrusion and incident 
response.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1114.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has redirected emails notifying users of suspicious account activity.(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1585", "showSubtechniques": true}, {"techniqueID": "T1585.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has created matching fake social media profiles to support new accounts created in victim environments.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1041", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has exfiltrated data from compromised VMware vCenter servers through an established C2 channel using the Teleport remote access tool.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1567", "showSubtechniques": true}, {"techniqueID": "T1567.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has exfiltrated victim data to the MEGA file sharing site, SnowFlake, and AWS S3 buckets.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1190", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1068", "comment": "[Scattered 
Spider](https://attack.mitre.org/groups/G1015) has deployed a malicious kernel driver through exploitation of CVE-2015-2291 in the Intel Ethernet diagnostics driver for Windows (iqvw64.sys).(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has leveraged legitimate remote management tools to maintain persistent access.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Citrix and VPNs to persist in compromised environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates a target organization for files and directories of interest, including source code, user provisioning, MFA device registration, network diagrams, and shared credentials in documents or spreadsheets.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1657", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has deployed ransomware on compromised hosts and threatened to leak stolen data for financial gain.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: Trellix Scattered Spider MO August 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1589", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used information from 
previous data breaches to identify employee names to be used in social engineering.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1589.001", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent phishing messages via SMS to steal credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.008", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) creates inbox rules on the compromised email accounts of security personnel to automatically delete emails from vendor security products.(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has uninstalled and disabled security tools.(Citation: Mandiant UNC3944 May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1656", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) utilized social engineering to compel IT help desk personnel to reset passwords and MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: MSTIC Octo Tempest Operations October 2023) [Scattered Spider](https://attack.mitre.org/groups/G1015) has also used Microsoft Teams to pose as internal IT support or help desk personnel.(Citation: Mandiant UNC3944 May 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential-harvesting site or to get victims to run commercial remote 
monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.008", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has manually deleted emails notifying users of suspicious account activity.(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has downloaded the Teleport remote access tool to compromised VMware vCenter Servers.(Citation: Mandiant VMware vSphere JUL 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools using victim organization systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1490", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has stopped the Volume Shadow Copy service on compromised hosts.(Citation: Mandiant UNC3944 May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1556", "showSubtechniques": true}, {"techniqueID": "T1556.006", "comment": "After compromising user accounts, [Scattered Spider](https://attack.mitre.org/groups/G1015) registers their own MFA tokens.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1556.009", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has added additional trusted locations to Azure AD conditional access policies.
(Citation: MSTIC Octo Tempest Operations October 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1578", "showSubtechniques": true}, {"techniqueID": "T1578.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has created Amazon EC2 instances within the victim's environment.(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used access to the victim's Azure tenant to create Azure VMs.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1621", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used multifactor authentication (MFA) fatigue by sending repeated MFA authentication requests to targets.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)(Citation: Check Point Scattered Spider JUL 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) attempted to gain access by continuously sending MFA messages to the victim until they accepted the MFA push challenge.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1046", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used RustScan to scan for open ports on targeted ESXi appliances.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1588", "showSubtechniques": true}, {"techniqueID": "T1588.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has obtained malware to use at multiple stages of operations including information stealers, remote access tools, and ransomware.(Citation: Mandiant UNC3944 May 2025)(Citation: Check Point Scattered Spider 
JUL 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1588.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has obtained tools for use throughout the attack lifecycle to include remote access software, protocol tunneling and proxy tools, exploitation frameworks, and reconnaissance tools.(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1003", "showSubtechniques": true}, {"techniqueID": "T1003.003", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has extracted the `NTDS.dit` file by creating volume shadow copies of virtual domain controller disks.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1003.006", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) performed domain replication.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1069", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated the vSphere Admins and ESX Admins groups in targeted environments.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, 
{"techniqueID": "T1069.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has enumerated Active Directory security groups, including with ADExplorer, ADRecon.ps1, and Get-ADUser.(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1069.003", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) accessed Azure AD to download bulk lists of group members and their Active Directory attributes.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1566", "showSubtechniques": true}, {"techniqueID": "T1566.004", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1598", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used a combination of credential phishing and social engineering to capture one-time password (OTP) codes.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.001", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) sent Telegram messages impersonating IT personnel to harvest credentials.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": true}, {"techniqueID": "T1598.003", "comment": "[Scattered 
Spider](https://attack.mitre.org/groups/G1015) has used domains mirroring corporate login portals to socially engineer victims into providing credentials.(Citation: Check Point Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1598.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used help desk voice-based phishing and also called employees at target organizations and compelled them to navigate to fake login portals using adversary-in-the-middle toolkits.(Citation: MSTIC Octo Tempest Operations October 2023)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Mandiant VMware vSphere JUL 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used phone calls to instruct victims to navigate to credential-harvesting websites.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1572", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has installed protocol-tunneling tools on VMware vCenter and adversary-controlled VMs, including Teleport.sh, Chisel (configured to communicate with trycloudflare[.]com subdomains), MobaXterm, ngrok, Pinggy, and Teleport.(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used SSH tunneling in targeted environments.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1090", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used proxy networks to hamper detection and has installed legitimate proxy tools on VMware vCenter and adversary-controlled VMs.(Citation: CrowdStrike Scattered Spider JUL 
2025)(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": false}, {"techniqueID": "T1219", "showSubtechniques": true}, {"techniqueID": "T1219.002", "comment": "In addition to directing victims to run remote software, [Scattered Spider](https://attack.mitre.org/groups/G1015) members themselves also deploy RMM software including TeamViewer, AnyDesk, LogMeIn, [ngrok](https://attack.mitre.org/software/S0508), and [ConnectWise](https://attack.mitre.org/software/S0591) to establish persistence on the compromised network.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: Trellix Scattered Spider MO August 2023)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)(Citation: Check Point Scattered Spider JUL 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) directed victims to run remote monitoring and management (RMM) tools.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used RDP to enable lateral movement.(Citation: Mandiant UNC3944 May 2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used SSH to move laterally in victim environments and to access the vSphere vCenter Server GUI.(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)\n", "score": 1, "color": "#66b1ff", 
"showSubtechniques": true}, {"techniqueID": "T1021.007", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has also leveraged pre-existing AWS EC2 instances for lateral movement and data collection purposes.(Citation: CISA Scattered Spider Advisory November 2023)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1018", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) can enumerate remote systems, such as VMware vCenter infrastructure.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1539", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) retrieves browser cookies via Raccoon Stealer.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1553", "showSubtechniques": true}, {"techniqueID": "T1553.002", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used self-signed and stolen certificates originally issued to NVIDIA and Global Software LLC.(Citation: CrowdStrike Scattered Spider BYOVD January 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has executed scripts to identify the underlying operating system to ensure it uses the correct installation package for malicious payloads.(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used network 
reconnaissance commands for discovery including `ping` and `nltest`.(Citation: Mandiant UNC3944 May 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) searches for credential storage documentation on a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)(Citation: Mandiant UNC3944 May 2025)(Citation: CrowdStrike Scattered Spider JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) enumerates and exfiltrates code-signing certificates from a compromised host.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has impersonated organization IT and help desk staff to instruct victims to execute commercial remote access tools to gain initial access.(Citation: CISA Scattered Spider Advisory November 2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1078", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used compromised credentials for initial access.(Citation: Mandiant UNC3944 May 2025)(Citation: Mandiant VMware vSphere JUL 2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1078.004", "comment": "[Scattered Spider](https://attack.mitre.org/groups/G1015) has used compromised Microsoft Entra ID accounts to pivot in victim environments.(Citation: CrowdStrike Scattered Spider JUL 2025)\n\nDuring [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) leveraged compromised credentials from victim users to authenticate to Azure tenants.(Citation: Crowdstrike 
TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff66f4", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) downloaded tools from sites including file.io, GitHub, and paste.ee.(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}, {"techniqueID": "T1047", "comment": "During [C0027](https://attack.mitre.org/campaigns/C0027), [Scattered Spider](https://attack.mitre.org/groups/G1015) used Windows Management Instrumentation (WMI) to move laterally via [Impacket](https://attack.mitre.org/software/S0357).(Citation: Crowdstrike TELCO BPO Campaign December 2022)", "score": 1, "color": "#ff6666", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Scattered Spider", "color": "#66b1ff"}, {"label": "used by a campaign attributed to Scattered Spider", "color": "#ff6666"}, {"label": "used by Scattered Spider and used by a campaign attributed to Scattered Spider", "color": "#ff66f4"}]}
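The layer above lists what the group has been observed doing; the practical next step for a detection engineer is to key detection rules by the same techniqueID values and diff them against the layer so gaps are visible. The following Python is an added example appended after the layer, not part of the ATT&CK Navigator layer or any MITRE tooling. It writes four rules for techniques the layer scores (T1098.001 console sessions minted from programmatic AWS credentials without MFA, as aws_consoler enables; T1564.008 inbox rules that delete security-vendor mail; T1556.009 Conditional Access location changes; T1490 stopping the Volume Shadow Copy service), runs them over constructed events, and reports that T1484.002 (adding a federated identity provider) has no rule. The event field names (source, eventName, userIdentityType, mfaUsed, operation, parameters, category, activity, eventId, service, state), the Entra activity string and the embedded layer subset are assumptions: a normalized schema approximating CloudTrail, Exchange Unified Audit Log, Entra ID audit and Windows System log records, not any vendor's verbatim format.

```python
"""Turn an ATT&CK Navigator layer into a detection-coverage check.

Added example, not part of the ATT&CK Navigator layer or any MITRE tooling.
Field names below are an assumed normalized event schema approximating
CloudTrail, Exchange Unified Audit Log, Entra ID audit and Windows System
log records; they are not verbatim vendor formats.
"""
import json
from typing import Callable

# Constructed subset of a Navigator layer, same shape as the full layer.
LAYER_JSON = json.dumps({
    "name": "Scattered Spider (G1015)",
    "techniques": [
        {"techniqueID": "T1098.001", "score": 1},
        {"techniqueID": "T1564.008", "score": 1},
        {"techniqueID": "T1556.009", "score": 1},
        {"techniqueID": "T1484.002", "score": 1},
        {"techniqueID": "T1490", "score": 1},
        {"techniqueID": "T1098", "showSubtechniques": True},  # unscored parent
    ],
})

Rule = Callable[[dict], bool]


def aws_console_without_mfa(e: dict) -> bool:
    """T1098.001 as abused via aws_consoler: a console session minted from
    programmatic (federated) credentials with no MFA prompt."""
    return (e.get("source") == "cloudtrail"
            and e.get("eventName") == "ConsoleLogin"
            and e.get("userIdentityType") == "FederatedUser"
            and e.get("mfaUsed") == "No")


def inbox_rule_deletes_mail(e: dict) -> bool:
    """T1564.008: a newly created inbox rule that silently deletes mail."""
    params = e.get("parameters") or {}
    return (e.get("source") == "exchange"
            and e.get("operation") == "New-InboxRule"
            and str(params.get("DeleteMessage", "")).lower() == "true")


def conditional_access_location_edit(e: dict) -> bool:
    """T1556.009: a Conditional Access / named-location policy change.
    The activity wording is an assumption, so match loosely on 'location'."""
    return (e.get("source") == "entra_audit"
            and e.get("category") == "Policy"
            and "location" in str(e.get("activity", "")).lower())


def vss_service_stopped(e: dict) -> bool:
    """T1490: Volume Shadow Copy service entering the stopped state
    (Windows System log event 7036)."""
    return (e.get("source") == "windows"
            and e.get("eventId") == 7036
            and e.get("service") == "Volume Shadow Copy"
            and e.get("state") == "stopped")


RULES: dict[str, Rule] = {
    "T1098.001": aws_console_without_mfa,
    "T1564.008": inbox_rule_deletes_mail,
    "T1556.009": conditional_access_location_edit,
    "T1490": vss_service_stopped,
}


def match_events(events: list[dict]) -> list[tuple[int, str]]:
    """Return (event index, techniqueID) for every rule that fires."""
    return [(i, tid) for i, e in enumerate(events)
            for tid, rule in RULES.items() if rule(e)]


def coverage(layer_json: str, rules: dict[str, Rule]) -> dict[str, list[str]]:
    """Diff rule IDs against the layer's scored techniques: which have a
    rule, which do not, and which rules name an ID the layer never scores."""
    layer = json.loads(layer_json)
    scored = {t["techniqueID"] for t in layer["techniques"] if t.get("score")}
    rule_ids = set(rules)
    return {
        "covered": sorted(scored & rule_ids),
        "uncovered": sorted(scored - rule_ids),
        "orphan_rules": sorted(rule_ids - scored),
    }


# Constructed events; none are taken from a real incident.
SAMPLE_EVENTS = [
    {"source": "cloudtrail", "eventName": "GetFederationToken", "userIdentityType": "IAMUser"},
    {"source": "cloudtrail", "eventName": "ConsoleLogin", "userIdentityType": "FederatedUser", "mfaUsed": "No"},
    {"source": "exchange", "operation": "New-InboxRule",
     "parameters": {"From": "alerts@edr-vendor.example", "DeleteMessage": "True"}},
    {"source": "entra_audit", "category": "Policy", "activity": "Update named location"},
    {"source": "windows", "eventId": 7036, "service": "Volume Shadow Copy", "state": "stopped"},
    {"source": "cloudtrail", "eventName": "ConsoleLogin", "userIdentityType": "IAMUser", "mfaUsed": "Yes"},
]

if __name__ == "__main__":
    for idx, tid in match_events(SAMPLE_EVENTS):
        print(f"event[{idx}] -> {tid}")
    print(coverage(LAYER_JSON, RULES))
```

Run against the real layer by replacing LAYER_JSON with the file's contents; `coverage()` only reads `techniqueID` and `score`, so the colors and `showSubtechniques` flags are ignored. The first CloudTrail event (GetFederationToken from an IAM user) deliberately fires nothing: on its own it is how aws_consoler starts, but it is also routine for legitimate federation, so the rule keys on the downstream console login without MFA instead.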