Threat actor · Origin: unknown
Scattered Spider
Also known as: UNC3944 · Muddled Libra · Oktapus · Scattered Swine · Scatter Swine · Octo Tempest · 0ktapus · Storm-0971 · DEV-0971 · Starfraud
1 detection rule
Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.
Detection Rules
Scattered_Spider_SIGMA_Detection
Format: Sigma · Tags: ai_generated
title: Scattered Spider - Identity-Based Lateral Movement and Privilege Escalation
id: 3a13e8f4-5e43-4f3d-9a2a-1b9c7d8f0e2a
status: experimental
description: Detects command lines associated with domain account and group enumeration, privilege checks and credential-passing tooling, as used by Scattered Spider (UNC3944) for identity-based lateral movement and privilege escalation.
tags:
    - attack.discovery
    - attack.t1087.002
    - attack.t1069.002
    - attack.lateral_movement
    - attack.t1550.002
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        # Any single substring match is enough; Sigma ORs the list items.
        # Short tokens such as 'pth' and 'kerberos' are noisy ('pth' also
        # matches strings like '--depth'); tune or drop them per environment.
        CommandLine|contains:
            - 'net user /domain'
            - 'net group "domain admins"'
            - 'net group "enterprise admins"'
            - 'net localgroup administrators'
            - 'dsquery'
            - 'dsmember'
            - 'whoami /priv'
            - 'klist'
            - 'kerberos'
            - 'pth'
            - 'pass the hash'
            - 'runas /user'
    # The earlier ParentImage|endswith '\net.exe' clause was removed: it was
    # ANDed with the command-line list, but net.exe is the Image (not the
    # parent) of 'net user' / 'net group', and dsquery, whoami, klist and runas
    # are never net.exe children, so the clause made most patterns unreachable.
    # The invalid 'selection_condition' key was dropped; 'condition' below
    # already evaluates the selection.
    condition: selection
falsepositives:
    - Legitimate administrative activity using domain enumeration or credential passing tools
level: critical

⚠ Rules are AI-generated and unvalidated. Test in a safe environment before production use.