Threat Actor Unknown origin

Scattered Spider

Also known as: UNC3944 · Muddled Libra · Oktapus · Scattered Swine · Scatter Swine · Octo Tempest · 0ktapus · Storm-0971 · DEV-0971 · Starfraud


Scattered Spider, a highly active hacking group, has made headlines by targeting more than 130 organizations, with the number of victims steadily increasing.

Detection Rules

Scattered_Spider_SIGMA_Detection
sigma ai_generated
title: Scattered Spider - Identity-Based Lateral Movement and Privilege Escalation
id: 3a13e8f4-5e43-4f3d-9a2a-1b9c7d8f0e2a
status: experimental
description: Detects domain and group enumeration and credential-passing command lines associated with Scattered Spider intrusions.
logsource:
    category: process_creation
    product: windows
detection:
    # net.exe hands most subcommands to a net1.exe child whose command line
    # starts with "net1", so match the subcommand rather than a "net " prefix.
    selection_net:
        Image|endswith:
            - '\net.exe'
            - '\net1.exe'
        CommandLine|contains:
            - 'user /domain'
            - 'group "domain admins"'
            - 'group "enterprise admins"'
            - 'localgroup administrators'
    selection_tools:
        CommandLine|contains:
            - 'dsquery'
            - 'dsmember'
            - 'whoami /priv'
            - 'klist'
            - 'runas /user'
    # Broad substrings: 'pth' also matches words such as 'depth'; tune before use.
    selection_keywords:
        CommandLine|contains:
            - 'kerberos'
            - 'pth'
            - 'pass the hash'
    condition: 1 of selection_*
falsepositives:
    - Legitimate administrative activity using domain enumeration or credential passing tools
level: critical

Rules are AI-generated and unvalidated. Test in a safe environment before production use.
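To see what the rule's indicators actually fire on, here is an added Python evaluator (not part of this page or the rule's author's tooling) that hand-codes the rule's indicator lists as three OR-ed selections (net.exe/net1.exe subcommands, standalone tools, broad keywords), applies Sigma's case-insensitive contains/endswith semantics, and runs them over constructed Sysmon-style events; the `Image`/`CommandLine` field names and the sample events are assumptions.

```python
"""Evaluate the Scattered Spider rule's command-line indicators against
constructed Windows process-creation events (assumption: events are dicts
with Sysmon-style 'Image' and 'CommandLine' fields). Mirrors Sigma semantics:
`contains` and `endswith` are case-insensitive substring/suffix tests."""

# Indicator lists taken from the rule, grouped as independent (OR-ed) selections.
# The "net " prefix is dropped so the net1.exe child's command line also matches.
NET_COMMANDS = ['user /domain', 'group "domain admins"',
                'group "enterprise admins"', 'localgroup administrators']
TOOL_COMMANDS = ['dsquery', 'dsmember', 'whoami /priv', 'klist', 'runas /user']
BROAD_KEYWORDS = ['kerberos', 'pth', 'pass the hash']
NET_IMAGES = ('\\net.exe', '\\net1.exe')


def matched_selections(event: dict) -> list[str]:
    """Return the names of the selections an event satisfies (empty = no alert)."""
    image = event.get('Image', '').lower()
    cmd = event.get('CommandLine', '').lower()
    hits = []
    if image.endswith(NET_IMAGES) and any(k in cmd for k in NET_COMMANDS):
        hits.append('selection_net')
    if any(k in cmd for k in TOOL_COMMANDS):
        hits.append('selection_tools')
    if any(k in cmd for k in BROAD_KEYWORDS):
        hits.append('selection_keywords')
    return hits


def alerts(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the rule over events; returns (CommandLine, selections) per hit."""
    return [(e['CommandLine'], m) for e in events if (m := matched_selections(e))]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {'Image': 'C:\\Windows\\System32\\net1.exe',
     'CommandLine': 'C:\\Windows\\system32\\net1 group "Domain Admins" /domain'},
    {'Image': 'C:\\Windows\\System32\\whoami.exe', 'CommandLine': 'whoami /priv'},
    {'Image': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'cmd /c dir /s C:\\data'},
    # Benign build tool: the broad 'pth' substring also matches 'depth'.
    {'Image': 'C:\\Tools\\build.exe', 'CommandLine': 'build.exe --depth 3'},
]

if __name__ == '__main__':
    for cmd, sels in alerts(SAMPLE_EVENTS):
        print(f'ALERT {sels}: {cmd}')
```

The last sample event shows why the keyword selection needs tuning before the rule is deployed: it alerts on an ordinary `--depth` argument.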

Source Articles