Critical • Financially Motivated • TLP:CLEAR

Scattered Spider

Threat Hunting Guide • 4-6 hours

Social engineering specialists targeting identity providers. Native English speakers impersonating IT staff for credential resets, MFA fatigue attacks, SIM swapping, and Okta/Entra ID compromise. Affiliated with DragonForce ransomware.

Hunt Modules: 10
Duration: 4-6 hrs
MITRE Techniques: 60+
Origin: US/UK
RaaS Affiliate: DragonForce

Download Full Hunting Guide

Complete guide with 10 hunt modules, identity provider detection queries, social engineering indicators, and IOCs.

10 Hunt Modules

1. Help Desk Social Engineering Detection • 30 min • Critical
2. MFA Anomaly Detection (Push Bombing) • 30 min • Critical
3. Identity Provider Compromise Detection • 45 min • Critical
4. Phishing Infrastructure Hunting • 30 min • High
5. RMM Tool Detection • 30 min • High
6. Cloud IAM Anomaly Detection • 45 min • Critical
7. Email Manipulation Detection • 30 min • High
8. Tunneling & Proxy Detection • 30 min • High
9. Credential Dumping & Lateral Movement • 30 min • High
10. Data Exfiltration Hunting • 30 min • High

Detection Rules

Copy these queries to detect Scattered Spider activity in your environment.

MFA Fatigue Attack Detection (Okta)

index=okta sourcetype=OktaIM2:log
eventType="user.mfa.okta_verify.deny_push"
| bucket _time span=5m
| stats count by user, _time
| where count > 5

New MFA Device Registration

index=okta sourcetype=OktaIM2:log
eventType="user.mfa.factor.activate"
| stats count by user, displayMessage, client.ipAddress
| lookup known_mfa_devices.csv user OUTPUT expected_device
| where isnull(expected_device)

Unauthorized RMM Tool Installation

index=windows sourcetype=WinEventLog
(ProcessName="*TeamViewer*" OR ProcessName="*AnyDesk*" OR ProcessName="*ScreenConnect*" OR ProcessName="*ngrok*")
| stats count by ComputerName, ProcessName, User
| where NOT match(ComputerName, "^IT-")
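To check what the three queries above actually flag before running them against production data, the same logic is re-implemented here in Python over constructed sample events. This is an added example, not code from the guide or from any Okta or Splunk tooling: the Okta field names follow the System Log schema (eventType, published, actor.alternateId, client.ipAddress, displayMessage), the Windows fields mirror the query (ComputerName, ProcessName, User), and every event, hostname, address and the known-device set are made up for illustration.

```python
"""Added example: Okta MFA push-deny bucketing, factor activations by users
with no baseline entry, and RMM binaries on non-IT hosts. All events below
are constructed samples, not real logs."""
import re
from collections import Counter
from datetime import datetime, timezone

SPAN_SECONDS = 300   # mirrors "bucket _time span=5m"
DENY_THRESHOLD = 5   # mirrors "where count > 5"

DENY = "user.mfa.okta_verify.deny_push"
ACTIVATE = "user.mfa.factor.activate"


def _okta(event_type, published, user, ip, msg=""):
    """Build a constructed Okta System Log style event."""
    return {"eventType": event_type, "published": published,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "displayMessage": msg}


# Constructed sample events (example.com users, documentation IP ranges).
OKTA_EVENTS = [
    # alice: seven denied pushes inside one 5-minute window, one more later
    _okta(DENY, "2024-01-15T10:00:10.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:00:40.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:01:15.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:01:50.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:02:30.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:03:05.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:04:20.000Z", "alice@example.com", "198.51.100.7"),
    _okta(DENY, "2024-01-15T10:06:00.000Z", "alice@example.com", "198.51.100.7"),
    # bob: three denies in the same window, below the threshold
    _okta(DENY, "2024-01-15T10:01:00.000Z", "bob@example.com", "192.0.2.44"),
    _okta(DENY, "2024-01-15T10:02:00.000Z", "bob@example.com", "192.0.2.44"),
    _okta(DENY, "2024-01-15T10:03:00.000Z", "bob@example.com", "192.0.2.44"),
    # factor activations: alice has no baseline entry, carol does
    _okta(ACTIVATE, "2024-01-15T10:07:00.000Z", "alice@example.com", "203.0.113.5",
          "Activate factor for user"),
    _okta(ACTIVATE, "2024-01-15T10:08:00.000Z", "carol@example.com", "198.51.100.9",
          "Activate factor for user"),
]

# Stand-in for known_mfa_devices.csv; like the query's lookup it is keyed on user only.
KNOWN_MFA_USERS = {"carol@example.com"}


def _bucket(published, span=SPAN_SECONDS):
    """Floor an Okta timestamp to the start of its span-second window (like bucket _time)."""
    dt = datetime.strptime(published, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    epoch = int(dt.timestamp())
    start = datetime.fromtimestamp(epoch - epoch % span, tz=timezone.utc)
    return start.strftime("%Y-%m-%dT%H:%M:%SZ")


def mfa_fatigue_alerts(events, span=SPAN_SECONDS, threshold=DENY_THRESHOLD):
    """Return {(user, window_start): deny_count} for windows with more than `threshold` denies."""
    counts = Counter()
    for ev in events:
        if ev["eventType"] == DENY:
            counts[(ev["actor"]["alternateId"], _bucket(ev["published"], span))] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def unexpected_factor_activations(events, known_users):
    """Return (user, ip, displayMessage) for factor activations by users absent from the lookup."""
    return [(ev["actor"]["alternateId"], ev["client"]["ipAddress"], ev["displayMessage"])
            for ev in events
            if ev["eventType"] == ACTIVATE and ev["actor"]["alternateId"] not in known_users]


# Constructed Windows process events in the query's field names.
PROCESS_EVENTS = [
    {"ComputerName": "WKS-0412", "ProcessName": r"C:\Users\dave\AppData\Local\AnyDesk\AnyDesk.exe", "User": "dave"},
    {"ComputerName": "IT-HELPDESK01", "ProcessName": r"C:\Program Files\TeamViewer\TeamViewer.exe", "User": "itadmin"},
    {"ComputerName": "SPLIT-LAB", "ProcessName": r"C:\Tools\ngrok.exe", "User": "eve"},
    {"ComputerName": "SRV-FILE02", "ProcessName": r"C:\Windows\System32\svchost.exe", "User": "SYSTEM"},
]

RMM_PATTERN = re.compile(r"TeamViewer|AnyDesk|ScreenConnect|ngrok", re.IGNORECASE)
IT_HOST_PATTERN = re.compile(r"^IT-")   # anchored: "IT-*" as a regex would match any host containing "IT"


def rmm_on_non_it_hosts(events):
    """Return sorted (host, process, user) tuples for RMM binaries seen outside the IT- host prefix."""
    return sorted({(ev["ComputerName"], ev["ProcessName"], ev["User"])
                   for ev in events
                   if RMM_PATTERN.search(ev["ProcessName"])
                   and not IT_HOST_PATTERN.match(ev["ComputerName"])})


if __name__ == "__main__":
    print("MFA fatigue:", mfa_fatigue_alerts(OKTA_EVENTS))
    print("Unexpected activations:", unexpected_factor_activations(OKTA_EVENTS, KNOWN_MFA_USERS))
    print("RMM on non-IT hosts:", rmm_on_non_it_hosts(PROCESS_EVENTS))
```

Two points worth checking when porting these queries: the known-device lookup is keyed on user alone, so it flags a first-ever enrolment by a user with no baseline row but not a second device registered by a user who already has one (that needs a lookup keyed on user and device); and Splunk's match() takes a regular expression, so the IT-host exclusion must be anchored (^IT-) or a host such as SPLIT-LAB is silently excluded, which is why the sample above includes one.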

Need More Detection Rules?

The full guide includes 20+ additional detection signatures for identity providers and cloud environments.

Download Full Guide

Disclaimer: These detection rules are provided for defensive security purposes. Always test rules in a non-production environment before deployment. Rules may require tuning for your specific environment. Sources: CISA AA23-320A, Mandiant UNC3944.

Key Attack Techniques

Social Engineering

• Help desk impersonation calls
• SMS phishing (smishing)
• SIM swapping for MFA bypass
• MFA fatigue / push bombing

Identity Provider Targeting

• Okta admin console access
• Entra ID conditional access bypass
• Federated trust manipulation
• New MFA device registration

Persistence & Access

• TeamViewer, AnyDesk, ngrok
• Email forwarding rules
• Slack/Teams monitoring
• Counter-IR surveillance

Notable Victims

• MGM Resorts ($100M impact)
• Caesars ($15M ransom)
• Marks & Spencer (£300M)
• Snowflake customers

Detect Identity-Based Attacks

BRACE monitors for Scattered Spider TTPs including MFA anomalies, identity provider compromise, and social engineering indicators.