45_C0027.txt

During C0027, Scattered Spider accessed Azure AD to identify email addresses.During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and to identify privileged users, along with the email addresses and AD attributes.During C0027, Scattered Spider used aws_consoler to create temporary federated credentials for fake users in order to obfuscate which AWS credential is compromised and enable pivoting from the AWS CLI to console sessions without MFA.During C0027, Scattered Spider used IAM manipulation to gain persistence and to assume or elevate privileges.During C0027, Scattered Spider registered devices for MFA to maintain persistence through victims' VPN.During C0027, Scattered Spider accessed victim OneDrive environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.During C0027, Scattered Spider accessed victim SharePoint environments to search for VPN and MFA enrollment information, help desk instructions, and new hire guides.During C0027, Scattered Spider exploited CVE-2021-35464 in the ForgeRock Open Access Management (OpenAM) application server to gain initial access.During C0027, Scattered Spider used Citrix and VPNs to persist in compromised environments.During C0027, Scattered Spider sent phishing messages via SMS to steal credentials.During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls and text messages either to direct victims to a credential harvesting site or getting victims to run commercial remote monitoring and management (RMM) tools.During C0027, Scattered Spider downloaded tools using victim organization systems.During C0027, Scattered Spider used access to the victim's Azure tenant to create Azure VMs.During C0027, Scattered Spider attempted to gain access by continuously sending MFA messages to the victim until they accept the MFA push challenge.During C0027, used RustScan to scan for open ports on targeted ESXi appliances.During C0027, Scattered Spider obtained and used multiple tools including the LINpeas privilege escalation utility, aws_consoler, rsocx reverse proxy, Level RMM tool, and RustScan port scanner.During C0027, Scattered Spider performed domain replication.During C0027, Scattered Spider accessed Azure AD to download bulk lists of group members and their Active Directory attributes.During C0027, Scattered Spider impersonated legitimate IT personnel in phone calls to direct victims to download a remote monitoring and management (RMM) tool that would allow the adversary to remotely control their system.During C0027, Scattered Spider sent Telegram messages impersonating IT personnel to harvest credentials.During C0027, Scattered Spider used phone calls to instruct victims to navigate to credential-harvesting websites.During C0027, Scattered Spider used SSH tunneling in targeted environments.During C0027, Scattered Spider installed the open-source rsocx reverse proxy tool on a targeted ESXi appliance.During C0027, Scattered Spider directed victims to run remote monitoring and management (RMM) tools.During C0027, Scattered Spider used compromised Azure credentials for credential theft activity and lateral movement to on-premises systems.During C0027, Scattered Spider leveraged compromised credentials from victim users to authenticate to Azure tenants.During C0027, Scattered Spider downloaded tools from sites including file.io, GitHub, and paste.ee.During C0027, Scattered Spider used Windows Management Instrumentation (WMI) to move laterally via Impacket.