Scattered Spider: Identity-First Attack Chain

After gaining access to corp-srv-ad01 via services.exe, the attacker executed a known Impacket tool to extract the NTDS.dit database. Examine the XDR Timeline around 2024-05-09T23:45:06.235Z to find the script responsible for this activity.

An alert triggered at 2024-05-09T03:41:58.606Z indicating a suspicious process execution involving kdmapper.exe on corp-wks-9901. Analyze the process execution logs in the SIEM to find the hash of the binary that was executed to bypass driver signature enforcement.

At 2024-05-08T02:31:05Z, a suspicious process was executed by the user claudia.vance that appears to interact with system memory. You must investigate the command line arguments and the resulting file activity to identify the driver being manually mapped into the kernel.

A high-severity alert was triggered when a user account, claudia.vance, executed a process that attempted to bypass local security controls. Analysts must review the event descriptions within the XDR Timeline to determine which interpreter was invoked to facilitate this activity.

An alert triggered for potential driver manual mapping on corp-wks-9901. Review the process tree for services.exe to find the malicious binary executed by the SYSTEM account that attempted to bypass security controls.

The adversary successfully executed kdmapper.exe on the corp-wks-9901 workstation to bypass driver signature enforcement. You must determine the exact name of the malicious driver file that was dropped and executed during this sequence to establish the extent of kernel-level compromise.

During a deep-dive timeline reconstruction, we observed an unusual driver mapper execution occurring at 2024-05-31T01:59:56.871Z. You need to examine the SIEM records for this event to determine which telemetry provider reported this activity to the central repository.

An alert was triggered for corp-wks-8821 involving kdmapper.exe, which is often used for manual driver loading. Evidence suggests the process initiated a network connection at 2024-05-01T09:12:33Z; investigate the message logs to determine the target domain.

After the execution of a suspicious binary on corp-wks-9901 around 2024-05-08T02:30:15Z, the system initiated an outbound connection to an unauthorized external gateway. Analyze the endpoint activity to determine the destination address being used to exfiltrate data.

An alert triggered for suspicious driver loading via kdmapper.exe, but we need to trace the execution chain back to the start. Analyze the SIEM event messages for host corp-wks-8821 to find which productivity application was used to launch the initial stage of the attack.