Scattered Spider Ashes: The Great Haagscape

[MHaggis]

New Analytic Story

• Scattered Spider

Tagged Security Content

Deprecated Detections:

detections/deprecated/any_powershell_downloadstring.yml

Endpoint Detections:

detections/endpoint/attacker_tools_on_endpoint.yml
detections/endpoint/bitsadmin_download_file.yml
detections/endpoint/clear_unallocated_sector_using_cipher_app.yml
detections/endpoint/detect_mimikatz_with_powershell_script_block_logging.yml
detections/endpoint/detect_remote_access_software_usage_file.yml
detections/endpoint/detect_remote_access_software_usage_fileinfo.yml
detections/endpoint/detect_remote_access_software_usage_process.yml
detections/endpoint/detect_remote_access_software_usage_registry.yml
detections/endpoint/exchange_powershell_module_usage.yml
detections/endpoint/malicious_powershell_process___encoded_command.yml
detections/endpoint/powershell_4104_hunting.yml
detections/endpoint/recon_using_wmi_class.yml
detections/endpoint/sc_exe_manipulating_windows_services.yml
detections/endpoint/scheduled_task_deleted_or_created_via_cmd.yml
detections/endpoint/script_execution_via_wmi.yml
detections/endpoint/sdelete_application_execution.yml
detections/endpoint/suspicious_scheduled_task_from_public_directory.yml
detections/endpoint/suspicious_wevtutil_usage.yml
detections/endpoint/windows_credential_access_from_browser_password_store.yml
detections/endpoint/windows_mimikatz_binary_execution.yml
detections/endpoint/windows_msexchange_management_mailbox_cmdlet_usage.yml
detections/endpoint/windows_password_managers_discovery.yml
detections/endpoint/windows_powershell_scheduletask.yml

Network Detections:

detections/network/cisco_secure_firewall___remote_access_software_usage_traffic.yml
detections/network/detect_remote_access_software_usage_dns.yml
detections/network/detect_remote_access_software_usage_traffic.yml

[patel-bhavin]