Emulating and Detecting Scattered Spider-like Attacks
ID: 4cc08c42-9a1c-5138-b1cf-25c5ea5419f8
STIX ID: report--4cc08c42-9a1c-5138-b1cf-25c5ea5419f8
Feed Name: Sekoia.io Blog
Date Published: 2024-07-24
Date Updated: 2026-04-29
Author: Sekoia TDR, Mitigant, Guillaume C., Erwan Chevalier and Kennedy Torkura
This blog post demonstrates an emulated Scattered Spider-like campaign against a fictitious FinTech's AWS environment using Mitigant Cloud Attack Emulation and Sekoia's SOC/XDR products. It walks through the attack stages (initial access via phishing, enabling EC2 serial console, IAM backdoors and access key creation, password policy degradation, VPC/subnet deletion, Lambda credential compromise, and malicious S3 replication for exfiltration), maps them to MITRE ATT&CK techniques, describes detections and noisy events, and provides lessons learned for adopting a Threat-Informed Defense strategy in cloud environments.
