
Escaping the Scattered Spider’s web: 6 takeaways from our deep dive

Discover how Scattered Spider blends social engineering with technical precision to launch high-impact ransomware attacks.

diskordia, Nov 05, 2025

Scattered Spider isn’t your average cybercrime crew. They’re faster, more cunning, and dangerously good at finding that sweet spot between human manipulation and technical precision. 

In our latest webinar, Dissecting Scattered Spider, HTB’s Director of Defensive Content Engineering Andi Morris broke down how this group has turned simple social engineering into a gateway for high-impact ransomware operations, and what blue teamers out there can do about it.


If you missed the live session, don’t worry. We’ve got the recording ready to rock, and we’ve got you covered with a bite-sized breakdown of the 6 biggest takeaways from the discussion before you dive into the full recording.

1. They’ve broken in before you even know it

Scattered Spider’s playbook starts with social engineering: calling the help desk and convincing staff to reset a password, hand over MFA codes, or enroll a new MFA device for an account they don’t own. From there they escalate privileges and move laterally through Active Directory until they reach a domain controller, where they copy the NTDS.dit database (together with the SYSTEM registry hive, whose boot key is needed to decrypt it) and crack or reuse the password hashes it holds.

Once they’re in deep enough, they install legitimate remote access tools like TeamViewer or AnyDesk to maintain persistence. Because these tools are signed and widely used, they rarely trip alerts unless their presence is checked against the software the organization actually approves.

2. It’s less about the tools, more about mindset

The webinar highlights that incident response maturity is what separates total compromise from rapid containment. 

During recent UK retail breaches attributed to Scattered Spider, some organizations were able to spot intrusion patterns early, contain the attack, and prevent encryption altogether. That comes down to teams who understand how attackers actually operate, not just how their tools are configured.

3. Supply and demand: now in cybercrime form

Scattered Spider didn’t build every part of their campaign themselves. They partnered with ransomware-as-a-service (RaaS) operators like DragonForce, showing how the criminal ecosystem has become as modular as legitimate tech. 

Initial access brokers, malware developers, and ransomware operators now function like a grimly efficient supply chain.

4. The crown jewel everyone’s coming for

The NTDS.dit database, Active Directory’s crown jewel, holds the password hashes of every domain account, including the KRBTGT account whose key signs every Kerberos ticket-granting ticket the domain issues.

With the KRBTGT hash in hand, attackers can forge Golden Tickets and impersonate any user, and ordinary password resets don’t help: the forged tickets stay valid until the KRBTGT password itself is reset twice (the second reset flushes the old key from the password history). Understanding how to protect and monitor this file is critical for any blue team.

5. Detection is learned by doing

One of the webinar’s strongest points: defenders who’ve practiced offensive techniques detect attacks faster. Andi demonstrated how Hack The Box’s Sherlock challenges, like Crown Jewel One, let you analyze the forensic artifacts a real-world breach leaves behind.

Using tools like Chainsaw and jq in a simulated environment builds practical intuition you just can’t get from theory.

6. Real readiness isn’t built in theory

Scattered Spider thrives where defenders rely on automation and alerts without context. The solution? Hands-on investigation experience. Knowing what NTDS extraction looks like in logs (a shadow copy or ntdsutil run on a domain controller, or an ordinary user account requesting directory replication rights) and how privilege escalation shows up in event data helps teams act decisively under pressure.
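As an added example (not code from the webinar or the HTB blog), the Python script below runs a few detection rules over Windows event records exported as JSON. It covers the tradecraft from takeaways 1 and 4 as well as this one: NTDS.dit extraction via ntdsutil or a volume shadow copy, DCSync replication requests from a non-machine account, and execution of remote access tools like AnyDesk or TeamViewer. The flat field names (EventID, NewProcessName, CommandLine, Properties, AccessMask) follow the layout of common evtx-to-JSON exporters and are an assumption; the sample events are constructed, not real telemetry.

```python
"""Detection rules for NTDS.dit extraction, DCSync and remote-access-tool
execution, run over Windows event records exported as JSON.

Added example, not code from the webinar or the HTB blog. Assumptions: each
event is a flat dict with fields like "EventID", "NewProcessName",
"CommandLine", "Properties" and "AccessMask" (the layout of common
evtx-to-JSON exporters); SAMPLE_EVENTS below is constructed, not real telemetry.
"""
import ntpath
import re

# Extended rights logged in event 4662 when a principal asks a domain
# controller to replicate directory changes, which is what DCSync does.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2",  # DS-Replication-Get-Changes-All
    "89e95b76-444d-4c62-991a-0facbeda640c",  # DS-Replication-Get-Changes-In-Filtered-Set
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")

# Legitimate remote-access tools the group deploys for persistence. Matching
# on the binary name alone only makes sense against a software baseline.
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe", "teamviewer_service.exe"}

# Constructed sample events (not real logs); event IDs are Security-log IDs.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jsmith",
     "AccessMask": "0x100",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Users\jsmith\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --start-with-win --silent"},
    {"EventID": 4688, "Computer": "WS042", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt"},
]


def check_event(event):
    """Return (rule, severity) for a matching event, or None."""
    eid = event.get("EventID")
    if eid == 4688:  # process creation
        proc = ntpath.basename(event.get("NewProcessName", "")).lower()
        cmd = event.get("CommandLine", "").lower()
        # "ifm" / "create full" writes a copy of ntds.dit plus the SYSTEM hive
        # whose boot key is needed to decrypt the hashes.
        if proc == "ntdsutil.exe" and re.search(r"\bifm\b|create\s+full", cmd):
            return ("ntdsutil_ifm", "high")
        # A volume shadow copy is the other common way to read the locked ntds.dit.
        if (proc == "vssadmin.exe" and "create shadow" in cmd) or proc == "diskshadow.exe":
            return ("shadow_copy", "medium")
        if proc in RMM_BINARIES:
            return ("rmm_tool", "low")
    elif eid == 4662:  # operation performed on an AD object
        user = event.get("SubjectUserName", "")
        mask = event.get("AccessMask", "").lower()
        rights = set(GUID_RE.findall(event.get("Properties", "").lower()))
        # Domain controllers replicate with each other using machine accounts
        # (names end in "$"); a user account exercising replication rights with
        # the Control Access mask is the DCSync signature. In production,
        # allowlist known sync accounts (e.g. Entra Connect) rather than the rule.
        if mask == "0x100" and rights & REPLICATION_RIGHTS and not user.endswith("$"):
            return ("dcsync", "high")
    return None


def scan(events):
    """Run check_event over every record and collect the findings in order."""
    findings = []
    for ev in events:
        hit = check_event(ev)
        if hit is not None:
            rule, severity = hit
            findings.append({"rule": rule, "severity": severity,
                             "host": ev.get("Computer"),
                             "user": ev.get("SubjectUserName"),
                             "event_id": ev.get("EventID")})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f['severity']:>6}] {f['rule']:<13} host={f['host']} "
              f"user={f['user']} event_id={f['event_id']}")
```

Two prerequisites matter more than the rules themselves: 4688 only carries the command line if process command-line auditing is enabled, and 4662 only appears if Directory Service Access auditing is on and the domain object carries a SACL for the replication rights. Without those, the extraction the webinar walks through leaves far fewer traces to find.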


In short, it’s not about getting the answer—it’s about understanding how you got there.

Don’t just read about Scattered Spider. Understand them.

Watch the full Dissecting Scattered Spider webinar to see the entire attack chain unfold, step by step. You’ll walk through live investigations, decode the adversary’s logic, and learn how to turn detection theory into muscle memory.

