FIN6_G0037.json
{
  "description": "Enterprise techniques used by FIN6, ATT&CK group G0037 v1.0",
  "name": "FIN6 (G0037)",
  "domain": "mitre-enterprise",
  "version": "2.2",
  "techniques": [
    {"score": 1, "techniqueID": "T1194", "techniqueName": "Spearphishing via Service", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used fake job advertisements sent via LinkedIn to spearphish targets."},
    {"score": 1, "techniqueID": "T1047", "techniqueName": "Windows Management Instrumentation", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used WMI to automate the remote execution of PowerShell scripts."},
    {"score": 1, "techniqueID": "T1116", "techniqueName": "Code Signing", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used Comodo code-signing certificates."},
    {"score": 1, "techniqueID": "T1035", "techniqueName": "Service Execution", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has created Windows services to execute encoded PowerShell commands."},
    {"score": 1, "techniqueID": "T1069", "techniqueName": "Permission Groups Discovery", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used tools like Adfind to query users, groups, organizational units, and trusts."},
    {"score": 1, "techniqueID": "T1102", "techniqueName": "Web Service", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used Pastebin to host content for the operation."},
    {"score": 1, "techniqueID": "T1036", "techniqueName": "Masquerading", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has renamed the \"psexec\" service name to \"mstdc\" to masquerade as a legitimate Windows executable."},
    {"score": 1, "techniqueID": "T1076", "techniqueName": "Remote Desktop Protocol", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) used RDP to move laterally in victim networks."},
    {"score": 1, "techniqueID": "T1119", "techniqueName": "Automated Collection", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used a script to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files."},
    {"score": 1, "techniqueID": "T1022", "techniqueName": "Data Encrypted", "comment": "TRINITY malware used by [FIN6](https://attack.mitre.org/groups/G0037) encodes data gathered from the victim with a simple substitution cipher and single-byte XOR using the 0xAA key."},
    {"score": 1, "techniqueID": "T1002", "techniqueName": "Data Compressed", "comment": "Following data collection, [FIN6](https://attack.mitre.org/groups/G0037) has compressed log files into a ZIP archive prior to staging and exfiltration."},
    {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "To move laterally on a victim network, [FIN6](https://attack.mitre.org/groups/G0037) has used credentials stolen from various systems on which it gathered usernames and password hashes."},
    {"score": 1, "techniqueID": "T1074", "techniqueName": "Data Staged", "comment": "TRINITY malware used by [FIN6](https://attack.mitre.org/groups/G0037) identifies payment card track data on the victim and then copies it to a local file in a subdirectory of <code>C:\\Windows\\</code>. Once the malware collects the data, [FIN6](https://attack.mitre.org/groups/G0037) actors compressed data and moved it to another staging system before exfiltration."},
    {"score": 1, "techniqueID": "T1071", "techniqueName": "Standard Application Layer Protocol", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) used the Plink command-line utility to create SSH tunnels to C2 servers."},
    {"score": 1, "techniqueID": "T1032", "techniqueName": "Standard Cryptographic Protocol", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) used the Plink command-line utility to create SSH tunnels to C2 servers."},
    {"score": 1, "techniqueID": "T1053", "techniqueName": "Scheduled Task", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and PoS malware known as TRINITY."},
    {"score": 1, "techniqueID": "T1068", "techniqueName": "Exploitation for Privilege Escalation", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used tools to exploit Windows vulnerabilities in order to escalate privileges. The tools targeted CVE-2013-3660, CVE-2011-2005, and CVE-2010-4398, all of which could allow local users to access kernel-level privileges."},
    {"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener. [FIN6](https://attack.mitre.org/groups/G0037) has also used scripting to iterate through a list of compromised PoS systems, copy data to a log file, and remove the original data files."},
    {"score": 1, "techniqueID": "T1087", "techniqueName": "Account Discovery", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used Metasploit\u2019s [PsExec](https://attack.mitre.org/software/S0029) NTDSGRAB module to obtain a copy of the victim's Active Directory database."},
    {"score": 1, "techniqueID": "T1018", "techniqueName": "Remote System Discovery", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS."},
    {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used a Metasploit PowerShell module to download and execute shellcode and to set up a local listener."},
    {"score": 1, "techniqueID": "T1046", "techniqueName": "Network Service Scanning", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) used publicly available tools (including Microsoft's built-in SQL querying tool, osql.exe) to map the internal network and conduct reconnaissance against Active Directory, Structured Query Language (SQL) servers, and NetBIOS."},
    {"score": 1, "techniqueID": "T1003", "techniqueName": "Credential Dumping", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used [Windows Credential Editor](https://attack.mitre.org/software/S0005) for credential dumping, as well as Metasploit\u2019s [PsExec](https://attack.mitre.org/software/S0029) NTDSGRAB module to obtain a copy of the victim's Active Directory database."},
    {"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[FIN6](https://attack.mitre.org/groups/G0037) has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD."}
  ],
  "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FIN6", "color": "#ff6666"}]
}