FIN7_G0046.json
{
  "description": "Enterprise techniques used by FIN7, ATT&CK group G0046 v1.0",
  "name": "FIN7 (G0046)",
  "domain": "mitre-enterprise",
  "version": "2.2",
  "techniques": [
    {
      "score": 1,
      "techniqueID": "T1497",
      "techniqueName": "Virtualization/Sandbox Evasion",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes."
    },
    {
      "score": 1,
      "techniqueID": "T1023",
      "techniqueName": "Shortcut Modification",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) created several .LNK files on the victim's machine."
    },
    {
      "score": 1,
      "techniqueID": "T1059",
      "techniqueName": "Command-Line Interface",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) used cmd.exe to launch commands on the victim\u2019s machine."
    },
    {
      "score": 1,
      "techniqueID": "T1102",
      "techniqueName": "Web Service",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) used legitimate services like Google Docs, Google Scripts, and Pastebin for C2."
    },
    {
      "score": 1,
      "techniqueID": "T1050",
      "techniqueName": "New Service",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) created new Windows services and added them to the startup directories for persistence."
    },
    {
      "score": 1,
      "techniqueID": "T1125",
      "techniqueName": "Video Capture",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) created a custom video recording capability that could be used to monitor operations in the victim's environment."
    },
    {
      "score": 1,
      "techniqueID": "T1116",
      "techniqueName": "Code Signing",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has signed [Carbanak](https://attack.mitre.org/software/S0030) payloads with legally purchased code signing certificates.\n[FIN7](https://attack.mitre.org/groups/G0046) has also digitally signed their phishing documents, backdoors and other staging tools to bypass security controls."
    },
    {
      "score": 1,
      "techniqueID": "T1043",
      "techniqueName": "Commonly Used Port",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has used ports 53, 80, 443, and 8080 for C2."
    },
    {
      "score": 1,
      "techniqueID": "T1071",
      "techniqueName": "Standard Application Layer Protocol",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has performed C2 using DNS via A, OPT, and TXT records."
    },
    {
      "score": 1,
      "techniqueID": "T1204",
      "techniqueName": "User Execution",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) lured victims to double-click on images in the attachments they sent which would then execute the hidden LNK file."
    },
    {
      "score": 1,
      "techniqueID": "T1113",
      "techniqueName": "Screen Capture",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) captured screenshots and desktop video recordings."
    },
    {
      "score": 1,
      "techniqueID": "T1064",
      "techniqueName": "Scripting",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) used SQL, VBS and JavaScript scripts to help perform tasks on the victim's machine."
    },
    {
      "score": 1,
      "techniqueID": "T1193",
      "techniqueName": "Spearphishing Attachment",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) sent spearphishing emails with either malicious Microsoft Documents or RTF files attached."
    },
    {
      "score": 1,
      "techniqueID": "T1027",
      "techniqueName": "Obfuscated Files or Information",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands."
    },
    {
      "score": 1,
      "techniqueID": "T1173",
      "techniqueName": "Dynamic Data Exchange",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) spear phishing campaigns have included malicious Word documents with DDE execution."
    },
    {
      "score": 1,
      "techniqueID": "T1170",
      "techniqueName": "Mshta",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has used mshta.exe to execute VBScript to execute malicious code on victim systems."
    },
    {
      "score": 1,
      "techniqueID": "T1138",
      "techniqueName": "Application Shimming",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has used application shim databases for persistence."
    },
    {
      "score": 1,
      "techniqueID": "T1086",
      "techniqueName": "PowerShell",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) uses a PowerShell script to launch shellcode that retrieves an additional payload."
    },
    {
      "score": 1,
      "techniqueID": "T1036",
      "techniqueName": "Masquerading",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has created a scheduled task named \u201cAdobeFlashSync\u201d to establish persistence."
    },
    {
      "score": 1,
      "techniqueID": "T1105",
      "techniqueName": "Remote File Copy",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) has downloaded additional malware to execute on the victim's machine, including by using a PowerShell script to launch shellcode that retrieves an additional payload."
    },
    {
      "score": 1,
      "techniqueID": "T1053",
      "techniqueName": "Scheduled Task",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) malware has created scheduled tasks to establish persistence."
    },
    {
      "score": 1,
      "techniqueID": "T1060",
      "techniqueName": "Registry Run Keys / Startup Folder",
      "comment": "[FIN7](https://attack.mitre.org/groups/G0046) malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder."
    }
  ],
  "gradient": {
    "colors": ["#ffffff", "#ff6666"],
    "minValue": 0,
    "maxValue": 1
  },
  "legendItems": [
    {"label": "used by FIN7", "color": "#ff6666"}
  ]
}
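The file above is an ATT&CK Navigator layer: a list of technique IDs, each with a score that the gradient maps to a colour, plus a legend. The script below is an added example (not code from this repository or from the Navigator project) that loads such a layer, checks the parts of the format this file uses (required keys, technique-ID syntax, duplicate IDs, scores inside the gradient range, colour syntax) and merges several layers into one overlap heat map by counting how many layers list each technique. The embedded FIN7 sample is a constructed three-technique subset of the layer above; the second layer and its group name are hypothetical, invented only to show overlap scoring; the set of accepted domain names is an assumption covering both the old (`mitre-enterprise`) and newer (`enterprise-attack`) spellings.

```python
"""Load, validate and merge ATT&CK Navigator layers such as FIN7_G0046.json.

Added example; checks only the keys this file uses, not the full layer spec.
"""
import json
import re
from collections import Counter

# Constructed three-technique subset of the FIN7 layer, embedded so this runs offline.
FIN7_SUBSET_JSON = """
{
  "name": "FIN7 (G0046)",
  "domain": "mitre-enterprise",
  "version": "2.2",
  "techniques": [
    {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell",
     "comment": "FIN7 uses a PowerShell script to launch shellcode that retrieves an additional payload."},
    {"score": 1, "techniqueID": "T1053", "techniqueName": "Scheduled Task",
     "comment": "FIN7 malware has created scheduled tasks to establish persistence."},
    {"score": 1, "techniqueID": "T1043", "techniqueName": "Commonly Used Port",
     "comment": "FIN7 has used ports 53, 80, 443, and 8080 for C2."}
  ],
  "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by FIN7", "color": "#ff6666"}]
}
"""

# Hypothetical second layer (invented group and data) used only to demonstrate overlap scoring.
OTHER_GROUP_JSON = """
{
  "name": "Example group (hypothetical)",
  "domain": "mitre-enterprise",
  "version": "2.2",
  "techniques": [
    {"score": 1, "techniqueID": "T1086", "comment": "hypothetical: PowerShell loader"},
    {"score": 1, "techniqueID": "T1105", "comment": "hypothetical: second-stage download"}
  ],
  "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}
}
"""

TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")   # T1086, or T1059.001 in sub-technique layers
HEX_COLOUR = re.compile(r"^#[0-9a-fA-F]{6}$")
# Assumption: accept both the old and the current Navigator domain names.
KNOWN_DOMAINS = {"mitre-enterprise", "mitre-mobile", "enterprise-attack", "mobile-attack"}


def load_layer(text: str) -> dict:
    """Parse layer JSON; json.JSONDecodeError (a ValueError) surfaces malformed input."""
    return json.loads(text)


def validate_layer(layer: dict) -> list[str]:
    """Return the problems found; an empty list means every check passed."""
    problems: list[str] = []
    for key in ("name", "domain", "version", "techniques"):
        if key not in layer:
            problems.append(f"missing top-level key {key!r}")
    if problems:
        return problems                      # the remaining checks need these keys
    if layer["domain"] not in KNOWN_DOMAINS:
        problems.append(f"unknown domain {layer['domain']!r}")
    gradient = layer.get("gradient", {})
    lo, hi = gradient.get("minValue", 0), gradient.get("maxValue", 100)
    if lo >= hi:
        problems.append(f"gradient minValue {lo} is not below maxValue {hi}")
    legend_colours = [item.get("color", "") for item in layer.get("legendItems", [])]
    for colour in gradient.get("colors", []) + legend_colours:
        if not HEX_COLOUR.match(colour):
            problems.append(f"bad colour {colour!r}")
    for tid, n in Counter(t.get("techniqueID") for t in layer["techniques"]).items():
        if n > 1:
            problems.append(f"{tid} listed {n} times")
    for t in layer["techniques"]:
        tid = t.get("techniqueID", "")
        if not TECHNIQUE_ID.match(tid):
            problems.append(f"malformed techniqueID {tid!r}")
        score = t.get("score")
        if score is not None and not lo <= score <= hi:
            problems.append(f"{tid} score {score} outside gradient range [{lo}, {hi}]")
    return problems


def technique_ids(layer: dict) -> list[str]:
    """Sorted, de-duplicated technique IDs: the usual input to a coverage comparison."""
    return sorted({t["techniqueID"] for t in layer["techniques"]})


def merge_layers(name: str, *layers: dict) -> dict:
    """Build a layer whose score per technique is the number of input layers listing it.

    The gradient maxValue is set to the number of inputs so the colour ramp
    spans exactly 'seen in one layer' to 'seen in all of them'.
    """
    counts: Counter = Counter()
    notes: dict[str, list[str]] = {}
    for layer in layers:
        for t in layer["techniques"]:
            tid = t["techniqueID"]
            counts[tid] += 1
            notes.setdefault(tid, []).append(f"{layer['name']}: {t.get('comment', '')}")
    return {
        "name": name,
        "description": f"Techniques shared across {len(layers)} layers",
        "domain": layers[0]["domain"],
        "version": layers[0]["version"],
        "techniques": [{"techniqueID": tid, "score": n, "comment": "\n".join(notes[tid])}
                       for tid, n in sorted(counts.items())],
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": len(layers)},
        "legendItems": [{"label": f"used by all {len(layers)} groups", "color": "#ff6666"}],
    }


if __name__ == "__main__":
    fin7 = load_layer(FIN7_SUBSET_JSON)
    print("problems:", validate_layer(fin7) or "none")
    merged = merge_layers("FIN7 overlap (example)", fin7, load_layer(OTHER_GROUP_JSON))
    for t in merged["techniques"]:
        print(t["techniqueID"], t["score"])
```

Run it against the real file with `load_layer(open("FIN7_G0046.json").read())`; the validator is the check to run before committing a hand-edited layer, since the Navigator silently drops or mis-colours entries whose IDs or scores are off, and the merged layer can be pasted straight into the Navigator's "open existing layer" dialog.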