
FIN8

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)
ID: G0061
Associated Groups: Syssphinx
Version: 2.0
Created: 18 Apr 2018
Last Modified: 19 Sep 2023

Associated Group Descriptions

Name: Syssphinx
Description: (Citation: Symantec FIN8 Jul 2023)

Techniques Used

Domain ID Name Use
Enterprise T1134 .001 Access Token Manipulation: Token Impersonation/Theft

FIN8 has used a malicious framework designed to impersonate the lsass.exe/vmtoolsd.exe token.(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN8 has used HTTPS for command and control.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN8 has used RAR to compress collected data before exfiltration.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell for lateral movement and credential access.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023)

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016) FIN8 has also executed commands remotely via `cmd.exe`.(Citation: FireEye Obfuscation June 2017)(Citation: Bitdefender FIN8 July 2021)(Citation: Symantec FIN8 Jul 2023)

Enterprise T1074 .002 Data Staged: Remote Data Staging

FIN8 aggregates staged data from a network into a single location.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1546 .003 Event Triggered Execution: Windows Management Instrumentation Event Subscription

FIN8 has used WMI event subscriptions for persistence.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1048 .003 Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted Non-C2 Protocol

FIN8 has used FTP to exfiltrate collected data.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN8 has cleared logs during post-compromise cleanup activities.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities. FIN8 has also deleted PowerShell scripts to evade detection on compromised machines.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Symantec FIN8 Jul 2023)

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1027 .010 Obfuscated Files or Information: Command Obfuscation

FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender FIN8 July 2021)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN8 has used open-source tools such as Impacket for targeting efforts.(Citation: Bitdefender Sardonic Aug 2021)

Enterprise T1588 .003 Obtain Capabilities: Code Signing Certificates

FIN8 has used an expired open-source X.509 test certificate from the OpenSSL repository to connect to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)

Enterprise T1566 .001 Phishing: Spearphishing Attachment

FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1566 .002 Phishing: Spearphishing Link

FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1055 .004 Process Injection: Asynchronous Procedure Call

FIN8 has injected malicious code into a new svchost.exe process.(Citation: Bitdefender FIN8 July 2021)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN8 has used RDP for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1021 .002 Remote Services: SMB/Windows Admin Shares

FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context. FIN8 has also used smbexec from the Impacket suite for lateral movement.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)(Citation: Bitdefender Sardonic Aug 2021)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN8 has used scheduled tasks to maintain RDP backdoors.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1518 .001 Software Discovery: Security Software Discovery

FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

FIN8 has used the Ping command to check connectivity to actor-controlled C2 servers.(Citation: Bitdefender Sardonic Aug 2021)

Enterprise T1204 .001 User Execution: Malicious Link

FIN8 has used emails with malicious links to lure victims into installing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Enterprise T1204 .002 User Execution: Malicious File

FIN8 has used malicious email attachments to lure victims into executing malware.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: FireEye Know Your Enemy FIN8 Aug 2016)

Software

S0039 Net
References: (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Microsoft Net Utility) (Citation: Savill 1999)
Techniques: Password Policy Discovery, Domain Groups, System Time Discovery, Domain Account, Local Account, System Service Discovery, Remote System Discovery, Network Share Discovery, System Network Connections Discovery, Network Share Connection Removal, Service Execution, Local Account, Additional Local or Domain Groups, Local Groups, SMB/Windows Admin Shares, Domain Account

S1085 Sardonic
References: (Citation: Bitdefender Sardonic Aug 2021) (Citation: Symantec FIN8 Jul 2023)
Techniques: Windows Management Instrumentation, Command Obfuscation, System Information Discovery, System Network Configuration Discovery, Symmetric Cryptography, Windows Management Instrumentation Event Subscription, Ingress Tool Transfer, Network Share Discovery, Deobfuscate/Decode Files or Information, Data from Local System, Windows Command Shell, Non-Standard Port, Process Discovery, System Service Discovery, Native API, Standard Encoding, Indicator Removal, Reflective Code Loading, Asymmetric Cryptography, Obfuscated Files or Information, PowerShell, System Network Connections Discovery, Asynchronous Procedure Call, Non-Application Layer Protocol

S0357 Impacket
References: (Citation: Bitdefender FIN8 July 2021) (Citation: Bitdefender Sardonic Aug 2021) (Citation: Impacket Tools)
Techniques: LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, LSA Secrets

S1081 BADHATCH
References: (Citation: BitDefender BADHATCH Mar 2021) (Citation: Gigamon BADHATCH Jul 2019)
Techniques: Network Share Discovery, Reflective Code Loading, PowerShell, Process Injection, Remote System Discovery, Process Discovery, System Information Discovery, Screen Capture, Embedded Payloads, System Time Discovery, Scheduled Task, Command Obfuscation, Web Protocols, System Owner/User Discovery, Proxy, Native API, Dynamic-link Library Injection, Network Service Discovery, Ingress Tool Transfer, Asymmetric Cryptography, Encrypted/Encoded File, Web Service, File Deletion, Windows Management Instrumentation Event Subscription, Domain Groups, Pass the Hash, Domain Trust Discovery, Windows Command Shell, File Transfer Protocols, Windows Management Instrumentation, Bypass User Account Control, Asynchronous Procedure Call, Token Impersonation/Theft, System Network Connections Discovery, Exfiltration Over C2 Channel

S0105 dsquery
References: (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: TechNet Dsquery)
Techniques: Domain Account, Domain Trust Discovery, Domain Groups, System Information Discovery

S0481 Ragnar Locker
References: (Citation: Cynet Ragnar Apr 2020) (Citation: Sophos Ragnar May 2020) (Citation: Symantec FIN8 Jul 2023)
Techniques: Data Encrypted for Impact, Inhibit System Recovery, Service Execution, Windows Command Shell, Run Virtual Instance, Service Stop, System Location Discovery, Regsvr32, Windows Service, Msiexec, Disable or Modify Tools, Rundll32, Peripheral Device Discovery

S0196 PUNCHBUGGY
References: (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: Morphisec ShellTea June 2019) (Citation: ShellTea)
Techniques: Python, Rundll32, AppCert DLLs, Shared Modules, Local Account, Security Software Discovery, Registry Run Keys / Startup Folder, Match Legitimate Name or Location, Archive via Utility, PowerShell, Ingress Tool Transfer, Local Data Staging, Web Protocols, Deobfuscate/Decode Files or Information, File Deletion, Obfuscated Files or Information, System Information Discovery

S0359 Nltest
References: (Citation: Bitdefender FIN8 July 2021) (Citation: Nltest Manual)
Techniques: Domain Trust Discovery, Remote System Discovery, System Network Configuration Discovery

S0097 Ping
References: (Citation: Bitdefender Sardonic Aug 2021) (Citation: TechNet Ping)
Techniques: Remote System Discovery

S0197 PUNCHTRACK
References: (Citation: FireEye Fin8 May 2016) (Citation: FireEye Know Your Enemy FIN8 Aug 2016) (Citation: PSVC)
Techniques: Data from Local System, Obfuscated Files or Information, Local Data Staging

S0029 PsExec
References: (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) (Citation: Symantec FIN8 Jul 2023)
Techniques: SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
