FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
ID: G1016
Associated Groups: Elephant Beetle
Version: 1.0
Created: 27 Jul 2023
Last Modified: 29 Sep 2023

Associated Group Descriptions

Name Description
Elephant Beetle (Citation: Sygnia Elephant Beetle Jan 2022)

Techniques Used

Domain ID Name Use
Enterprise T1134 .003 Access Token Manipulation: Make and Impersonate Token

FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1087 .002 Account Discovery: Domain Account

FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: `GetUserSPNs.vbs` and `querySpn.vbs`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1098 .007 Account Manipulation: Additional Local or Domain Groups

FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1071 .001 Application Layer Protocol: Web Protocols

FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

FIN13 has compressed the dump output of compromised credentials with a 7zip binary.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN13 has used Windows Registry run keys such as `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN13 has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Aug 2022)

.003 Command and Scripting Interpreter: Windows Command Shell

FIN13 has leveraged `xp_cmdshell` and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the `xp_cmdshell` SQL procedure to execute remote commands on internal MS-SQL servers.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

.005 Command and Scripting Interpreter: Visual Basic

FIN13 has used VBS scripts for code execution on compromised machines.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1136 .001 Create Account: Local Account

FIN13 has created MS-SQL local accounts in a compromised network.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1074 .001 Data Staged: Local Data Staging

FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1587 .001 Develop Capabilities: Malware

FIN13 has utilized custom malware to maintain persistence in a compromised environment.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1590 .004 Gather Victim Network Information: Network Topology

FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1564 .001 Hide Artifacts: Hidden Files and Directories

FIN13 has created hidden files and folders within a compromised Linux system `/tmp` directory. FIN13 also has used `attrib.exe` to hide gathered local host information.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1574 .001 Hijack Execution Flow: DLL

FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1056 .001 Input Capture: Keylogging

FIN13 has logged the keystrokes of victims to escalate privileges.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

FIN13 has used scheduled task names such as `acrotyr` and `AppServicesr` to mimic the same names in a compromised network's `C:\Windows` directory.(Citation: Mandiant FIN13 Aug 2022)

.005 Masquerading: Match Legitimate Resource Name or Location

FIN13 has masqueraded WAR files to look like legitimate packages such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war.(Citation: Sygnia Elephant Beetle Jan 2022)
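As an added defensive example (not part of this ATT&CK entry or of the cited Mandiant and Sygnia reports), the following Python hunt flags three artifacts named in this table: the `Run\hosts` value under `WOW6432Node` (T1547.001), the task names `acrotyr` and `AppServicesr` (T1036.004), and the masqueraded WAR file names (T1036.005). The event schema (`type`, `target`, `name`, `path`) and the sample telemetry are constructed assumptions; Sysmon registry events use the `HKLM\` prefix, which is folded to `HKEY_LOCAL_MACHINE\` before comparison.

```python
import re

# Artifacts as documented in the technique descriptions above.
RUN_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows"
           r"\CurrentVersion\Run\hosts")
TASK_NAMES = {"acrotyr", "appservicesr"}
WAR_NAMES = {"wsexample.war", "examples.war", "exampl3s.war"}


def normalize_key(path):
    """Map the HKLM prefix Sysmon writes to HKEY_LOCAL_MACHINE and fold case."""
    path = re.sub(r"^HKLM\\", r"HKEY_LOCAL_MACHINE\\", path, flags=re.I)
    return path.lower()


def hunt(events):
    """Return (technique id, matched value) for every event hitting an artifact.

    Events are dicts with a 'type' of 'registry', 'task' or 'file'; this
    schema is an assumption for the example, not a real product's format.
    """
    hits = []
    for ev in events:
        if ev["type"] == "registry" and normalize_key(ev["target"]) == RUN_KEY.lower():
            hits.append(("T1547.001", ev["target"]))
        elif ev["type"] == "task" and ev["name"].lower() in TASK_NAMES:
            hits.append(("T1036.004", ev["name"]))
        elif ev["type"] == "file":
            # Compare only the basename, so Windows and Linux paths both work.
            name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
            if name in WAR_NAMES:
                hits.append(("T1036.005", ev["path"]))
    return hits


# Constructed sample telemetry in the assumed schema: four hits, two benign.
SAMPLE = [
    {"type": "registry", "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts"},
    {"type": "registry", "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "task", "name": "AppServicesr"},
    {"type": "task", "name": "MicrosoftEdgeUpdateTaskMachineCore"},
    {"type": "file", "path": "/opt/tomcat/webapps/exampl3s.war"},
    {"type": "file", "path": r"C:\tomcat\webapps\examples.war"},
]

if __name__ == "__main__":
    for technique, detail in hunt(SAMPLE):
        print(technique, detail)
```

The WAR name check is deliberately exact: `examples.war` also ships with stock Tomcat, so a hit on it is a prompt to compare the archive against the vendor copy, not proof of compromise by itself.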

Enterprise T1003 .001 OS Credential Dumping: LSASS Memory

FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

.002 OS Credential Dumping: Security Account Manager

FIN13 has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashes from a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022)

.003 OS Credential Dumping: NTDS

FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1090 .001 Proxy: Internal Proxy

FIN13 has utilized a proxy tool to communicate between compromised assets.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.(Citation: Mandiant FIN13 Aug 2022)

.002 Remote Services: SMB/Windows Admin Shares

FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022)

.004 Remote Services: SSH

FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.(Citation: Mandiant FIN13 Aug 2022)

.006 Remote Services: Windows Remote Management

FIN13 has leveraged `WMI` to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1505 .003 Server Software Component: Web Shell

FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web servers.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1016 .001 System Network Configuration Discovery: Internet Connection Discovery

FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022)

Enterprise T1550 .002 Use Alternate Authentication Material: Pass the Hash

FIN13 has used the PowerShell utility `Invoke-SMBExec` to execute the pass-the-hash method for lateral movement within a compromised environment.(Citation: Mandiant FIN13 Aug 2022)

Enterprise T1078 .001 Valid Accounts: Default Accounts

FIN13 has leveraged default credentials to authenticate to the myWebMethods (WMS) and QLogic web management interfaces to gain initial access.(Citation: Sygnia Elephant Beetle Jan 2022)

Software

ID Name References Techniques
S0160 certutil (Citation: Sygnia Elephant Beetle Jan 2022) (Citation: TechNet Certutil) Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0357 Impacket (Citation: Impacket Tools) (Citation: Sygnia Elephant Beetle Jan 2022) LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, Lateral Tool Transfer, LSA Secrets
S0363 Empire (Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Sygnia Elephant Beetle Jan 2022) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0002 Mimikatz (Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Mandiant FIN13 Aug 2022) DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets