FIN13
Associated Group Descriptions |
|
Name | Description |
---|---|
Elephant Beetle | (Citation: Sygnia Elephant Beetle Jan 2022) |
Techniques Used |
||||
Domain | ID | Name | Use | |
---|---|---|---|---|
Enterprise | T1134 | .003 | Access Token Manipulation: Make and Impersonate Token |
FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1087 | .002 | Account Discovery: Domain Account |
FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: `GetUserSPNs.vbs` and `querySpn.vbs`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1098 | .007 | Account Manipulation: Additional Local or Domain Groups |
FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1071 | .001 | Application Layer Protocol: Web Protocols |
FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1560 | .001 | Archive Collected Data: Archive via Utility |
FIN13 has compressed the dump output of compromised credentials with a 7zip binary.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1547 | .001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder |
FIN13 has used Windows Registry run keys such as, `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1059 | .001 | Command and Scripting Interpreter: PowerShell |
FIN13 has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Aug 2022) |
.003 | Command and Scripting Interpreter: Windows Command Shell |
FIN13 has leveraged `xp_cmdshell` and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
||
.005 | Command and Scripting Interpreter: Visual Basic |
FIN13 has used VBS scripts for code execution on comrpomised machines.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
Enterprise | T1136 | .001 | Create Account: Local Account |
FIN13 has created MS-SQL local accounts in a compromised network.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1074 | .001 | Data Staged: Local Data Staging |
FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1587 | .001 | Develop Capabilities: Malware |
FIN13 has utilized custom malware to maintain persistence in a compromised environment.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1590 | .004 | Gather Victim Network Information: Network Topology |
FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1564 | .001 | Hide Artifacts: Hidden Files and Directories |
FIN13 has created hidden files and folders within a compromised Linux system `/tmp` directory. FIN13 also has used `attrib.exe` to hide gathered local host information.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1574 | .001 | Hijack Execution Flow: DLL |
FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1056 | .001 | Input Capture: Keylogging |
FIN13 has logged the keystrokes of victims to escalate privileges.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1036 | .004 | Masquerading: Masquerade Task or Service |
FIN13 has used scheduled tasks names such as `acrotyr` and `AppServicesr` to mimic the same names in a compromised network's `C:\Windows` directory.(Citation: Mandiant FIN13 Aug 2022) |
.005 | Masquerading: Match Legitimate Resource Name or Location |
FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
Enterprise | T1003 | .001 | OS Credential Dumping: LSASS Memory |
FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022) |
.002 | OS Credential Dumping: Security Account Manager |
FIN13 has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashes from a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
.003 | OS Credential Dumping: NTDS |
FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
Enterprise | T1588 | .002 | Obtain Capabilities: Tool |
FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1090 | .001 | Proxy: Internal Proxy |
FIN13 has utilized a proxy tool to communicate between compromised assets.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1021 | .001 | Remote Services: Remote Desktop Protocol |
FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.(Citation: Mandiant FIN13 Aug 2022) |
.002 | Remote Services: SMB/Windows Admin Shares |
FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
.004 | Remote Services: SSH |
FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.(Citation: Mandiant FIN13 Aug 2022) |
||
.006 | Remote Services: Windows Remote Management |
FIN13 has leveraged `WMI` to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022) |
||
Enterprise | T1053 | .005 | Scheduled Task/Job: Scheduled Task |
FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1505 | .003 | Server Software Component: Web Shell |
FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web server.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1016 | .001 | System Network Configuration Discovery: Internet Connection Discovery |
FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1552 | .001 | Unsecured Credentials: Credentials In Files |
FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022) |
Enterprise | T1550 | .002 | Use Alternate Authentication Material: Pass the Hash |
FIN13 has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within an compromised environment.(Citation: Mandiant FIN13 Aug 2022) |
Enterprise | T1078 | .001 | Valid Accounts: Default Accounts |
FIN13 has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.(Citation: Sygnia Elephant Beetle Jan 2022) |
Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.