Куда я попал?

SECURITM это SGRC система, автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Подробнее

FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

ID: G1016

Associated Groups: Elephant Beetle

Version: 1.0

Created: 27 Jul 2023

Last Modified: 29 Sep 2023

Name	Description
Associated Group Descriptions
Elephant Beetle	(Citation: Sygnia Elephant Beetle Jan 2022)

Domain	ID		Name	Use
Techniques Used
Enterprise	T1134	.003	Access Token Manipulation: Make and Impersonate Token	FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1087	.002	Account Discovery: Domain Account	FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: `GetUserSPNs.vbs` and `querySpn.vbs`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1098	.007	Account Manipulation: Additional Local or Domain Groups	FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1071	.001	Application Layer Protocol: Web Protocols	FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1560	.001	Archive Collected Data: Archive via Utility	FIN13 has compressed the dump output of compromised credentials with a 7zip binary.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	FIN13 has used Windows Registry run keys such as, `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	FIN13 has used PowerShell commands to obtain DNS data from a compromised network.(Citation: Mandiant FIN13 Aug 2022)
		.003	Command and Scripting Interpreter: Windows Command Shell	FIN13 has leveraged `xp_cmdshell` and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
		.005	Command and Scripting Interpreter: Visual Basic	FIN13 has used VBS scripts for code execution on comrpomised machines.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1136	.001	Create Account: Local Account	FIN13 has created MS-SQL local accounts in a compromised network.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1074	.001	Data Staged: Local Data Staging	FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1587	.001	Develop Capabilities: Malware	FIN13 has utilized custom malware to maintain persistence in a compromised environment.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1590	.004	Gather Victim Network Information: Network Topology	FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1564	.001	Hide Artifacts: Hidden Files and Directories	FIN13 has created hidden files and folders within a compromised Linux system `/tmp` directory. FIN13 also has used `attrib.exe` to hide gathered local host information.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1574	.001	Hijack Execution Flow: DLL	FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1056	.001	Input Capture: Keylogging	FIN13 has logged the keystrokes of victims to escalate privileges.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1036	.004	Masquerading: Masquerade Task or Service	FIN13 has used scheduled tasks names such as `acrotyr` and `AppServicesr` to mimic the same names in a compromised network's `C:\Windows` directory.(Citation: Mandiant FIN13 Aug 2022)
		.005	Masquerading: Match Legitimate Resource Name or Location	FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1003	.001	OS Credential Dumping: LSASS Memory	FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)
		.002	OS Credential Dumping: Security Account Manager	FIN13 has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashes from a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022)
		.003	OS Credential Dumping: NTDS	FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1588	.002	Obtain Capabilities: Tool	FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1090	.001	Proxy: Internal Proxy	FIN13 has utilized a proxy tool to communicate between compromised assets.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1021	.001	Remote Services: Remote Desktop Protocol	FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.(Citation: Mandiant FIN13 Aug 2022)
		.002	Remote Services: SMB/Windows Admin Shares	FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022)
		.004	Remote Services: SSH	FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.(Citation: Mandiant FIN13 Aug 2022)
		.006	Remote Services: Windows Remote Management	FIN13 has leveraged `WMI` to move laterally within a compromised network via application servers and SQL servers.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1505	.003	Server Software Component: Web Shell	FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web server.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1016	.001	System Network Configuration Discovery: Internet Connection Discovery	FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1552	.001	Unsecured Credentials: Credentials In Files	FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.(Citation: Sygnia Elephant Beetle Jan 2022)
Enterprise	T1550	.002	Use Alternate Authentication Material: Pass the Hash	FIN13 has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within an compromised environment.(Citation: Mandiant FIN13 Aug 2022)
Enterprise	T1078	.001	Valid Accounts: Default Accounts	FIN13 has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.(Citation: Sygnia Elephant Beetle Jan 2022)

ID	Name	References	Techniques
Software
S0160	certutil	(Citation: Sygnia Elephant Beetle Jan 2022) (Citation: TechNet Certutil)	Archive via Utility, Install Root Certificate, Deobfuscate/Decode Files or Information, Ingress Tool Transfer
S0357	Impacket	(Citation: Impacket Tools) (Citation: Sygnia Elephant Beetle Jan 2022)	LLMNR/NBT-NS Poisoning and SMB Relay, Network Sniffing, Kerberoasting, Ccache Files, NTDS, Service Execution, LSASS Memory, Windows Management Instrumentation, Security Account Manager, Lateral Tool Transfer, LSA Secrets
S0363	Empire	(Citation: EmPyre) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) (Citation: Sygnia Elephant Beetle Jan 2022)	Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Command Obfuscation, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Information Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket
S0002	Mimikatz	(Citation: Adsecurity Mimikatz Guide) (Citation: Deply Mimikatz) (Citation: Mandiant FIN13 Aug 2022)	DCSync, Credentials from Password Stores, Rogue Domain Controller, Private Keys, SID-History Injection, Security Support Provider, Pass the Hash, Account Manipulation, Pass the Ticket, Credentials from Web Browsers, Golden Ticket, Security Account Manager, LSASS Memory, Silver Ticket, Windows Credential Manager, Steal or Forge Authentication Certificates, LSA Secrets

References

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.

FIN13

Associated Group Descriptions

Techniques Used

Software

References