GRIFFON
Techniques Used

Domain | ID | Name | Use |
---|---|---|---|
Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.(Citation: SecureList Griffon May 2019) |
Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell | GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.(Citation: SecureList Griffon May 2019) |
Enterprise | T1059.007 | Command and Scripting Interpreter: JavaScript | GRIFFON is written in and executed as JavaScript.(Citation: SecureList Griffon May 2019) |
Enterprise | T1069.002 | Permission Groups Discovery: Domain Groups | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.(Citation: SecureList Griffon May 2019) |
Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | GRIFFON has used |

Groups That Use This Software

ID | Name | References |
---|---|---|
G0046 | FIN7 | (Citation: SecureList Griffon May 2019) (Citation: CrowdStrike Carbon Spider August 2021) (Citation: FBI Flash FIN7 USB) |

References
- Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
- Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.
- The Record. (2022, January 7). FBI: FIN7 hackers target US companies with BadUSB devices to install ransomware. Retrieved January 14, 2022.