FIN13 | APT Profile

Description

[FIN13](https://attack.mitre.org/groups/G1016) is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. [FIN13](https://attack.mitre.org/groups/G1016) achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.(Citation: Mandiant FIN13 Aug 2022)(Citation: Sygnia Elephant Beetle Jan 2022)

Techniques Used (TTPs)

T1587.001 — Malware (resource-development)
T1078.001 — Default Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1572 — Protocol Tunneling (command-and-control)
T1021.006 — Windows Remote Management (lateral-movement)
T1133 — External Remote Services (persistence, initial-access)
T1087.002 — Domain Account (discovery)
T1046 — Network Service Discovery (discovery)
T1505.003 — Web Shell (persistence)
T1082 — System Information Discovery (discovery)
T1016 — System Network Configuration Discovery (discovery)
T1090.001 — Internal Proxy (command-and-control)
T1565 — Data Manipulation (impact)
T1059.001 — PowerShell (execution)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1136.001 — Local Account (persistence)
T1003.002 — Security Account Manager (credential-access)
T1003.003 — NTDS (credential-access)
T1190 — Exploit Public-Facing Application (initial-access)
T1589 — Gather Victim Identity Information (reconnaissance)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1021.002 — SMB/Windows Admin Shares (lateral-movement)
T1003.001 — LSASS Memory (credential-access)
T1564.001 — Hidden Files and Directories (defense-evasion)
T1552.001 — Credentials In Files (credential-access)
T1657 — Financial Theft (impact)
T1588.002 — Tool (resource-development)
T1134.003 — Make and Impersonate Token (defense-evasion, privilege-escalation)
T1105 — Ingress Tool Transfer (command-and-control)
T1071.001 — Web Protocols (command-and-control)
T1550.002 — Pass the Hash (defense-evasion, lateral-movement)
T1059.003 — Windows Command Shell (execution)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1016.001 — Internet Connection Discovery (discovery)
T1036 — Masquerading (defense-evasion)
T1059.005 — Visual Basic (execution)
T1098.007 — Additional Local or Domain Groups (persistence, privilege-escalation)
T1574.001 — DLL (persistence, privilege-escalation, defense-evasion)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1590.004 — Network Topology (reconnaissance)
T1135 — Network Share Discovery (discovery)
T1560.001 — Archive via Utility (collection)
T1140 — Deobfuscate/Decode Files or Information (defense-evasion)
T1556 — Modify Authentication Process (credential-access, defense-evasion, persistence)
T1047 — Windows Management Instrumentation (execution)
T1021.004 — SSH (lateral-movement)
T1074.001 — Local Data Staging (collection)
T1056.001 — Keylogging (collection, credential-access)
T1036.005 — Match Legitimate Resource Name or Location (defense-evasion)
T1049 — System Network Connections Discovery (discovery)
T1083 — File and Directory Discovery (discovery)
T1005 — Data from Local System (collection)
T1069 — Permission Groups Discovery (discovery)
T1087 — Account Discovery (discovery)

Total TTPs: 53

Malware & Tools

Tools: Empire, Impacket, Mimikatz, certutil

← Return to Home ← Back to APT Search