FIN6 | APT Profile

Description

[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)

Techniques Used (TTPs)

T1560.003 — Archive via Custom Method (collection)
T1566.001 — Spearphishing Attachment (initial-access)
T1087.002 — Domain Account (discovery)
T1059 — Command and Scripting Interpreter (execution)
T1572 — Protocol Tunneling (command-and-control)
T1213 — Data from Information Repositories (collection)
T1027.010 — Command Obfuscation (defense-evasion)
T1059.007 — JavaScript (execution)
T1102 — Web Service (command-and-control)
T1005 — Data from Local System (collection)
T1547.001 — Registry Run Keys / Startup Folder (persistence, privilege-escalation)
T1059.003 — Windows Command Shell (execution)
T1588.002 — Tool (resource-development)
T1070.004 — File Deletion (defense-evasion)
T1003.003 — NTDS (credential-access)
T1134 — Access Token Manipulation (defense-evasion, privilege-escalation)
T1562.001 — Disable or Modify Tools (defense-evasion)
T1068 — Exploitation for Privilege Escalation (privilege-escalation)
T1204.002 — Malicious File (execution)
T1036.004 — Masquerade Task or Service (defense-evasion)
T1566.003 — Spearphishing via Service (initial-access)
T1059.001 — PowerShell (execution)
T1560 — Archive Collected Data (collection)
T1553.002 — Code Signing (defense-evasion)
T1021.001 — Remote Desktop Protocol (lateral-movement)
T1119 — Automated Collection (collection)
T1018 — Remote System Discovery (discovery)
T1053.005 — Scheduled Task (execution, persistence, privilege-escalation)
T1569.002 — Service Execution (execution)
T1046 — Network Service Discovery (discovery)
T1048.003 — Exfiltration Over Unencrypted Non-C2 Protocol (exfiltration)
T1047 — Windows Management Instrumentation (execution)
T1110.002 — Password Cracking (credential-access)
T1555 — Credentials from Password Stores (credential-access)
T1095 — Non-Application Layer Protocol (command-and-control)
T1078 — Valid Accounts (defense-evasion, persistence, privilege-escalation, initial-access)
T1573.002 — Asymmetric Cryptography (command-and-control)
T1003.001 — LSASS Memory (credential-access)
T1555.003 — Credentials from Web Browsers (credential-access)
T1074.002 — Remote Data Staging (collection)

Total TTPs: 40

Malware & Tools

Malware: Cobalt Strike, FlawedAmmyy, FrameworkPOS, GrimAgent, LockerGoga, Maze, More_eggs, Ryuk

Tools: AdFind, Mimikatz, PsExec, Windows Credential Editor

← Return to Home ← Back to APT Search