FIN6
FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
Techniques: 40
Covered: 39
Gaps: 1
Coverage: 98% (39/40)
COVERED (39)
| Technique | Name | Detections |
|---|---|---|
| T1003.001 | LSASS Memory | 105 |
| T1003.003 | NTDS | 34 |
| T1005 | Data from Local System | 46 |
| T1018 | Remote System Discovery | 46 |
| T1021.001 | Remote Desktop Protocol | 51 |
| T1027.010 | Command Obfuscation | 31 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1046 | Network Service Discovery | 49 |
| T1047 | Windows Management Instrumentation | 85 |
| T1048.003 | Exfiltration Over Unencrypted Non-C2 Protocol | 20 |
| T1053.005 | Scheduled Task | 82 |
| T1059 | Command and Scripting Interpreter | 462 |
| T1059.001 | PowerShell | 338 |
| T1059.003 | Windows Command Shell | 79 |
| T1059.007 | JavaScript | 58 |
| T1068 | Exploitation for Privilege Escalation | 91 |
| T1070.004 | File Deletion | 40 |
| T1074.002 | Remote Data Staging | 3 |
| T1078 | Valid Accounts | 252 |
| T1087.002 | Domain Account | 55 |
| T1095 | Non-Application Layer Protocol | 23 |
| T1102 | Web Service | 33 |
| T1110.002 | Password Cracking | 2 |
| T1119 | Automated Collection | 11 |
| T1134 | Access Token Manipulation | 24 |
| T1204.002 | Malicious File | 397 |
| T1213.006 | Databases | 2 |
| T1547.001 | Registry Run Keys / Startup Folder | 50 |
| T1553.002 | Code Signing | 3 |
| T1555 | Credentials from Password Stores | 38 |
| T1555.003 | Credentials from Web Browsers | 15 |
| T1560 | Archive Collected Data | 11 |
| T1562.001 | Disable or Modify Tools | 300 |
| T1566.001 | Spearphishing Attachment | 850 |
| T1566.003 | Spearphishing via Service | 85 |
| T1569.002 | Service Execution | 63 |
| T1572 | Protocol Tunneling | 51 |
| T1573.002 | Asymmetric Cryptography | 6 |
| T1588.002 | Tool | 13 |