FIN6
FIN6, Magecart Group 6, ITG08, Skeleton Spider, TAAL, Camouflage Tempest
[FIN6](https://attack.mitre.org/groups/G0037) is a cyber crime group that has stolen payment card data and sold it for profit on underground marketplaces. This group has aggressively targeted and compromised point of sale (PoS) systems in the hospitality and retail sectors.(Citation: FireEye FIN6 April 2016)(Citation: FireEye FIN6 Apr 2019)
Techniques: 41 | Covered: 40 | Gaps: 1 | Coverage: 98% (40/41)
COVERED (40)
- T1003.001 LSASS Memory: 111 det.
- T1003.003 NTDS: 36 det.
- T1005 Data from Local System: 47 det.
- T1018 Remote System Discovery: 50 det.
- T1021.001 Remote Desktop Protocol: 53 det.
- T1027.010 Command Obfuscation: 38 det.
- T1036.004 Masquerade Task or Service: 7 det.
- T1046 Network Service Discovery: 51 det.
- T1047 Windows Management Instrumentation: 87 det.
- T1048.003 Exfiltration Over Unencrypted Non-C2 Protocol: 21 det.
- T1053.005 Scheduled Task: 99 det.
- T1059 Command and Scripting Interpreter: 486 det.
- T1059.001 PowerShell: 368 det.
- T1059.003 Windows Command Shell: 82 det.
- T1059.007 JavaScript: 61 det.
- T1068 Exploitation for Privilege Escalation: 99 det.
- T1070.004 File Deletion: 42 det.
- T1074.002 Remote Data Staging: 3 det.
- T1078 Valid Accounts: 280 det.
- T1087.002 Domain Account: 57 det.
- T1095 Non-Application Layer Protocol: 23 det.
- T1102 Web Service: 34 det.
- T1110.002 Password Cracking: 2 det.
- T1119 Automated Collection: 12 det.
- T1134 Access Token Manipulation: 28 det.
- T1204.002 Malicious File: 425 det.
- T1213.006 Databases: 2 det.
- T1547.001 Registry Run Keys / Startup Folder: 53 det.
- T1553.002 Code Signing: 3 det.
- T1555 Credentials from Password Stores: 40 det.
- T1555.003 Credentials from Web Browsers: 16 det.
- T1560 Archive Collected Data: 12 det.
- T1562.001 Disable or Modify Tools: 311 det.
- T1566.001 Spearphishing Attachment: 905 det.
- T1566.003 Spearphishing via Service: 88 det.
- T1569.002 Service Execution: 64 det.
- T1572 Protocol Tunneling: 56 det.
- T1573.002 Asymmetric Cryptography: 6 det.
- T1588.002 Tool: 13 det.
- T1685 Disable or Modify Tools: 278 det.