FIN7
FIN7, GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https:/...
Techniques: 68
Covered: 62
Gaps: 6
Coverage: 91% (62/68)
COVERED (62)
| Technique | Name | Detections |
|---|---|---|
| T1005 | Data from Local System | 47 |
| T1008 | Fallback Channels | 5 |
| T1021.001 | Remote Desktop Protocol | 53 |
| T1021.004 | SSH | 34 |
| T1021.005 | VNC | 2 |
| T1027.010 | Command Obfuscation | 38 |
| T1033 | System Owner/User Discovery | 61 |
| T1036.004 | Masquerade Task or Service | 7 |
| T1036.005 | Match Legitimate Resource Name or Location | 44 |
| T1047 | Windows Management Instrumentation | 87 |
| T1053.005 | Scheduled Task | 99 |
| T1057 | Process Discovery | 20 |
| T1059 | Command and Scripting Interpreter | 486 |
| T1059.001 | PowerShell | 368 |
| T1059.003 | Windows Command Shell | 82 |
| T1059.005 | Visual Basic | 68 |
| T1059.007 | JavaScript | 61 |
| T1069.002 | Domain Groups | 44 |
| T1071.004 | DNS | 34 |
| T1078 | Valid Accounts | 280 |
| T1078.003 | Local Accounts | 23 |
| T1082 | System Information Discovery | 86 |
| T1087.002 | Domain Account | 57 |
| T1091 | Replication Through Removable Media | 8 |
| T1102.002 | Bidirectional Communication | 15 |
| T1105 | Ingress Tool Transfer | 183 |
| T1113 | Screen Capture | 18 |
| T1124 | System Time Discovery | 4 |
| T1125 | Video Capture | 3 |
| T1140 | Deobfuscate/Decode Files or Information | 58 |
| T1190 | Exploit Public-Facing Application | 216 |
| T1195.002 | Compromise Software Supply Chain | 23 |
| T1204.001 | Malicious Link | 10 |
| T1204.002 | Malicious File | 425 |
| T1210 | Exploitation of Remote Services | 35 |
| T1218.005 | Mshta | 49 |
| T1218.011 | Rundll32 | 75 |
| T1219 | Remote Access Tools | 40 |
| T1486 | Data Encrypted for Impact | 360 |
| T1543.003 | Windows Service | 79 |
| T1546.011 | Application Shimming | 11 |
| T1547.001 | Registry Run Keys / Startup Folder | 53 |
| T1553.002 | Code Signing | 3 |
| T1558.003 | Kerberoasting | 34 |
| T1559.002 | Dynamic Data Exchange | 1 |
| T1562.004 | Disable or Modify System Firewall | 48 |
| T1564.001 | Hidden Files and Directories | 25 |
| T1564.003 | Hidden Window | 11 |
| T1566.001 | Spearphishing Attachment | 905 |
| T1566.002 | Spearphishing Link | 904 |
| T1567.002 | Exfiltration to Cloud Storage | 29 |
| T1569.002 | Service Execution | 64 |
| T1571 | Non-Standard Port | 16 |
| T1572 | Protocol Tunneling | 56 |
| T1583.001 | Domains | 61 |
| T1583.006 | Web Services | 1 |
| T1587.001 | Malware | 10 |
| T1588.002 | Tool | 13 |
| T1591.004 | Identify Roles | 2 |
| T1608.001 | Upload Malware | 3 |
| T1620 | Reflective Code Loading | 14 |
| T1686 | Disable or Modify System Firewall | 19 |