FIN7
FIN7, GOLD NIAGARA, ITG14, Carbon Spider, ELBRUS, Sangria Tempest
[FIN7](https://attack.mitre.org/groups/G0046) is a financially-motivated threat group that has been active since 2013. [FIN7](https://attack.mitre.org/groups/G0046) has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of [FIN7](https://attack.mitre.org/groups/G0046) was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, [FIN7](https:/...
Techniques: 67
Covered: 61
Gaps: 6
Coverage: 91% (61/67)
COVERED (61)
T1005 Data from Local System: 46 det.
T1008 Fallback Channels: 5 det.
T1021.001 Remote Desktop Protocol: 51 det.
T1021.004 SSH: 31 det.
T1021.005 VNC: 2 det.
T1027.010 Command Obfuscation: 31 det.
T1033 System Owner/User Discovery: 59 det.
T1036.004 Masquerade Task or Service: 7 det.
T1036.005 Match Legitimate Resource Name or Location: 44 det.
T1047 Windows Management Instrumentation: 85 det.
T1053.005 Scheduled Task: 82 det.
T1057 Process Discovery: 18 det.
T1059 Command and Scripting Interpreter: 462 det.
T1059.001 PowerShell: 338 det.
T1059.003 Windows Command Shell: 79 det.
T1059.005 Visual Basic: 66 det.
T1059.007 JavaScript: 58 det.
T1069.002 Domain Groups: 42 det.
T1071.004 DNS: 31 det.
T1078 Valid Accounts: 252 det.
T1078.003 Local Accounts: 23 det.
T1082 System Information Discovery: 80 det.
T1087.002 Domain Account: 55 det.
T1091 Replication Through Removable Media: 8 det.
T1102.002 Bidirectional Communication: 14 det.
T1105 Ingress Tool Transfer: 170 det.
T1113 Screen Capture: 17 det.
T1124 System Time Discovery: 4 det.
T1125 Video Capture: 3 det.
T1140 Deobfuscate/Decode Files or Information: 55 det.
T1190 Exploit Public-Facing Application: 208 det.
T1195.002 Compromise Software Supply Chain: 23 det.
T1204.001 Malicious Link: 9 det.
T1204.002 Malicious File: 397 det.
T1210 Exploitation of Remote Services: 33 det.
T1218.005 Mshta: 46 det.
T1218.011 Rundll32: 73 det.
T1219 Remote Access Tools: 33 det.
T1486 Data Encrypted for Impact: 339 det.
T1543.003 Windows Service: 79 det.
T1546.011 Application Shimming: 11 det.
T1547.001 Registry Run Keys / Startup Folder: 50 det.
T1553.002 Code Signing: 3 det.
T1558.003 Kerberoasting: 31 det.
T1559.002 Dynamic Data Exchange: 1 det.
T1562.004 Disable or Modify System Firewall: 45 det.
T1564.001 Hidden Files and Directories: 23 det.
T1564.003 Hidden Window: 11 det.
T1566.001 Spearphishing Attachment: 850 det.
T1566.002 Spearphishing Link: 837 det.
T1567.002 Exfiltration to Cloud Storage: 27 det.
T1569.002 Service Execution: 63 det.
T1571 Non-Standard Port: 16 det.
T1572 Protocol Tunneling: 51 det.
T1583.001 Domains: 61 det.
T1583.006 Web Services: 1 det.
T1587.001 Malware: 9 det.
T1588.002 Tool: 13 det.
T1591.004 Identify Roles: 2 det.
T1608.001 Upload Malware: 2 det.
T1620 Reflective Code Loading: 12 det.