FIN8 is a financially motivated threat group known to launch tailored spearphishing campaigns targeting the retail, restaurant, and hospitality industries.[1][2]

ID: G0061
Version: 1.0

Techniques Used

Domain | ID | Name | Use
--- | --- | --- | ---
Enterprise | T1059 | Command-Line Interface | FIN8 executes commands remotely via cmd.exe.[1]
Enterprise | T1043 | Commonly Used Port | FIN8 has tunneled RDP backdoors over port 443.[3]
Enterprise | T1003 | Credential Dumping | FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).[3]
Enterprise | T1002 | Data Compressed | FIN8 has used RAR to compress collected data before exfiltration.[3]
Enterprise | T1074 | Data Staged | FIN8 aggregates staged data from a network into a single location.[3]
Enterprise | T1048 | Exfiltration Over Alternative Protocol | FIN8 has used FTP to exfiltrate collected data.[3]
Enterprise | T1068 | Exploitation for Privilege Escalation | FIN8 has exploited the CVE-2016-0167 local vulnerability.[2][3]
Enterprise | T1107 | File Deletion | FIN8 has deleted tmp and prefetch files during post-compromise cleanup activities.[3]
Enterprise | T1070 | Indicator Removal on Host | FIN8 has cleared logs during post-compromise cleanup activities.[3]
Enterprise | T1112 | Modify Registry | FIN8 has deleted Registry keys during post-compromise cleanup activities.[3]
Enterprise | T1027 | Obfuscated Files or Information | FIN8 has used environment variables and standard input (stdin) to obfuscate command-line arguments. FIN8 also obfuscates malicious macros delivered as payloads.[1][3]
Enterprise | T1086 | PowerShell | FIN8's malicious spearphishing payloads are executed as PowerShell. FIN8 has also used PowerShell during and.[1][3]
Enterprise | T1076 | Remote Desktop Protocol | FIN8 has used RDP for.[3]
Enterprise | T1105 | Remote File Copy | FIN8 has used remote code execution to download subsequent payloads.[2]
Enterprise | T1018 | Remote System Discovery | FIN8 uses dsquery and other Active Directory utilities to enumerate hosts.[3]
Enterprise | T1053 | Scheduled Task | FIN8 has used scheduled tasks to maintain RDP backdoors.[3]
Enterprise | T1064 | Scripting | FIN8 has used a Batch file to automate frequently executed post-compromise cleanup activities.[3]
Enterprise | T1063 | Security Software Discovery | FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.[3]
Enterprise | T1193 | Spearphishing Attachment | FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.[1][2][3]
Enterprise | T1192 | Spearphishing Link | FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.[3]
Enterprise | T1032 | Standard Cryptographic Protocol | FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.[3]
Enterprise | T1204 | User Execution | FIN8 has leveraged both Spearphishing Link and Spearphishing Attachment in attempts to gain User Execution.[1][2][3]
Enterprise | T1078 | Valid Accounts | FIN8 has utilized Valid Accounts during and.[3]
Enterprise | T1077 | Windows Admin Shares | FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials/context.[3]
Enterprise | T1047 | Windows Management Instrumentation | FIN8's malicious spearphishing payloads use WMI to launch malware and spawn cmd.exe execution. FIN8 has also used WMIC during and post-compromise cleanup activities.[1][3]


Software

ID | Name | References | Techniques
--- | --- | --- | ---
S0105 | dsquery | [3] | Account Discovery, Domain Trust Discovery, Permission Groups Discovery
S0039 | Net | [3] | Account Discovery, Create Account, Network Share Connection Removal, Network Share Discovery, Password Policy Discovery, Permission Groups Discovery, Remote System Discovery, Service Execution, System Network Connections Discovery, System Service Discovery, System Time Discovery, Windows Admin Shares
S0196 | PUNCHBUGGY | [2] | AppCert DLLs, Execution through Module Load, File Deletion, Masquerading, Registry Run Keys / Startup Folder, Remote File Copy, Rundll32, Standard Application Layer Protocol
S0197 | PUNCHTRACK | [2] | Data from Local System, Data Staged, Obfuscated Files or Information