ATT&CKcon 6.0 is coming October 14-15 in McLean, VA and live online. To potentially join us on stage, submit to our CFP by July 9th

GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7. ^[1]

ID: S0417

ⓘ

Type: MALWARE

ⓘ

Platforms: Windows

Version: 1.1

Created: 11 October 2019

Last Modified: 25 April 2025

Version Permalink

Live Version

Techniques Used

Domain	ID		Name	Use
Enterprise	T1547	.001	Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.^[1]
Enterprise	T1059	.001	Command and Scripting Interpreter: PowerShell	GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.^[1]
		.007	Command and Scripting Interpreter: JavaScript	GRIFFON is written in and executed as JavaScript.^[1]
Enterprise	T1069	.002	Permission Groups Discovery: Domain Groups	GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.^[1]
Enterprise	T1053	.005	Scheduled Task/Job: Scheduled Task	GRIFFON has used `sctasks` for persistence. ^[1]
Enterprise	T1113		Screen Capture	GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.^[1]
Enterprise	T1082		System Information Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation .^[1]
Enterprise	T1124		System Time Discovery	GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.^[1]

Groups That Use This Software

ID	Name	References
G0046	FIN7	^[1]^[2]^[3]^[4]

References

Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019.
Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021.