G0061 · 37 ATT&CK techniques · 0 correlated reports

FIN8

Aliases: Syssphinx

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.

Open interactive actor investigation

ATT&CK techniques

T1078
Valid Accounts T1070.001
Clear Windows Event Logs T1048.003
Exfiltration Over Unencrypted Non-C2 Protocol T1033
System Owner/User Discovery T1518.001
Security Software Discovery T1021.001
Remote Desktop Protocol T1003.001
LSASS Memory T1588.002
Tool T1204.002
Malicious File T1588.003
Code Signing Certificates T1068
Exploitation for Privilege Escalation T1546.003
Windows Management Instrumentation Event Subscription T1566.002
Spearphishing Link T1053.005
Scheduled Task T1204.001
Malicious Link T1102
Web Service T1027.010
Command Obfuscation T1070.004
File Deletion T1566.001
Spearphishing Attachment T1071.001
Web Protocols T1021.002
SMB/Windows Admin Shares T1560.001
Archive via Utility T1074.002
Remote Data Staging T1105
Ingress Tool Transfer T1082
System Information Discovery T1059.001
PowerShell T1059.003
Windows Command Shell T1573.002
Asymmetric Cryptography T1055.004
Asynchronous Procedure Call T1018
Remote System Discovery T1486
Data Encrypted for Impact T1482
Domain Trust Discovery T1112
Modify Registry T1134.001
Token Impersonation/Theft T1016.001
Internet Connection Discovery T1047
Windows Management Instrumentation T1059
Command and Scripting Interpreter

Correlated CTI and IR reports

Continue the investigation

Interactive ThreatMapper ThreatMapper documentation CTI Analyst Field Manual Israel Threat Actors CTI Anomaly Detection Atlas ITDR Handbook 1200km Medium research