{"description": "Enterprise techniques used by FinFisher, ATT&CK software S0182 (v1.4)", "name": "FinFisher (S0182)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "19", "navigator": "5.3.2"}, "techniques": [{"techniqueID": "T1548", "showSubtechniques": true}, {"techniqueID": "T1548.002", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) performs UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1134", "showSubtechniques": true}, {"techniqueID": "T1134.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) uses token manipulation with NtFilterToken as part of UAC bypass.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) creates a new Windows service with the malicious executable for persistence.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) extracts and decrypts stage 3 malware, which is stored in encrypted resources.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1685", "showSubtechniques": true}, {"techniqueID": "T1685.005", 
"comment": "[FinFisher](https://attack.mitre.org/software/S0182) clears the system event logs using OpenEventLog/ClearEventLog APIs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1083", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) enumerates directories and scans for certain files.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1574", "showSubtechniques": true},
{"techniqueID": "T1574.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) uses DLL side-loading to load malicious programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018) A [FinFisher](https://attack.mitre.org/software/S0182) variant also uses DLL search order hijacking.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1574.013", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created [Asynchronous Procedure Call](https://attack.mitre.org/techniques/T1055/004) stub routine.(Citation: FinFisher exposed )", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1056", "showSubtechniques": true},
{"techniqueID": "T1056.004", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) hooks processes by modifying IAT pointers to CreateWindowEx.(Citation: FinFisher Citation)(Citation: Elastic Process Injection July 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.005", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1027.002", "comment": "A [FinFisher](https://attack.mitre.org/software/S0182) variant uses a custom packer.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.016", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) contains junk code in its functions in an effort to confuse disassembly programs.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1542", "showSubtechniques": true},
{"techniqueID": "T1542.003", "comment": "Some [FinFisher](https://attack.mitre.org/software/S0182) variants incorporate an MBR rootkit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1057", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) checks its parent process for indications that it is running in a sandbox setup.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1055", "showSubtechniques": true},
{"techniqueID": "T1055.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) injects itself into various processes depending on whether it is low integrity or high integrity.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1012", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) queries Registry values as part of its anti-sandbox checks.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1113", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) takes a screenshot of the screen and displays it on top of all other windows for a few seconds in an apparent attempt to hide some messages shown by the system during the setup process.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1518", "showSubtechniques": true},
{"techniqueID": "T1518.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) probes the system to check for antimalware processes.(Citation: FinFisher Citation)(Citation: Securelist BlackOasis Oct 2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1082", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) checks if the victim OS is 32- or 64-bit.(Citation: FinFisher Citation)(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1497", "showSubtechniques": true},
{"techniqueID": "T1497.001", "comment": "[FinFisher](https://attack.mitre.org/software/S0182) obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments.(Citation: Microsoft FinFisher March 2018)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems":
[{"label": "used by FinFisher", "color": "#66b1ff"}]}