FIN13 is a financially motivated threat actor tracked by Mandiant and known to target Mexican organizations. They are distinguished by their preference for passive backdoors (webshells) and an exceptionally long dwell time (median of 2 ½ years). Employing a wide array of custom backdoors as well as native operating system utilities (LOLBAS), they are able to exploit and persist on a large variety of operating systems and platforms.
This #ThreatThursday will come in two parts, with this part covering Initial Access and Discovery, where the adversary gained access and surveyed their environment. The second part will be published later and will cover Lateral Movement, Persistence, and other TTPs related to accomplishing their operational objectives.
Extracting Procedures from CTI
The Mandiant report provides ample material for extracting procedure-level information. For example, it notes that FIN13 takes effective advantage of LOLBAS tools. They have been observed using many executables native to Windows, such as “net”, to survey their target and discover targets for lateral movement. They also take advantage of native scripting languages such as PowerShell (T1059.001) and VBScript (T1059.005) to execute open-source and custom scripts. Using these examples and the report’s list of MITRE ATT&CK techniques employed, we can effectively build an emulation plan for their post-breach behavior.
FIN13 typically gains access by deploying a webshell to a compromised web server. With this initial access they perform discovery and employ a web proxy to interact with servers on the target’s internal network. They avoid typical malware that use active command and control connections back to attacker infrastructure, preferring instead to use webshells that are passive until interacted with.
We will focus on their post-exploitation (post-breach) behavior. Since the SCYTHE client employs active communication protocols, we may consider the C2 traffic out of scope for the purposes of emulation. Instead, we will scope the emulation to cover the commands and behaviors that they perform with their webshells.
After gaining initial access by exploiting a public webserver (T1190), FIN13 performs reconnaissance on the local machine and the internal network.
Part 1 of our emulation is wrapped up in one SCYTHE Campaign that covers their internal reconnaissance techniques. It begins by running several native Windows binaries including:
These executables are very commonly used by threat actors once they have gained initial access, because they provide situational awareness without requiring any additional malware to be uploaded to the compromised system. Since FIN13 primarily uses webshells to run commands, they likely begin without direct low-level access to the operating system (such as the ability to make Windows API calls or Linux syscalls) and limit themselves to capabilities native to the compromised host. As they progress through their operation, they upload additional tools to the target system and eventually execute a secondary malware implant or move laterally to another internal host.
We move on to executing reconnaissance scripts through native Command and Scripting Interpreters (T1059), including PowerShell and VBScript. FIN13 executed custom scripts and leveraged publicly available scripts such as GetUserSPNS.vbs. We have integrated their custom scripts (provided by Mandiant) into our SCYTHE Campaign. Interestingly, one of their scripts (which parses Windows Event Logs for logon events; provided as ExtractLogins.ps1) was found on a code help Q&A website (codetwo[.]com). The script that they executed was the nonfunctional version from the poster’s question, and did not contain the fixes suggested in the answers. Since the code snippet provided by Mandiant did not function properly, we fixed it up under the assumption that FIN13 would have done the same after initially executing the broken script. Our copies of their scripts are packaged with the adversary emulation plan.
We also execute a script (we named it DNSDump.ps1) that queries the local machine’s DNS server for details on all DNS zones and extracts records from them. This script assumes that it is being executed on a Windows Server that is acting in the DNS server role.
The scripts referenced in the Mandiant report write their output to files in the C:\Windows\temp folder, which requires administrative privileges. Other details in the report indicate that FIN13 possessed or assumed administrative access to a compromised web server. While it is generally poor practice to run web servers with high-level privileges, this is not an uncommon configuration. Though it is not generally safe to assume that adversaries will gain initial access with administrative privileges, the TTPs that we have available for FIN13 were observed in a context where that assumption was true. As such, we recommend that this FIN13 SCYTHE Campaign be executed with administrator privileges in order to most accurately emulate the threat intelligence. However, our emulation procedures use the %TEMP% directory rather than explicitly writing to C:\Windows\temp, so they will still execute even if the SCYTHE client is run as a normal user.
Our emulation plan continues to enumerate the network and domain. After checking whether the machine is joined to a Windows domain, we check for the name of the user’s logon server (domain controller). Then, we replicate FIN13’s use of various native tools to locate the domain controller and map the network:
Next, we upload an open-source VBScript tool (GetUserSPNS.vbs) and execute it via command-line using cscript.exe. This script harvests data from the Windows domain to enumerate users vulnerable to Kerberoasting.
Finally, we include another phase of our campaign that deletes all artifacts created on the target, including scripts uploaded and data exfiltrated.
Windows Suspicious Reconnaissance
The first detection capability we’ll cover is the Reconnaissance Activity with Net Command SIGMA Rule. It’s worth noting that this rule will likely need tailoring for your environment(s) and can be broken down into several smaller rules if necessary. The rule is applicable to six detection opportunities in the emulation catching the usage of net1.exe, systeminfo.exe, nslookup.exe, whoami, and netstat.exe. The logic searches for common reconnaissance commands and is available for an in-depth review on the rule page.
Suspicious Net Execution
This detection area is covered by the above rule but focuses more specifically on net execution with specific commands. The rule is SIGMA’s Net.exe Execution and is applicable to the following phases in the SCYTHE plan.
In step 6 of the emulation campaign, systeminfo is executed, which presents an opportunity to detect it. It is covered by the Reconnaissance Activity with Net Command rule previously mentioned, but Sigma also offers Suspicious Execution of Systeminfo to cover the activity.
Fsutil Drive Enumeration
In step seven the command “fsutil fsinfo drives” is executed to enumerate attached drives. To alert on this detection opportunity, deploy a rule that searches for a process name of fsutil.exe, or an original filename of fsutil.exe, with command line parameters of fsinfo and drives. We also contributed the rule Fsutil Drive Enumeration to Sigma.
Attrib is leveraged in step nine of the emulation with the command “attrib /D”, which executes attrib.exe. We recommend baselining attrib.exe execution in the environment so that anomalous usage can be alerted on.
Suspicious PowerShell Parameters
Though we don’t know exactly how the actor was observed executing PowerShell scripts, we recommend thorough coverage of PowerShell, including unmanaged PowerShell. In steps 14 and 16 of the plan we see detection opportunities around the -exec bypass parameter that is leveraged. We recommend the Suspicious PowerShell Parameter Substring Sigma rule for coverage of this detection opportunity.
Suspicious Network Enumeration
In this step we see a detection opportunity around the /all parameter being used with ipconfig. While ipconfig is commonly used by administrators, they often do not leverage the /all parameter. It is recommended to baseline this for the environment, or to deploy and baseline the Suspicious Network Command Sigma rule.
Suspicious Echo Commands
In steps 20, 24, and 25 we observe the enumeration of environment variables via commands containing “echo %”. We recommend that you baseline and alert on commands that contain the string “echo %”.
Cscript Executing Visual Basic Script
The final detection opportunity in the campaign is cscript executing a vbs file. To detect this we recommend the Sigma rule Cscript Visual Basic Execution. The logic of the alert looks for a process image of cscript.exe with a command line containing “.vbs”. Note that baselining and tuning may be needed for the rule.
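To show how the detection logic described in this section (net and other reconnaissance binaries, fsutil fsinfo drives, attrib baselining, the -exec bypass PowerShell parameter, ipconfig /all, “echo %”, and cscript launching a .vbs file) behaves against process-creation telemetry, here is an added example written for this post; it is not SCYTHE code and not the published Sigma rules. It implements a small Sigma-style matcher (endswith, contains, contains-all, equals) and encodes simplified paraphrases of each rule, then runs them over constructed Sysmon Event ID 1 / Security 4688-shaped events. The rule names, the net subcommand list, the extra -ep / -executionpolicy spellings, and the attrib baseline are assumptions made for the example.

```python
"""Added example: evaluate simplified versions of the post's process-creation
detections over constructed events. Rule bodies are paraphrases, not the real
Sigma rules; all events and the attrib baseline are constructed for this demo."""
from typing import Dict, List, Union

# Constructed events in the shape of Sysmon EID 1 / Security 4688 fields.
EVENTS: List[Dict[str, str]] = [
    {"id": "e1", "Image": r"C:\Windows\System32\fsutil.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fsutil fsinfo drives"},
    # Renamed copy of fsutil: only the OriginalFileName (PE header) still gives it away.
    {"id": "e2", "Image": r"C:\Users\web\AppData\Local\Temp\fs.exe", "OriginalFileName": "fsutil.exe",
     "CommandLine": "fs.exe FSINFO DRIVES"},
    {"id": "e3", "Image": r"C:\Windows\System32\ipconfig.exe", "OriginalFileName": "ipconfig.exe",
     "CommandLine": "ipconfig /all"},
    {"id": "e4", "Image": r"C:\Windows\System32\ipconfig.exe", "OriginalFileName": "ipconfig.exe",
     "CommandLine": "ipconfig /release"},  # routine admin use, should not alert
    {"id": "e5", "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "CommandLine": 'cmd.exe /c "echo %USERDOMAIN% > %TEMP%\\out.txt"'},
    {"id": "e6", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "OriginalFileName": "PowerShell.EXE",
     "CommandLine": "powershell -exec bypass -File %TEMP%\\ExtractLogins.ps1"},
    {"id": "e7", "Image": r"C:\Windows\System32\cscript.exe", "OriginalFileName": "cscript.exe",
     "CommandLine": "cscript.exe %TEMP%\\GetUserSPNS.vbs"},
    {"id": "e8", "Image": r"C:\Windows\System32\net1.exe", "OriginalFileName": "net1.exe",
     "CommandLine": 'C:\\Windows\\system32\\net1 group "domain admins" /domain'},
    {"id": "e9", "Image": r"C:\Windows\System32\attrib.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib /D"},
    {"id": "e10", "Image": r"C:\Windows\System32\attrib.exe", "OriginalFileName": "ATTRIB.EXE",
     "CommandLine": "attrib +R C:\\inetpub\\wwwroot\\web.config"},  # in baseline
]

Selection = Dict[str, Union[str, List[str]]]   # every field must match (AND)
Clause = Union[Selection, List[Selection]]     # list = any selection may match (OR)


def _match_field(event: Dict[str, str], key: str, value: Union[str, List[str]]) -> bool:
    """Match one 'Field|modifier' key; comparisons are case-insensitive like Windows."""
    field, _, modifier = key.partition("|")
    actual = event.get(field, "").lower()
    wanted = [w.lower() for w in ([value] if isinstance(value, str) else value)]
    if modifier == "endswith":
        return any(actual.endswith(w) for w in wanted)
    if modifier == "contains":
        return any(w in actual for w in wanted)
    if modifier == "contains|all":
        return all(w in actual for w in wanted)
    if modifier == "":
        return actual in wanted
    raise ValueError(f"unsupported modifier: {modifier}")


def _match_clause(event: Dict[str, str], clause: Clause) -> bool:
    sels = clause if isinstance(clause, list) else [clause]
    return any(all(_match_field(event, k, v) for k, v in s.items()) for s in sels)


# Assumed rule names; each rule is a list of clauses that must all hold.
RULES: Dict[str, List[Clause]] = {
    "recon_native_binaries": [{"Image|endswith": [
        "\\net.exe", "\\net1.exe", "\\systeminfo.exe", "\\nslookup.exe", "\\whoami.exe", "\\netstat.exe"]}],
    "net_suspicious_subcommand": [{"Image|endswith": ["\\net.exe", "\\net1.exe"]},
        {"CommandLine|contains": [" group", " localgroup", " user", " view", " share", " accounts"]}],
    "fsutil_drive_enumeration": [[{"Image|endswith": "\\fsutil.exe"}, {"OriginalFileName": "fsutil.exe"}],
        {"CommandLine|contains|all": ["fsinfo", "drives"]}],
    "powershell_exec_bypass": [{"Image|endswith": ["\\powershell.exe", "\\pwsh.exe"]},
        {"CommandLine|contains": ["-exec bypass", "-ep bypass", "-executionpolicy bypass"]}],
    "ipconfig_all": [{"Image|endswith": "\\ipconfig.exe"}, {"CommandLine|contains": "/all"}],
    "echo_env_var": [{"CommandLine|contains": "echo %"}],
    "cscript_vbs": [{"Image|endswith": "\\cscript.exe"}, {"CommandLine|contains": ".vbs"}],
}


def evaluate(events: List[Dict[str, str]] = EVENTS) -> Dict[str, List[str]]:
    """Return {event id: [rule names]} for every event that matches at least one rule."""
    hits: Dict[str, List[str]] = {}
    for ev in events:
        matched = [name for name, clauses in RULES.items() if all(_match_clause(ev, c) for c in clauses)]
        if matched:
            hits[ev["id"]] = matched
    return hits


# Constructed baseline of attrib.exe command lines seen during normal operations.
ATTRIB_BASELINE = {"attrib +r c:\\inetpub\\wwwroot\\web.config"}


def attrib_anomalies(events: List[Dict[str, str]] = EVENTS, baseline=ATTRIB_BASELINE) -> List[str]:
    """Ids of attrib.exe executions whose command line is not in the baseline."""
    return [ev["id"] for ev in events
            if ev["Image"].lower().endswith("\\attrib.exe") and ev["CommandLine"].lower() not in baseline]


if __name__ == "__main__":
    for event_id, names in evaluate().items():
        print(event_id, "->", ", ".join(names))
    print("attrib anomalies:", attrib_anomalies())
```

Event e2 is the reason the fsutil rule checks OriginalFileName as well as Image: renaming the binary changes the image path but not the PE header name that Sysmon records. The attrib check deliberately uses a baseline rather than a signature, matching the tuning advice above; in production the baseline would be built from weeks of telemetry rather than one constructed entry.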
Detection Section Contributor: Christopher Peacock
This blog post has detailed the first part of our FIN13 emulation based on Mandiant’s report. We covered their use of native Windows binaries and scripting capabilities to survey the compromised environment and discover targets for lateral movement.
Join us soon in the second part of this ThreatThursday, where we emulate FIN13’s more advanced TTPs that exploit the information they gathered through the steps in Part 1 and demonstrate how to execute them within the SCYTHE platform.
About the Author
Shawn Edwards is a Senior Adversary Emulation Engineer at SCYTHE, Inc. where he focuses on leading the development of adversary emulation capabilities and open-source collaboration. He is an experienced offensive capability developer, having developed novel tools and techniques for the open-source, public, and private sectors to be used in red teaming and security research. Previous roles include red teaming at MITRE and their ATT&CK Evaluations project, Sony, and the US DoD.