G1016: FIN13
Analyst context for executives and security teams
FIN13, also known as Elephant Beetle, is a financially motivated group reported by ATT&CK to target financial, retail, and hospitality organizations in Mexico and Latin America, with objectives including theft of intellectual property, financial data, M&A information, and PII. For leaders, the practical issue is not just a named group: the mapped behavior points to credential theft, lateral movement, discovery, persistence, and collection patterns that can turn an intrusion into data-loss and fraud risk.
Executive priority
Prioritize validation of identity, Windows administration, and sensitive-data monitoring controls where the organization operates in or supports Mexico/Latin America, or where financial, retail, hospitality, PII, financial-data, or M&A repositories are material. This object is useful for board and audit discussions because it links business-impact data categories to defensive questions: can the organization prove it monitors credential dumping, remote administration misuse, scheduled-task persistence, and access to high-value data stores?
Technical view
ATT&CK does not provide an official detection section for FIN13, so SOC and IR teams should derive validation from the reported relationships. Coverage should be checked across credential access techniques including LSASS Memory, SAM, and NTDS; lateral movement via RDP, SMB/Windows Admin Shares, SSH, and WinRM; execution through WMI, PowerShell, Windows Command Shell, and Scheduled Task; discovery of network configuration, internet connectivity, services, and connections; and collection from local systems. Tool context includes Mimikatz, certutil, Impacket, and Empire, which means detections should not rely only on malware names but also on behaviors such as credential material access, remote service execution, abnormal administrative protocols, suspicious script execution, and masqueraded services or resources.
Likely telemetry
- Windows security events and authentication logs for RDP, SMB, WinRM, administrative logons, and domain controller access
- Endpoint process creation and command-line telemetry for PowerShell, cmd, WMI, schtasks, certutil, Impacket-like activity, and Empire-like post-exploitation behavior
- Credential-access telemetry around LSASS access, SAM/Registry access, and NTDS.dit access or copying on domain controllers and backups
- Network telemetry for internal service discovery, port scanning, remote administration protocols, SSH use, and unusual host-to-host connections
- Task Scheduler and service creation/modification logs, including names that imitate legitimate tasks or services
Detection direction
- Validate detections by behavior chain, not by group name: discovery followed by credential dumping, administrative protocol use, persistence, and data collection should raise priority.
- Tune PowerShell, WMI, cmd, scheduled task, and remote administration detections to account for legitimate IT administration; false positives are likely without asset criticality, account role, and change-window context.
- Pay special attention to domain controllers and backup locations because related techniques include NTDS and SAM/LSASS credential access.
- Review whether monitoring covers both Windows-heavy behaviors and cross-platform relationships such as SSH and service/network discovery on Linux, macOS, ESXi, network devices, containers, and IaaS where those platforms exist locally.
- Look for masquerading through task, service, file, registry, or resource names that approximate trusted naming patterns rather than only known malicious filenames.
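The behavior-chain idea in the bullets above (and the telemetry list before them) is easiest to see as code. The following is an added example, not Glexia or MITRE code: a small triage routine that matches constructed process-creation events against command-line patterns taken from the procedure text on this page (`reg.exe` hive export, `certutil -decode`, `schtasks` tasks under `C:\Windows`, `net view`/`netstat`/`tracert` discovery, `Invoke-SMBExec`, 7-Zip archiving), groups hits per host, and raises priority by the number of distinct chain stages rather than by any single rule. The event field names (`ts`, `host`, `user`, `cmdline`), hostnames, account names and the management-host/admin-account context are assumptions.

```python
"""Behavior-chain triage over constructed endpoint events (added example)."""
import re
from collections import defaultdict

# Chain stages in the order the "Detection direction" bullets describe them.
STAGE_ORDER = ["discovery", "credential_access", "lateral_movement",
               "persistence", "defense_evasion", "collection"]

# (technique id from this page, chain stage, command-line pattern)
RULES = [
    ("T1135", "discovery", re.compile(r"\bnet(?:\.exe)?\s+view\b", re.I)),
    ("T1049", "discovery", re.compile(r"\bnetstat(?:\.exe)?\b", re.I)),
    ("T1016.001", "discovery", re.compile(r"\b(?:ping|tracert)(?:\.exe)?\b", re.I)),
    ("T1003.002", "credential_access",
     re.compile(r"\breg(?:\.exe)?\s+save\s+hklm\\(?:sam|system)\b", re.I)),
    ("T1550.002", "lateral_movement", re.compile(r"\bInvoke-SMBExec\b", re.I)),
    ("T1053.005", "persistence",
     re.compile(r"\bschtasks(?:\.exe)?\s+/create\b.*C:\\Windows\\", re.I)),
    ("T1140", "defense_evasion", re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I)),
    ("T1560.001", "collection", re.compile(r"\b7z(?:a|r)?(?:\.exe)?\s+a\b", re.I)),
]

# Environment context (assumed): hosts and accounts for which discovery and
# remote administration are routine, so they should not page an analyst alone.
MANAGEMENT_HOSTS = frozenset({"mgmt-01"})
ADMIN_ACCOUNTS = frozenset({"it_admin"})

# Constructed sample events; "ts" is seconds since an arbitrary epoch.
SAMPLE_EVENTS = [
    {"ts": 100, "host": "app-srv-01", "user": "svc_web", "cmdline": "net view \\\\fileserver01"},
    {"ts": 160, "host": "app-srv-01", "user": "svc_web", "cmdline": "netstat -ano"},
    {"ts": 220, "host": "app-srv-01", "user": "svc_web",
     "cmdline": "reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv"},
    {"ts": 230, "host": "app-srv-01", "user": "svc_web",
     "cmdline": "reg.exe save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv"},
    {"ts": 300, "host": "app-srv-01", "user": "svc_web",
     "cmdline": "7z.exe a C:\\Windows\\Temp\\out.7z C:\\Windows\\Temp\\*.hiv"},
    {"ts": 400, "host": "sql-srv-02", "user": "svc_web",
     "cmdline": "powershell.exe -Command Invoke-SMBExec"},
    {"ts": 450, "host": "sql-srv-02", "user": "svc_web",
     "cmdline": "schtasks.exe /create /tn acrotyr /tr C:\\Windows\\acrotyr.exe /sc minute"},
    {"ts": 500, "host": "sql-srv-02", "user": "svc_web",
     "cmdline": "certutil.exe -decode C:\\Windows\\Temp\\p.b64 C:\\Windows\\Temp\\p.exe"},
    # Routine administration on a management host: discovery only.
    {"ts": 600, "host": "mgmt-01", "user": "it_admin", "cmdline": "netstat -ano"},
    {"ts": 610, "host": "mgmt-01", "user": "it_admin", "cmdline": "tracert 10.0.0.1"},
]


def match_event(event):
    """Return (technique, stage) pairs for every rule matching the command line."""
    cmdline = event.get("cmdline", "")
    return [(t, s) for t, s, pattern in RULES if pattern.search(cmdline)]


def triage(events, management_hosts=frozenset(), admin_accounts=frozenset()):
    """Group rule hits per host and grade by how many chain stages were seen."""
    per_host = defaultdict(lambda: {"techniques": set(), "stages": set(),
                                    "users": set(), "first": None, "last": None})
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = match_event(ev)
        if not hits:
            continue
        rec = per_host[ev["host"]]
        for technique, stage in hits:
            rec["techniques"].add(technique)
            rec["stages"].add(stage)
        rec["users"].add(ev.get("user", "?"))
        rec["first"] = ev["ts"] if rec["first"] is None else rec["first"]
        rec["last"] = ev["ts"]

    results = {}
    for host, rec in per_host.items():
        stages = [s for s in STAGE_ORDER if s in rec["stages"]]
        priority = "high" if len(stages) >= 3 else "medium" if len(stages) == 2 else "low"
        # Context suppression: admins doing discovery or remote admin from a
        # management host is expected; credential access or persistence is not.
        routine = (host in management_hosts and rec["users"] <= admin_accounts
                   and set(stages) <= {"discovery", "lateral_movement"})
        if routine:
            priority = "info"
        results[host] = {"priority": priority, "stages": stages,
                         "techniques": sorted(rec["techniques"]),
                         "users": sorted(rec["users"]),
                         "window_s": rec["last"] - rec["first"]}
    return results


if __name__ == "__main__":
    for host, r in triage(SAMPLE_EVENTS, MANAGEMENT_HOSTS, ADMIN_ACCOUNTS).items():
        print(host, r["priority"], r["stages"], r["techniques"], f"{r['window_s']}s")
```

In this constructed data the application server reaches three stages (discovery, credential access, collection) within 200 seconds and the SQL server reaches three others (lateral movement, persistence, defense evasion), so both grade high, while the management host's discovery by an admin account grades as informational. Real deployments would key the grouping on user and host together, bound the chain to a time window, and pull the context sets from a CMDB and change calendar rather than constants.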
Mitigation priorities
- Start with identity hardening: reduce standing administrative privileges, protect domain controllers, enforce strong privileged-access governance, and monitor use of valid accounts for RDP, SMB, SSH, and WinRM.
- Harden and monitor credential stores, including LSASS protection where applicable, restrictions on credential dumping opportunities, and tight control over access to SAM, NTDS.dit, and backups.
- Constrain remote administration paths by limiting RDP, SMB admin shares, SSH, WinRM, WMI, and PowerShell to approved administrators, management hosts, and documented use cases.
- Improve endpoint and server logging for command execution, scheduled tasks, services, and suspicious use of built-in tools such as certutil.
- Classify and monitor high-value data stores containing PII, financial data, intellectual property, and M&A information so collection activity can be investigated quickly.
Analyst notes and limits
This take is based on the supplied ATT&CK group description and relationship context. The strongest business relevance is data theft risk against financial, retail, and hospitality sectors in Mexico and Latin America, plus the related techniques and software indicating credential access, discovery, lateral movement, execution, persistence, stealth, and collection behaviors.
The FIN13 object has no specified platforms, tactics, labels, or official detection guidance. Platform references above come from related ATT&CK techniques and software, not from the group object itself. Local exposure, control effectiveness, and detection coverage require environment-specific evidence.
FIN13
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1587.001 | Malware Sub-technique | FIN13 has utilized custom malware to maintain persistence in a compromised environment. [1][2] |
| Enterprise | T1078.001 | Default Accounts Sub-technique | FIN13 has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access. [2] |
| Enterprise | T1572 | Protocol Tunneling | FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets. [2] |
| Enterprise | T1021.006 | Windows Remote Management Sub-technique | FIN13 has leveraged `WMI` to move laterally within a compromised network via application servers and SQL servers. [2] |
| Enterprise | T1133 | External Remote Services | FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN). [1] |
| Enterprise | T1087.002 | Domain Account Sub-technique | FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: `GetUserSPNs.vbs` and `querySpn.vbs`. [1][2] |
| Enterprise | T1046 | Network Service Discovery | |
| Enterprise | T1505.003 | Web Shell Sub-technique | FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web servers. [2] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1090.001 | Internal Proxy Sub-technique | FIN13 has utilized a proxy tool to communicate between compromised assets. [2] |
| Enterprise | T1565 | Data Manipulation | FIN13 has injected fraudulent transactions into compromised networks that mimic legitimate behavior to siphon off incremental amounts of money. [2] |
| Enterprise | T1059.001 | PowerShell Sub-technique | FIN13 has used PowerShell commands to obtain DNS data from a compromised network. [1] |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network. [1] |
| Enterprise | T1136.001 | Local Account Sub-technique | FIN13 has created MS-SQL local accounts in a compromised network. [2] |
| Enterprise | T1003.002 | Security Account Manager Sub-technique | FIN13 has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashes from a compromised machine. [2] |
| Enterprise | T1003.003 | NTDS Sub-technique | |
| Enterprise | T1190 | Exploit Public-Facing Application | FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NetWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access. [1][2] |
| Enterprise | T1589 | Gather Victim Identity Information | FIN13 has researched employees to target for social engineering attacks. [1] |
| Enterprise | T1036.004 | Masquerade Task or Service Sub-technique | FIN13 has used scheduled task names such as `acrotyr` and `AppServicesr` to mimic the same names in a compromised network's `C:\Windows` directory. [1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares Sub-technique | FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers. [2] |
| Enterprise | T1003.001 | LSASS Memory Sub-technique | |
| Enterprise | T1564.001 | Hidden Files and Directories Sub-technique | |
| Enterprise | T1552.001 | Credentials In Files Sub-technique | FIN13 has obtained administrative credentials by browsing through local files on a compromised machine. [2] |
| Enterprise | T1657 | Financial Theft | FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions. [2] |
| Enterprise | T1588.002 | Tool Sub-technique | |
| Enterprise | T1134.003 | Make and Impersonate Token Sub-technique | FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation. [2] |
| Enterprise | T1105 | Ingress Tool Transfer | FIN13 has downloaded additional tools and malware to compromised systems. [1][2] |
| Enterprise | T1071.001 | Web Protocols Sub-technique | FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data. [1][2] |
| Enterprise | T1550.002 | Pass the Hash Sub-technique | FIN13 has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within a compromised environment. [1] |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | FIN13 has used Windows Registry run keys such as `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence. [1] |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | FIN13 has used `Ping` and `tracert` for network reconnaissance efforts. [1] |
| Enterprise | T1036 | Masquerading | |
| Enterprise | T1059.005 | Visual Basic Sub-technique | FIN13 has used VBS scripts for code execution on compromised machines. [2] |
| Enterprise | T1098.007 | Additional Local or Domain Groups Sub-technique | FIN13 has assigned newly created accounts the sysadmin role to maintain persistence. [2] |
| Enterprise | T1574.001 | DLL Sub-technique | FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507). [2] |
| Enterprise | T1021.001 | Remote Desktop Protocol Sub-technique | FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement. [1] |
| Enterprise | T1590.004 | Network Topology Sub-technique | FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts. [1] |
| Enterprise | T1135 | Network Share Discovery | FIN13 has executed `net view` commands for enumeration of open shares on compromised machines. [1][2] |
| Enterprise | T1560.001 | Archive via Utility Sub-technique | FIN13 has compressed the dump output of compromised credentials with a 7zip binary. [2] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | FIN13 has utilized `certutil` to decode base64 encoded versions of custom malware. [1] |
| Enterprise | T1556 | Modify Authentication Process | FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications. [1] |
| Enterprise | T1047 | Windows Management Instrumentation | FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines. [1][2] |
| Enterprise | T1021.004 | SSH Sub-technique | FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement. [1] |
| Enterprise | T1074.001 | Local Data Staging Sub-technique | FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`. [1][2] |
| Enterprise | T1056.001 | Keylogging Sub-technique | FIN13 has logged the keystrokes of victims to escalate privileges. [1] |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | FIN13 has masqueraded WAR files to look like legitimate packages such as wsexample.war, wsexamples.com, examples.war, and exampl3s.war. [2] |
| Enterprise | T1049 | System Network Connections Discovery | FIN13 has used `netstat` and other net commands for network reconnaissance efforts. [1] |
| Enterprise | T1083 | File and Directory Discovery | FIN13 has used the Windows `dir` command to enumerate files and directories in a victim's network. [1] |
| Enterprise | T1005 | Data from Local System | FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration. [1][2] |
| Enterprise | T1069 | Permission Groups Discovery | FIN13 has enumerated all users and roles from a victim's main treasury system. [1] |
| Enterprise | T1087 | Account Discovery | FIN13 has enumerated all users and their roles from a victim's main treasury system. [1] |
Groups, software, and campaigns
S0357: Impacket
S0002: Mimikatz
S0363: Empire
Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]
S0160: certutil
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 4509347cd8c7… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] Mandiant FIN13 Aug 2022: Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.
[2] Sygnia Elephant Beetle Jan 2022: Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.
[3] Elephant Beetle (alias; citation: Sygnia Elephant Beetle Jan 2022)
[4] mitre-attack G1016
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.