Live Active security incident? Get immediate response
MITRE ATT&CK® Group

G1016: FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.[1][2]

EnterpriseG1016GroupObject v1.0 Modified
Discuss defensive coverage Back to ATT&CK
Glexia's Take

Analyst context for executives and security teams

Analyst confidence Medium

FIN13, also known as Elephant Beetle, is a financially motivated group reported by ATT&CK to target financial, retail, and hospitality organizations in Mexico and Latin America, with objectives including theft of intellectual property, financial data, M&A information, and PII. For leaders, the practical issue is not just a named group: the mapped behavior points to credential theft, lateral movement, discovery, persistence, and collection patterns that can turn an intrusion into data-loss and fraud risk.

Executive priority

Prioritize validation of identity, Windows administration, and sensitive-data monitoring controls where the organization operates in or supports Mexico/Latin America, or where financial, retail, hospitality, PII, financial-data, or M&A repositories are material. This object is useful for board and audit discussions because it links business-impact data categories to defensive questions: can the organization prove it monitors credential dumping, remote administration misuse, scheduled-task persistence, and access to high-value data stores?

Technical view

ATT&CK does not provide an official detection section for FIN13, so SOC and IR teams should derive validation from the reported relationships. Coverage should be checked across credential access techniques including LSASS Memory, SAM, and NTDS; lateral movement via RDP, SMB/Windows Admin Shares, SSH, and WinRM; execution through WMI, PowerShell, Windows Command Shell, and Scheduled Task; discovery of network configuration, internet connectivity, services, and connections; and collection from local systems. Tool context includes Mimikatz, certutil, Impacket, and Empire, which means detections should not rely only on malware names but also on behaviors such as credential material access, remote service execution, abnormal administrative protocols, suspicious script execution, and masqueraded services or resources.

Likely telemetry

  • Windows security events and authentication logs for RDP, SMB, WinRM, administrative logons, and domain controller access
  • Endpoint process creation and command-line telemetry for PowerShell, cmd, WMI, schtasks, certutil, Impacket-like activity, and Empire-like post-exploitation behavior
  • Credential-access telemetry around LSASS access, SAM/Registry access, and NTDS.dit access or copying on domain controllers and backups
  • Network telemetry for internal service discovery, port scanning, remote administration protocols, SSH use, and unusual host-to-host connections
  • Task Scheduler and service creation/modification logs, including names that imitate legitimate tasks or services

Detection direction

  • Validate detections by behavior chain, not by group name: discovery followed by credential dumping, administrative protocol use, persistence, and data collection should raise priority.
  • Tune PowerShell, WMI, cmd, scheduled task, and remote administration detections to account for legitimate IT administration; false positives are likely without asset criticality, account role, and change-window context.
  • Pay special attention to domain controllers and backup locations because related techniques include NTDS and SAM/LSASS credential access.
  • Review whether monitoring covers both Windows-heavy behaviors and cross-platform relationships such as SSH and service/network discovery on Linux, macOS, ESXi, network devices, containers, and IaaS where those platforms exist locally.
  • Look for masquerading through task, service, file, registry, or resource names that approximate trusted naming patterns rather than only known malicious filenames.

Mitigation priorities

  • Start with identity hardening: reduce standing administrative privileges, protect domain controllers, enforce strong privileged-access governance, and monitor use of valid accounts for RDP, SMB, SSH, and WinRM.
  • Harden and monitor credential stores, including LSASS protection where applicable, restrictions on credential dumping opportunities, and tight control over access to SAM, NTDS.dit, and backups.
  • Constrain remote administration paths by limiting RDP, SMB admin shares, SSH, WinRM, WMI, and PowerShell to approved administrators, management hosts, and documented use cases.
  • Improve endpoint and server logging for command execution, scheduled tasks, services, and suspicious use of built-in tools such as certutil.
  • Classify and monitor high-value data stores containing PII, financial data, intellectual property, and M&A information so collection activity can be investigated quickly.
Analyst notes and limits

This take is based on the supplied ATT&CK group description and relationship context. The strongest business relevance is data theft risk against financial, retail, and hospitality sectors in Mexico and Latin America, plus the related techniques and software indicating credential access, discovery, lateral movement, execution, persistence, stealth, and collection behaviors.

The FIN13 object has no specified platforms, tactics, labels, or official detection guidance. Platform references above come from related ATT&CK techniques and software, not from the group object itself. Local exposure, control effectiveness, and detection coverage require environment-specific evidence.

Official MITRE ATT&CK definition

FIN13

FIN13 is a financially motivated cyber threat group that has targeted the financial, retail, and hospitality industries in Mexico and Latin America, as early as 2016. FIN13 achieves its objectives by stealing intellectual property, financial data, mergers and acquisition information, or PII.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

53 rows
Domain ID Name Relationship / procedure
Enterprise T1587.001 Malware Sub-technique

FIN13 has utilized custom malware to maintain persistence in a compromised environment.[1][2]
Enterprise T1078.001 Default Accounts Sub-technique

FIN13 has leveraged default credentials for authenticating myWebMethods (WMS) and QLogic web management interface to gain initial access.[2]
Enterprise T1572 Protocol Tunneling

FIN13 has utilized web shells and Java tools for tunneling capabilities to and from compromised assets.[2]
Enterprise T1021.006 Windows Remote Management Sub-technique

FIN13 has leveraged `WMI` to move laterally within a compromised network via application servers and SQL servers.[2]
Enterprise T1133 External Remote Services

FIN13 has gained access to compromised environments via remote access services such as the corporate virtual private network (VPN).[1]
Enterprise T1087.002 Domain Account Sub-technique

FIN13 can identify user accounts associated with a Service Principal Name and query Service Principal Names within the domain by utilizing the following scripts: `GetUserSPNs.vbs` and `querySpn.vbs`.[1][2]
Enterprise T1046 Network Service Discovery

FIN13 has utilized `nmap` for reconnaissance efforts. FIN13 has also scanned for internal MS-SQL servers in a compromised network.[1][2]
Enterprise T1505.003 Web Shell Sub-technique

FIN13 has utilized obfuscated and open-source web shells such as JspSpy, reGeorg, MiniWebCmdShell, and Vonloesch Jsp File Browser 1.2 to enable remote code execution and to execute commands on compromised web server.[2]
Enterprise T1082 System Information Discovery

FIN13 has collected local host information by utilizing Windows commands `systeminfo`, `fsutil`, and `fsinfo`. FIN13 has also utilized a compromised Symantex Altiris console and LanDesk account to retrieve host information.[1][2]
Enterprise T1016 System Network Configuration Discovery

FIN13 has used `nslookup` and `ipconfig` for network reconnaissance efforts. FIN13 has also utilized a compromised Symantec Altiris console and LanDesk account to retrieve network information.[1][2]
Enterprise T1090.001 Internal Proxy Sub-technique

FIN13 has utilized a proxy tool to communicate between compromised assets.[2]
Enterprise T1565 Data Manipulation

FIN13 has injected fraudulent transactions into compromised networks that mimic legitimate behavior to siphon off incremental amounts of money.[2]
Enterprise T1059.001 PowerShell Sub-technique

FIN13 has used PowerShell commands to obtain DNS data from a compromised network.[1]
Enterprise T1053.005 Scheduled Task Sub-technique

FIN13 has created scheduled tasks in the `C:\Windows` directory of the compromised network.[1]
Enterprise T1136.001 Local Account Sub-technique

FIN13 has created MS-SQL local accounts in a compromised network.[2]
Enterprise T1003.002 Security Account Manager Sub-technique

FIN13 has extracted the SAM and SYSTEM registry hives using the `reg.exe` binary for obtaining password hashes from a compromised machine.[2]
Enterprise T1003.003 NTDS Sub-technique

FIN13 has harvested the NTDS.DIT file and leveraged the Impacket tool on the compromised domain controller to locally decrypt it.[2]
Enterprise T1190 Exploit Public-Facing Application

FIN13 has exploited known vulnerabilities such as CVE-2017-1000486 (Primefaces Application Expression Language Injection), CVE-2015-7450 (WebSphere Application Server SOAP Deserialization Exploit), CVE-2010-5326 (SAP NewWeaver Invoker Servlet Exploit), and EDB-ID-24963 (SAP NetWeaver ConfigServlet Remote Code Execution) to gain initial access.[1][2]
Enterprise T1589 Gather Victim Identity Information

FIN13 has researched employees to target for social engineering attacks.[1]
Enterprise T1036.004 Masquerade Task or Service Sub-technique

FIN13 has used scheduled tasks names such as `acrotyr` and `AppServicesr` to mimic the same names in a compromised network's `C:\Windows` directory.[1]
Enterprise T1021.002 SMB/Windows Admin Shares Sub-technique

FIN13 has leveraged SMB to move laterally within a compromised network via application servers and SQL servers.[2]
Enterprise T1003.001 LSASS Memory Sub-technique

FIN13 has obtained memory dumps with ProcDump to parse and extract credentials from a victim's LSASS process memory with Mimikatz.[1][2]
Enterprise T1564.001 Hidden Files and Directories Sub-technique

FIN13 has created hidden files and folders within a compromised Linux system `/tmp` directory. FIN13 also has used `attrib.exe` to hide gathered local host information.[1][2]
Enterprise T1552.001 Credentials In Files Sub-technique

FIN13 has obtained administrative credentials by browsing through local files on a compromised machine.[2]
Enterprise T1657 Financial Theft

FIN13 has observed the victim's software and infrastructure over several months to understand the technical process of legitimate financial transactions, prior to attempting to conduct fraudulent transactions.[2]
Enterprise T1588.002 Tool Sub-technique

FIN13 has utilized publicly available tools such as Mimikatz, Impacket, PWdump7, ProcDump, Nmap, and Incognito V2 for targeting efforts.[2]
Enterprise T1134.003 Make and Impersonate Token Sub-technique

FIN13 has utilized tools such as Incognito V2 for token manipulation and impersonation.[2]
Enterprise T1105 Ingress Tool Transfer

FIN13 has downloaded additional tools and malware to compromised systems.[1][2]
Enterprise T1071.001 Web Protocols Sub-technique

FIN13 has used HTTP requests to chain multiple web shells and to contact actor-controlled C2 servers prior to exfiltrating stolen data.[1][2]
Enterprise T1550.002 Pass the Hash Sub-technique

FIN13 has used the PowerShell utility `Invoke-SMBExec` to execute the pass the hash method for lateral movement within an compromised environment.[1]
Enterprise T1059.003 Windows Command Shell Sub-technique

FIN13 has leveraged `xp_cmdshell` and Windows Command Shell to execute commands on a compromised machine. FIN13 has also attempted to leverage the ‘xp_cmdshell’ SQL procedure to execute remote commands on internal MS-SQL servers.[1][2]
Enterprise T1547.001 Registry Run Keys / Startup Folder Sub-technique

FIN13 has used Windows Registry run keys such as, `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\hosts` to maintain persistence.[1]
Enterprise T1016.001 Internet Connection Discovery Sub-technique

FIN13 has used `Ping` and `tracert` for network reconnaissance efforts.[1]
Enterprise T1036 Masquerading

FIN13 has masqueraded staged data by using the Windows certutil utility to generate fake Base64 encoded certificates with the input file.[1][2]
Enterprise T1059.005 Visual Basic Sub-technique

FIN13 has used VBS scripts for code execution on comrpomised machines.[2]
Enterprise T1098.007 Additional Local or Domain Groups Sub-technique

FIN13 has assigned newly created accounts the sysadmin role to maintain persistence.[2]
Enterprise T1574.001 DLL Sub-technique

FIN13 has used IISCrack.dll as a side-loading technique to load a malicious version of httpodbc.dll on old IIS Servers (CVE-2001-0507).[2]
Enterprise T1021.001 Remote Desktop Protocol Sub-technique

FIN13 has remotely accessed compromised environments via Remote Desktop Services (RDS) for lateral movement.[1]
Enterprise T1590.004 Network Topology Sub-technique

FIN13 has searched for infrastructure that can provide remote access to an environment for targeting efforts.[1]
Enterprise T1135 Network Share Discovery

FIN13 has executed net view commands for enumeration of open shares on compromised machines.[1][2]
Enterprise T1560.001 Archive via Utility Sub-technique

FIN13 has compressed the dump output of compromised credentials with a 7zip binary.[2]
Enterprise T1140 Deobfuscate/Decode Files or Information

FIN13 has utilized `certutil` to decode base64 encoded versions of custom malware.[1]
Enterprise T1556 Modify Authentication Process

FIN13 has replaced legitimate KeePass binaries with trojanized versions to collect passwords from numerous applications.[1]
Enterprise T1047 Windows Management Instrumentation

FIN13 has utilized `WMI` to execute commands and move laterally on compromised Windows machines.[1][2]
Enterprise T1021.004 SSH Sub-technique

FIN13 has remotely accessed compromised environments via secure shell (SSH) for lateral movement.[1]
Enterprise T1074.001 Local Data Staging Sub-technique

FIN13 has utilized the following temporary folders on compromised Windows and Linux systems for their operations prior to exfiltration: `C:\Windows\Temp` and `/tmp`.[1][2]
Enterprise T1056.001 Keylogging Sub-technique

FIN13 has logged the keystrokes of victims to escalate privileges.[1]
Enterprise T1036.005 Match Legitimate Resource Name or Location Sub-technique

FIN13 has masqueraded WAR files to look like legitimate packages such as, wsexample.war, wsexamples.com, examples.war, and exampl3s.war.[2]
Enterprise T1049 System Network Connections Discovery

FIN13 has used `netstat` and other net commands for network reconnaissance efforts.[1]
Enterprise T1083 File and Directory Discovery

FIN13 has used the Windows `dir` command to enumerate files and directories in a victim's network.[1]
Enterprise T1005 Data from Local System

FIN13 has gathered stolen credentials, sensitive data such as point-of-sale (POS), and ATM data from a compromised network before exfiltration.[1][2]
Enterprise T1069 Permission Groups Discovery

FIN13 has enumerated all users and roles from a victim's main treasury system.[1]
Enterprise T1087 Account Discovery

FIN13 has enumerated all users and their roles from a victim's main treasury system.[1]
Associated objects

Groups, software, and campaigns

Tool Enterprise

S0357: Impacket

Impacket is an open source collection of modules written in Python for programmatically constructing and manipulating network protocols. Impacket contains several tools for remote service execution, Kerberos manipulation, Windows credential dumping, packet sniffing, and relay attacks.[1]

LinuxmacOSWindows
Tool Enterprise

S0002: Mimikatz

Mimikatz is a credential dumper capable of obtaining plaintext Windows account logins and passwords, along with many other features that make it useful for testing the security of networks. [1] [2]

Windows
Tool Enterprise

S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

LinuxmacOSWindows
Tool Enterprise

S0160: certutil

certutil is a command-line utility that can be used to obtain certificate authority information and configure Certificate Services. [1]

Windows
Relationship explorer

All related ATT&CK context

uses · Tool S0357: Impacket Enterprise uses · Technique T1587.001: Malware Enterprise uses · Technique T1078.001: Default Accounts Enterprise uses · Technique T1572: Protocol Tunneling Enterprise uses · Technique T1021.006: Windows Remote Management Enterprise uses · Technique T1133: External Remote Services Enterprise uses · Technique T1087.002: Domain Account Enterprise uses · Technique T1046: Network Service Discovery Enterprise uses · Technique T1505.003: Web Shell Enterprise uses · Technique T1082: System Information Discovery Enterprise uses · Technique T1016: System Network Configuration Discovery Enterprise uses · Technique T1090.001: Internal Proxy Enterprise uses · Technique T1565: Data Manipulation Enterprise uses · Technique T1059.001: PowerShell Enterprise uses · Technique T1053.005: Scheduled Task Enterprise uses · Technique T1136.001: Local Account Enterprise uses · Technique T1003.002: Security Account Manager Enterprise uses · Technique T1003.003: NTDS Enterprise uses · Technique T1190: Exploit Public-Facing Application Enterprise uses · Technique T1589: Gather Victim Identity Information Enterprise uses · Technique T1036.004: Masquerade Task or Service Enterprise uses · Technique T1021.002: SMB/Windows Admin Shares Enterprise uses · Technique T1003.001: LSASS Memory Enterprise uses · Technique T1564.001: Hidden Files and Directories Enterprise
Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release
19.1
Object version
1.0
Created
Modified
Raw hash
4509347cd8c76c49...
Imported snapshots across ATT&CK releases (1)
Release Bundle imported Object version Modified Status Raw hash
19.1 1.0 Current bundle 4509347cd8c7…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Open mirrored raw JSON Open MITRE-hosted copy
Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1]
    Mandiant FIN13 Aug 2022

    Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023.

    Open source URL
  2. [2]
    Sygnia Elephant Beetle Jan 2022

    Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023.

    Open source URL
  3. [3]
    Elephant Beetle

    (Citation: Sygnia Elephant Beetle Jan 2022)

  4. [4]
    mitre-attack G1016
    Open source URL
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.

Official MITRE ATT&CK site Official STIX data repository MITRE ATT&CK terms of use