S0417 GRIFFON

GRIFFON is a JavaScript backdoor used by FIN7.[1]

| Item | Value |
| --- | --- |
| ID | S0417 |
| Associated Names | |
| Type | MALWARE |
| Version | 1.1 |
| Created | 11 October 2019 |
| Last Modified | 23 June 2020 |
| Navigation Layer | View In ATT&CK® Navigator |

Techniques Used

| Domain | ID | Name | Use |
| --- | --- | --- | --- |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.[1] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.[1] |
| enterprise | T1059.007 | JavaScript | GRIFFON is written in and executed as JavaScript.[1] |
| enterprise | T1069 | Permission Groups Discovery | - |
| enterprise | T1069.002 | Domain Groups | GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.[1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | GRIFFON has used schtasks for persistence.[1] |
| enterprise | T1113 | Screen Capture | GRIFFON has used a screenshot module that can be used to take a screenshot of the remote system.[1] |
| enterprise | T1082 | System Information Discovery | GRIFFON has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation.[1] |
| enterprise | T1124 | System Time Discovery | GRIFFON has used a reconnaissance module that can be used to retrieve the date and time of the system.[1] |

Groups That Use This Software

| ID | Name | References |
| --- | --- | --- |
| G0046 | FIN7 | [1][2][3] |

References