MITRE ATT&CK for Financial Services — Top 30 Techniques Used Against Banks and Fintech
Published May 19, 2026 · By AxVeil Red Team · 18 min read
Banking, financial services, and insurance (BFSI) — together with payment processors, NBFCs, and the wider fintech stack — sit in the crosshairs of more financially motivated adversaries than any other vertical. The 2024 IBM Cost of a Data Breach report priced the average financial-sector breach at USD 6.08 million, second only to healthcare. For Indian banks regulated by the RBI, for issuers under SEBI's 2024 Cybersecurity and Cyber Resilience Framework (CSCRF), for EU-licensed fintechs covered by DORA, and for any merchant in PCI DSS scope, the question is no longer "will we be targeted" but "against which techniques are we measurably defended?"
This brief maps the top 30 MITRE ATT&CK Enterprise techniques observed against financial-services targets to 12 tactics, with the threat-actor citations drawn directly from the MITRE ATT&CK Groups knowledge base. Every technique is paired with a detection idea and a remediation primitive your engineering or SOC team can act on this quarter. Use it as a coverage baseline before commissioning a red team engagement or scoping a TIBER-EU style threat-led penetration test.
Threat-actor landscape in financial services
Six groups account for the bulk of public, attributable activity against banks and fintech. Five of them have their own technique inventory on the MITRE Groups site; treat those pages, not a vendor whitepaper, as the canonical adversary profile. MoneyTaker is the exception, tracked in vendor reporting rather than in ATT&CK, and is kept in the list because its card-processing tradecraft is directly relevant to this vertical.
- FIN7 (G0046) — financially motivated, originally focused on point-of-sale and payment-card data theft from retail and hospitality but with documented pivots into banking. Known for CARBANAK, Griffon, and POWERSOURCE tooling.
- FIN11 (G0085) — high-volume phishing operator with documented CL0P ransomware overlap and a track record against financial services and managed file transfer infrastructure (the 2023 GoAnywhere MFT and MOVEit Transfer campaigns hit banks and insurers downstream).
- Lazarus Group (G0032) — DPRK-linked, responsible for the SWIFT-network theft from Bangladesh Bank (2016) and a continuing portfolio of cryptocurrency-exchange thefts. Detailed treatment in our Lazarus ATT&CK brief.
- Carbanak (G0008) — the original bank-as-target group, named for the eponymous backdoor; technique inventory heavily skewed toward stealthy long-dwell intrusions inside core banking networks.
- MoneyTaker — Russian-speaking group active since at least 2016, documented by Group-IB targeting card-processing systems: First Data's STAR network at US community banks and the AWS CBR interbank transfer system in Russia. It has no dedicated MITRE Groups entry, so its technique citations come from vendor reporting rather than the ATT&CK knowledge base.
- Cobalt Group (G0080) — ATM jackpotting and SWIFT-fraud operator with a heavy Cobalt Strike footprint; documented targeting of banks in more than 40 countries.
For Indian and South Asian fintech specifically, this short-list is the right adversary baseline. The August 2018 Cosmos Bank (Pune) ATM cash-out and SWIFT theft has been widely attributed to Lazarus; the Bancomext (January 2018) SWIFT intrusion in Mexico was among the bank heists charged in the 2021 US indictment of DPRK operators, and the Banco de Chile (May 2018) SWIFT theft was attributed to Lazarus in vendor reporting; and the CL0P MOVEit Transfer campaign linked to FIN11 reached Indian financial-services organisations downstream in 2023.
Initial access — T1566, T1190, T1078.004
T1566 — Phishing
By a wide margin the most common BFSI initial-access vector. FIN7 and FIN11 are heavy phishing operators; FIN7 sub-techniques include T1566.001 (Spearphishing Attachment) with macro-laden documents and ISO containers. Detection: alert on Office processes spawning cmd / wscript / powershell with a network egress within 60 seconds (parent-child anomaly). Remediation: ASR rules (Microsoft Defender attack surface reduction) blocking Office child processes; enable Mark-of-the-Web propagation for ISO / IMG / VHD containers; quarantine HTML smuggling payloads at the gateway.
T1190 — Exploit Public-Facing Application
FIN11's exploitation of GoAnywhere MFT (CVE-2023-0669, January 2023) and MOVEit Transfer (CVE-2023-34362, May 2023) pushed well over two thousand organisations, banks and insurance carriers among them, into breach-notification posture within six months. Both were exploited before public disclosure, so patch cadence alone would not have saved you. Detection: external attack-surface monitoring and WAF rules backed by daily vulnerability rescans; alert on first-seen web-shell paths on file-transfer hosts (for MOVEit, the human2.aspx drop under the web root). Remediation: ring-fence MFT systems in dedicated VLANs with no path to the core banking network; subscribe to each MFT vendor's security advisory feed and treat MFT as a tier-0 asset for emergency patching and for restricting outbound connectivity.
T1078.004 — Valid Accounts: Cloud Accounts
Cloud-identity abuse is the dominant ingress for fintechs running on AWS / Azure / GCP. Adversaries buy or phish IAM credentials, then ride them past perimeter controls that were designed around network location. Detection: AWS GuardDuty CredentialAccess and InitialAccess findings (for example CredentialAccess:IAMUser/AnomalousBehavior), Entra ID Identity Protection risk events, impossible-travel sign-ins, and first use of a long-lived access key from a new ASN. Remediation: enforce hardware-bound FIDO2 for every privileged role; replace long-lived access keys with role assumption and short-lived STS credentials; require IMDSv2 on every EC2 instance so an SSRF cannot harvest instance-role credentials.
Execution — T1059, T1204
T1059 — Command and Scripting Interpreter
PowerShell (T1059.001) and Bash (T1059.004) dominate. Carbanak and Cobalt Group have long-documented PowerShell tradecraft on the MITRE Groups pages. Detection: Sysmon EID 1 plus PowerShell EID 4104 (script-block logging), alerting on encoded commands longer than 500 bytes, IEX download cradles, and AMSI bypass patterns. Remediation: Constrained Language Mode for non-administrative users; PowerShell logging at module, script-block and transcription levels; remove the legacy PowerShell 2.0 engine, which has none of that logging.
T1204 — User Execution
Macro-laden attachments and HTML smuggling work because users still double-click. FIN7 ran a multi-year campaign mailing weaponised USB drives (BadUSB) to targets in transportation, insurance and defence (FBI Flash alert, January 2022). Detection: alert on Mark-of-the-Web stripping (deletion of the Zone.Identifier alternate data stream) and on Office documents opened from mounted ISO / IMG volumes. Remediation: keep Microsoft's default block on macros in files from the internet (in place since 2022) and enforce it by policy so users cannot unblock; least-privilege endpoints with no local admin for end users; a quarterly internal phishing-simulation cadence with real metrics.
Persistence — T1547.001, T1098.001
T1547.001 — Registry Run Keys / Startup Folder
Carbanak and Cobalt Group both use Run keys for low-effort persistence. Detection: Sysmon EID 13 (RegistryEvent, value set) on HKCU\Software\Microsoft\Windows\CurrentVersion\Run and the HKLM equivalent where the writing process is not an installer (msiexec.exe, a signed setup binary) or the software-deployment agent. Remediation: baseline Run-key and Startup-folder entries with osquery or Autoruns and alert on delta; WDAC / AppLocker so a persisted binary in a user-writable path cannot execute anyway. The Defender ASR rule "Block persistence through WMI event subscription" covers the adjacent T1546.003 path, not Run keys, so do not count it toward this technique.
T1098.001 — Account Manipulation: Additional Cloud Credentials
Adding extra access keys, OAuth app consents, or service-principal credentials is the modern persistence primitive in fintech cloud estates. Detection: CloudTrail CreateAccessKey, CreateLoginProfile or AddUserToGroup events outside change windows; Entra ID audit-log activities "Consent to application" and "Add app role assignment to service principal" for tenant-wide consents. Remediation: an AWS SCP denying iam:CreateAccessKey outside a break-glass role; Entra ID admin-consent workflow, with user consent disabled, for any OAuth app requesting Mail.ReadWrite or Directory.ReadWrite.All.
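The CloudTrail side of this detection and the SCP from the remediation, as an added worked example that is not code from the original article. The CloudTrail field names (eventName, eventTime, userIdentity.arn, sourceIPAddress) are real; the records, the change window, the account ID and the BreakGlassAdmin role name are constructed. The scp_blocks helper evaluates only this one Deny statement, not the full IAM policy evaluation logic.

```python
"""T1098.001: flag IAM credential/group changes outside change windows by anyone
other than the break-glass role, and show the SCP that prevents key creation.

Added example, not from the original article. CloudTrail field names are real;
records, window, account ID and role name are constructed.
"""
import fnmatch
from datetime import datetime

PERSISTENCE_EVENTS = {"CreateAccessKey", "CreateLoginProfile", "UpdateLoginProfile",
                      "AddUserToGroup", "AttachUserPolicy", "CreateServiceSpecificCredential"}
BREAK_GLASS_ROLES = {"BreakGlassAdmin"}                                 # assumption
CHANGE_WINDOWS = [("2026-05-16T22:00:00Z", "2026-05-17T02:00:00Z")]    # constructed CAB window

# The remediation as policy: deny access-key creation unless the caller is the
# break-glass role. For an assumed-role session aws:PrincipalArn is the role ARN,
# so the ArnNotLike pattern matches the role, not the session.
DENY_ACCESS_KEY_SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyAccessKeyCreationOutsideBreakGlass",
        "Effect": "Deny",
        "Action": ["iam:CreateAccessKey", "iam:CreateLoginProfile"],
        "Resource": "*",
        "Condition": {"ArnNotLike": {"aws:PrincipalArn": "arn:aws:iam::*:role/BreakGlassAdmin"}},
    }],
}

# Constructed CloudTrail records (trimmed to the fields the analytic reads).
SAMPLE_RECORDS = [
    {"eventTime": "2026-05-16T23:15:00Z", "eventName": "CreateAccessKey",          # inside window
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/release-bot"},
     "sourceIPAddress": "10.8.0.12", "requestParameters": {"userName": "release-bot"}},
    {"eventTime": "2026-05-18T14:07:31Z", "eventName": "CreateAccessKey",          # off-window
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-payments-batch"},
     "sourceIPAddress": "198.51.100.23", "requestParameters": {"userName": "svc-payments-batch"}},
    {"eventTime": "2026-05-18T14:08:02Z", "eventName": "AddUserToGroup",           # off-window
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-payments-batch"},
     "sourceIPAddress": "198.51.100.23",
     "requestParameters": {"userName": "svc-payments-batch", "groupName": "Administrators"}},
    {"eventTime": "2026-05-18T03:00:00Z", "eventName": "CreateAccessKey",          # break-glass
     "userIdentity": {"arn": "arn:aws:sts::111122223333:assumed-role/BreakGlassAdmin/oncall"},
     "sourceIPAddress": "10.8.0.40", "requestParameters": {"userName": "ir-collector"}},
    {"eventTime": "2026-05-18T14:09:00Z", "eventName": "DescribeInstances",        # irrelevant
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/svc-payments-batch"},
     "sourceIPAddress": "198.51.100.23"},
]


def _t(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def in_change_window(event_time, windows=CHANGE_WINDOWS):
    t = _t(event_time)
    return any(_t(start) <= t <= _t(end) for start, end in windows)


def role_name(arn):
    """arn:aws:sts::111122223333:assumed-role/BreakGlassAdmin/oncall -> BreakGlassAdmin;
    None for IAM users and anything that is not an assumed-role session."""
    parts = arn.split(":", 5)[-1].split("/")
    return parts[1] if parts[0] == "assumed-role" and len(parts) > 1 else None


def flag_iam_persistence(records, windows=CHANGE_WINDOWS, break_glass=BREAK_GLASS_ROLES):
    alerts = []
    for r in records:
        if r["eventName"] not in PERSISTENCE_EVENTS:
            continue
        arn = r["userIdentity"]["arn"]
        if role_name(arn) in break_glass or in_change_window(r["eventTime"], windows):
            continue
        alerts.append({"eventTime": r["eventTime"], "eventName": r["eventName"],
                       "principal": arn, "sourceIP": r["sourceIPAddress"],
                       "target": r.get("requestParameters", {})})
    return alerts


def scp_blocks(action, principal_arn, policy=DENY_ACCESS_KEY_SCP):
    """True if this policy's Deny statement would block `action` for `principal_arn`.
    Evaluates only the ArnNotLike condition of this statement, nothing more."""
    for st in policy["Statement"]:
        if st["Effect"] != "Deny" or action not in st["Action"]:
            continue
        pattern = st["Condition"]["ArnNotLike"]["aws:PrincipalArn"]
        if not fnmatch.fnmatchcase(principal_arn, pattern):
            return True
    return False


if __name__ == "__main__":
    for a in flag_iam_persistence(SAMPLE_RECORDS):
        print(a)
```

Note the two analytics reinforce each other: the SCP turns the off-window CreateAccessKey into an AccessDenied event, which CloudTrail still records with errorCode set, so the detection should also fire on denied attempts rather than only on successes.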
Privilege escalation — T1548, T1078
T1548 — Abuse Elevation Control Mechanism
UAC bypasses (T1548.002), sudo abuse on Linux jump boxes (T1548.003), and setuid / setgid binaries on Linux hosts (T1548.001). Detection: Sysmon EID 1 showing a High-integrity process whose parent ran at Medium integrity with no consent.exe prompt in between; auditd execve records for sudo with no controlling TTY. Remediation: set UAC to "Always notify" on admin endpoints; remove NOPASSWD from sudoers; require just-in-time elevation via PAM tooling.
T1078 — Valid Accounts
Reused across initial access, persistence, privilege escalation, and defense evasion — by design. BFSI environments suffer disproportionately from shared service accounts with old, static passwords. Detection: service-account login from interactive sessions; logon-type 10 (RDP) with non-personal accounts. Remediation: rotate service-account credentials via a secrets manager (HashiCorp Vault, AWS Secrets Manager) with checkout / checkin auditing; enforce Group Managed Service Accounts (gMSA) on Windows.
Defense evasion — T1027, T1036, T1562.001
T1027 — Obfuscated Files or Information
VMProtect / Themida packing, XOR encoding, and PowerShell encoded commands. Lazarus and Carbanak both ship multi-stage XOR loaders. Detection: entropy-based YARA rules (YARA's math module exposes an entropy function) at the email and EDR layer; alert on PE files whose .text section entropy exceeds 7.2 bits per byte, a level characteristic of packed or encrypted data rather than compiled instructions. Remediation: EDR with in-memory scanning (AMSI integration); deny execution from user-writable paths via WDAC / AppLocker.
T1036 — Masquerading
Adversaries rename payloads to look like legitimate binaries (svchost.exe in a user profile; chrome.exe under AppData). FIN7 has documented use of LNK files masquerading as PDFs. Detection: EDR query on processes whose name matches a system binary but path is outside System32. Remediation: WDAC publisher rules pinned to Microsoft signatures; block double-extension files at email gateway.
T1562.001 — Impair Defenses: Disable or Modify Tools
EDR-killer tooling, including BYOVD (bring-your-own-vulnerable-driver) variants, is now sold and reused across financially motivated crews; FIN7's AvNeutralizer is the best-documented example. Detection: Sysmon EID 6 (driver loaded) cross-referenced against Microsoft's recommended driver block list; tamper-protection telemetry from the EDR itself. Remediation: enable the Microsoft Vulnerable Driver Blocklist (on by default in Windows 11 22H2+ and enforced under HVCI); EDR tamper protection in its strictest mode; alert on uninstall events from any security agent.
Credential access — T1110, T1555.003, T1003
T1110 — Brute Force
Password-spray against Office 365, VPN portals, and exposed RDWeb. Cobalt Group is documented as a user of credential spraying against banking targets. Detection: failed-logon volume anomalies stratified per source ASN; Entra ID Identity Protection "password spray" risk events. Remediation: Conditional Access requiring phishing-resistant MFA; geo-fencing for admin portals; smart lockout for non-federated identities.
T1555.003 — Credentials from Web Browsers
Lazarus and FIN7 routinely pull stored credentials from Chrome, Edge, and Firefox profiles after obtaining an initial foothold. Detection: EDR alert on reads of %LOCALAPPDATA%\Google\Chrome\User Data\Default\Login Data (and the Edge equivalent) by any process other than the browser itself. Remediation: keep browsers current so Chrome's application-bound encryption (introduced for cookies in Chrome 127 on Windows and since extended to other stored secrets) applies, which defeats the classic copy-the-SQLite-file-and-decrypt-with-DPAPI routine; enterprise browser policy disabling the built-in password manager for corporate profiles in favour of a managed vault.
T1003 — OS Credential Dumping (LSASS)
The flagship sub-technique is T1003.001 — LSASS Memory. Every group in this list has used it. Detection: Sysmon EID 10 (process access) where TargetImage is lsass.exe and GrantedAccess masks include 0x1010 / 0x1410 / 0x143A. Remediation: enable LSA Protection (RunAsPPL), Credential Guard on every domain-joined endpoint that supports it, and Restricted Admin Mode for RDP.
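The GrantedAccess check described above, as an added worked example that is not code from the original article. It decodes a Sysmon EID 10 access mask into the Win32 PROCESS_* rights (the constants are the real values) so the analyst can see why 0x1010, 0x1410 and 0x143A matter: each includes PROCESS_VM_READ, the right needed to read LSASS memory. The source-image allowlist and the sample events are constructed; tune the allowlist per estate, because AV engines and some backup agents legitimately open lsass.exe with full access.

```python
"""T1003.001 analytic: decode Sysmon EID 10 GrantedAccess masks for lsass.exe and
alert on handles that can read its memory from non-allowlisted images.

Added example, not from the original article. PROCESS_* constants are the Win32
values; the allowlist and sample events are constructed.
"""
import ntpath

ACCESS_RIGHTS = {
    0x0001: "PROCESS_TERMINATE",
    0x0002: "PROCESS_CREATE_THREAD",
    0x0008: "PROCESS_VM_OPERATION",
    0x0010: "PROCESS_VM_READ",
    0x0020: "PROCESS_VM_WRITE",
    0x0040: "PROCESS_DUP_HANDLE",
    0x0080: "PROCESS_CREATE_PROCESS",
    0x0100: "PROCESS_SET_QUOTA",
    0x0200: "PROCESS_SET_INFORMATION",
    0x0400: "PROCESS_QUERY_INFORMATION",
    0x0800: "PROCESS_SUSPEND_RESUME",
    0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
}
MEMORY_READ = 0x0010   # PROCESS_VM_READ: without it nothing can be dumped
# Assumption: processes that legitimately open lsass.exe with read access in this estate.
ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "lsm.exe"}

# Constructed Sysmon EID 10 (ProcessAccess) events.
SAMPLE_EVENTS = [
    {"EventID": 10, "Computer": "WS-TELLER-07",
     "SourceImage": r"C:\Users\tellr01\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1010",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4|UNKNOWN(00000000004015A0)"},
    {"EventID": 10, "Computer": "WS-TELLER-07",
     "SourceImage": r"C:\Windows\System32\svchost.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1000",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
    {"EventID": 10, "Computer": "WS-TELLER-07",
     "SourceImage": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18.24\MsMpEng.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
    {"EventID": 10, "Computer": "WS-OPS-02",
     "SourceImage": r"C:\Windows\System32\Taskmgr.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1400",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
    {"EventID": 10, "Computer": "SRV-FILE-01",
     "SourceImage": r"C:\Tools\procdump64.exe",
     "TargetImage": r"C:\Windows\system32\lsass.exe", "GrantedAccess": "0x1fffff",
     "CallTrace": r"C:\Windows\SYSTEM32\ntdll.dll+9d4c4"},
]


def decode_access(mask):
    """Access mask -> list of PROCESS_* right names, lowest bit first."""
    return [name for bit, name in sorted(ACCESS_RIGHTS.items()) if mask & bit]


def flag_lsass_access(events, allowlist=ALLOWLIST):
    alerts = []
    for e in events:
        if e["EventID"] != 10 or ntpath.basename(e["TargetImage"]).lower() != "lsass.exe":
            continue
        source = ntpath.basename(e["SourceImage"]).lower()
        mask = int(e["GrantedAccess"], 16)
        if not mask & MEMORY_READ or source in allowlist:
            continue
        notes = decode_access(mask)
        if "UNKNOWN" in e.get("CallTrace", ""):
            # A frame with no backing module means the caller runs from unbacked
            # memory: reflectively loaded tooling, not a normal signed binary.
            notes.append("CallTrace contains UNKNOWN module")
        alerts.append({"host": e["Computer"], "source": e["SourceImage"],
                       "granted": e["GrantedAccess"], "notes": notes})
    return alerts


if __name__ == "__main__":
    for a in flag_lsass_access(SAMPLE_EVENTS):
        print(a["host"], a["source"], a["granted"], a["notes"])
```

The svchost.exe and Task Manager handles are left alone on purpose: 0x1000 and 0x1400 only query process information and cannot read memory, and treating them as suspicious is the main source of noise in naive 4656/EID 10 rules.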
Discovery — T1087, T1018
T1087 — Account Discovery
net user /domain, net group "Domain Admins", and LDAP queries via PowerView. Detection: Sysmon EID 1 on net.exe / dsquery.exe / ldapsearch from non-IT subnets. Remediation: deploy honeytoken accounts that page when queried; require LDAP signing + channel binding on every DC.
T1018 — Remote System Discovery
ICMP sweeps, ARP scans, and SMB enumeration are core reconnaissance once inside. Cobalt Group is documented running internal scans before pivoting to SWIFT terminals. Detection: NetFlow anomaly on east-west ICMP / SMB volume from a single endpoint; DC-side alert on excessive null-session SMB binds. Remediation: network segmentation around the SWIFT Alliance, ATM-switch, and card-management environments; deny SMB / RDP between user VLANs.
Lateral movement — T1021.001, T1570
T1021.001 — Remote Desktop Protocol
RDP with harvested credentials is universal; Carbanak, Cobalt Group and FIN7 all use it once admin credentials are in hand. Detection: Security Event ID 4624 logon type 10 from a workstation to a server outside that host's change-window RDP profile; concurrent sessions for one account across non-paired hosts. Remediation: jump-host architecture with PAM-brokered access; RDP only with Network Level Authentication; prefer Remote Credential Guard over Restricted Admin mode where clients support it, because Restricted Admin keeps credentials off the target but allows the session to be opened with a stolen NT hash; block lateral 3389 between workstations entirely at the host firewall.
T1570 — Lateral Tool Transfer
Adversaries push toolkits laterally over SMB admin shares. Detection: Sysmon EID 11 (FileCreate) for files written through \\*\C$ or \\*\ADMIN$ from non-IT endpoints; Security Event ID 5145 (detailed file share) writes to ADMIN$ from workstation subnets. Remediation: disable administrative shares on workstations (LanmanServer\Parameters AutoShareWks = 0) after confirming your deployment and EDR tooling does not depend on them; enforce SMB signing and SMB 3 encryption.
Collection — T1056, T1005, T1213
T1056 — Input Capture
Keylogging on teller workstations and core-banking operator terminals. Carbanak deployed video recording of operator desktops to learn how to use proprietary applications before initiating transfers. Detection: EDR alert on processes calling SetWindowsHookEx with WH_KEYBOARD_LL from non-allowlisted binaries. Remediation: application-control allowlisting on teller / treasury workstations; physical-keyboard USB allowlisting via device-control policy.
T1005 — Data from Local System
Customer data lakes, CSV exports, and end-of-day reports are the obvious target. Detection: DLP rules on PAN, Aadhaar, and IBAN regexes leaving any host with abnormal volume; EDR on archive creation (7z, WinRAR) over 100 MB. Remediation: tokenise PAN at issuance and never store it in the clear outside the HSM-protected card data environment; disable removable storage on cardholder data environment endpoints.
T1213 — Data from Information Repositories
Confluence and SharePoint searches for "password", "wire instructions", "SWIFT". Detection: SharePoint / Confluence audit-log alerting on high-volume search and download by a single principal. Remediation: classification labels with rights-management on any document containing credential material; quarantine pages tagged confidential from broad-access search indexes.
Command and control — T1071.001, T1573, T1090
T1071.001 — Web Protocols
HTTPS over compromised infrastructure or domain-fronting CDNs. Every group on this list uses HTTP(S) C2. Detection: JA3 / JA4 fingerprint clustering at egress; alert on first-seen domains contacted by any internal subnet; user-agent / SNI mismatch. Remediation: TLS-terminating egress proxy with category-based blocking; outbound domain allowlisting for the SWIFT / payments segment.
T1573 — Encrypted Channel
Custom RC4 / AES layered above HTTP, or Cobalt Strike's malleable C2 profiles tuned to look like Amazon or Office 365 traffic. Detection: Suricata / Zeek on JA3 hashes associated with known Cobalt Strike profiles; high-entropy POST bodies to first-seen hosts. Remediation: SSL inspection at the egress on user subnets (legal review first); allowlist-only egress for production payment systems.
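The entropy measurement that both the T1027 section (packed PE sections above 7.2 bits per byte) and the C2 sections here (high-entropy POST bodies to first-seen hosts) rely on, as one added worked example that is not code from the original article. The 7.2 threshold for PE sections is the article's; the 5.5 threshold for HTTP bodies, the deterministic random blob standing in for encrypted data, the hostnames and the subnet are constructed assumptions. The block also shows the caveat a practitioner needs: base64-armoured traffic can never exceed 6.0 bits per byte, so a PE-tuned threshold misses it.

```python
"""Shannon entropy for T1027 (packed sections) and T1071.001/T1573 (high-entropy
POST bodies to destinations a subnet has never contacted).

Added example, not from the original article. The 7.2 PE threshold is the
article's; the 5.5 body threshold, blobs, hostnames and subnets are constructed.
"""
import base64
import math
import random
from collections import Counter, defaultdict

PE_SECTION_THRESHOLD = 7.2   # article's threshold: packed/encrypted .text sections
# Assumption: base64 uses 64 symbols, so armoured data tops out at log2(64) = 6.0
# bits/byte and a PE-tuned 7.2 threshold would miss it entirely.
POST_BODY_THRESHOLD = 5.5


def shannon_entropy(data):
    """Bits per byte; 0.0 for empty input, 8.0 is the maximum."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def section_looks_packed(section_bytes, threshold=PE_SECTION_THRESHOLD):
    return shannon_entropy(section_bytes) > threshold


class FirstSeenTracker:
    """Remembers which destination hosts each internal subnet has contacted."""

    def __init__(self):
        self._seen = defaultdict(set)

    def observe(self, subnet, host):
        first = host not in self._seen[subnet]
        self._seen[subnet].add(host)
        return first


def score_post(record, tracker, body_threshold=POST_BODY_THRESHOLD):
    """Reasons to look at one POST: first-seen destination and/or high-entropy body."""
    reasons = []
    if tracker.observe(record["src_subnet"], record["host"]):
        reasons.append("first-seen destination for subnet")
    h = shannon_entropy(record["body"])
    if h > body_threshold:
        reasons.append(f"high-entropy body {h:.2f} bits/byte")
    return reasons


# Constructed data. A seeded PRNG stands in for encrypted or packed bytes so the
# example is deterministic; a real analytic reads section bytes from the PE and
# bodies from the proxy/IDS.
_rng = random.Random(1337)
RANDOM_BLOB = bytes(_rng.getrandbits(8) for _ in range(4096))
BENIGN_TEXT_SECTION = bytes.fromhex("558bec83ec1090c3") * 512   # repetitive x86 prologue bytes
PACKED_TEXT_SECTION = RANDOM_BLOB
B64_BODY = base64.b64encode(RANDOM_BLOB[:300])                    # armoured C2: <= 6.0 bits/byte

SAMPLE_POSTS = [
    {"src_subnet": "10.40.12.0/24", "host": "cdn-assets.example-updates.net", "body": RANDOM_BLOB[:1024]},
    {"src_subnet": "10.40.12.0/24", "host": "cdn-assets.example-updates.net", "body": B64_BODY},
    {"src_subnet": "10.40.12.0/24", "host": "login.microsoftonline.com", "body": b"login=a.sharma&flowToken=x1"},
]


def run_demo():
    tracker = FirstSeenTracker()
    tracker.observe("10.40.12.0/24", "login.microsoftonline.com")  # pre-seeded from baseline traffic
    return [(p["host"], score_post(p, tracker)) for p in SAMPLE_POSTS]


if __name__ == "__main__":
    print("benign .text entropy", round(shannon_entropy(BENIGN_TEXT_SECTION), 2))
    print("packed .text entropy", round(shannon_entropy(PACKED_TEXT_SECTION), 2))
    print("base64 body entropy", round(shannon_entropy(B64_BODY), 2))
    for host, reasons in run_demo():
        print(host, reasons)
```

The second POST shows the point of the lower body threshold: the same beacon content, base64-armoured, scores under 6.0 and would pass a 7.2 rule unnoticed, yet still stands well above the 4 to 4.5 bits per byte typical of form-encoded or JSON traffic.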
T1090 — Proxy
Internal proxies chained through compromised hosts. Cobalt Group and Carbanak both use multi-hop proxies inside the victim network. Detection: unexpected listening sockets on workstations (osquery listening_ports or periodic netstat baselining; Sysmon does not record listens, so pair its EID 3 connection records with the host's listener inventory); excessive cross-subnet TCP from a single host. Remediation: host firewall blocking inbound connections to workstations by default; EDR alert on any newly bound port.
Exfiltration — T1041, T1567
T1041 — Exfiltration Over C2 Channel
Cheapest, most common path. Detection: egress bytes-out anomalies per host stratified by hour-of-day; alert on outbound flows exceeding 95th percentile by 10x. Remediation: egress rate-limiting for non-server subnets; DLP inline-block on large archive uploads.
T1567 — Exfiltration Over Web Service
Mega.io, Dropbox, Discord webhooks, GitHub gists — all observed in FIN7 / FIN11 cases. Detection: CASB / SWG alert on uploads to consumer file-sharing categories from corporate endpoints. Remediation: tenant-pinning for sanctioned cloud services (Workspace, Microsoft 365); block consumer cloud upload categories outright for production subnets.
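The bytes-out anomaly from the T1041 section, as an added worked example that is not code from the original article: a per-host, per-hour-of-day 95th-percentile baseline with an alert when an hour's egress exceeds ten times that stratum's P95. The flow records are constructed; in production the input is NetFlow/IPFIX or proxy logs pre-aggregated to (host, hour) buckets. The backup-server record is there to show why the stratification matters.

```python
"""T1041 analytic: per-host, per-hour-of-day bytes-out baseline; alert when an
hour's egress exceeds 10x that stratum's 95th percentile.

Added example, not from the original article. Flow records are constructed.
"""
import statistics
from collections import defaultdict

SPIKE_FACTOR = 10


def p95(samples):
    """95th percentile. statistics.quantiles(n=20) returns 19 cut points; index 18 is P95."""
    if len(samples) < 2:
        return float(samples[0]) if samples else 0.0
    return statistics.quantiles(samples, n=20, method="inclusive")[18]


def build_baseline(history):
    """history: iterable of {"host", "hour", "bytes_out"} -> {(host, hour): P95 bytes}."""
    buckets = defaultdict(list)
    for f in history:
        buckets[(f["host"], f["hour"])].append(f["bytes_out"])
    return {key: p95(values) for key, values in buckets.items()}


def detect_egress_spikes(observations, baseline, factor=SPIKE_FACTOR):
    alerts = []
    for o in observations:
        ref = baseline.get((o["host"], o["hour"]))
        if ref is None:
            # A host active in an hour it has never used is itself worth a look.
            alerts.append({**o, "reason": "no baseline for this host/hour stratum"})
        elif o["bytes_out"] > factor * ref:
            alerts.append({**o, "reason": f"{o['bytes_out'] / ref:.0f}x the P95 of {ref:.0f} bytes"})
    return alerts


# Constructed 28-day history: a teller workstation moves 1 to 2 MB per hour at
# 14:00; the backup server legitimately pushes around 1 GB per hour at 02:00.
HISTORY = (
    [{"host": "WS-TELLER-07", "hour": 14, "bytes_out": 1_200_000 + 40_000 * d} for d in range(28)]
    + [{"host": "BACKUP-01", "hour": 2, "bytes_out": 900_000_000 + 5_000_000 * d} for d in range(28)]
)

OBSERVATIONS = [
    {"host": "WS-TELLER-07", "hour": 14, "bytes_out": 410_000_000},   # archive leaving a teller box
    {"host": "WS-TELLER-07", "hour": 14, "bytes_out": 3_000_000},     # ordinary afternoon
    {"host": "BACKUP-01", "hour": 2, "bytes_out": 1_500_000_000},     # large, but normal for this stratum
    {"host": "WS-TELLER-07", "hour": 3, "bytes_out": 20_000_000},     # never active at 03:00 before
]


def run_demo():
    return detect_egress_spikes(OBSERVATIONS, build_baseline(HISTORY))


if __name__ == "__main__":
    for a in run_demo():
        print(a)
```

Without the hour-of-day stratum the backup server's nightly gigabyte would either flood the queue or force a threshold so high that a 400 MB archive leaving a teller workstation never fires.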
Impact — T1486, T1485, T1565
T1486 — Data Encrypted for Impact
Ransomware as a final stage; FIN11 has documented CL0P overlap. Detection: mass file rename / extension change events; volume-shadow-copy deletion (vssadmin delete shadows, wmic shadowcopy delete, or the equivalent WMI call). Remediation: immutable, off-account backups (S3 Object Lock or equivalent); the Defender ASR rule "Use advanced protection against ransomware" together with controlled folder access; block or alert on vssadmin and wmic shadow-copy deletion through WDAC or EDR custom rules; a documented and rehearsed pay-or-not-pay executive decision matrix.
T1485 — Data Destruction
Wipers as cover for theft, observed across multiple destructive Lazarus operations (Banco de Chile, 2018). Detection: EDR alert on raw-disk writes (\\.\PhysicalDrive handles) from anything other than disk-management binaries; rapid file-truncation patterns. Remediation: tested backup restoration and offline copies for golden-image rebuild. BitLocker / FileVault protect data at rest on a lost or stolen disk but do nothing against a wiper running with admin rights, so do not count them toward T1485 coverage.
T1565 — Data Manipulation
Stored-data manipulation is the signature of bank-network intrusions: Carbanak altered balance displays before issuing transfers; Bangladesh Bank attackers manipulated SWIFT message confirmation output. Detection: file-integrity monitoring on core-banking config files; database row-level auditing for any UPDATE on balance / settlement tables outside batch windows. Remediation: dual control on any high-value funds movement; out-of-band confirmation channel; immutable transaction logs in a system the operator cannot write to.
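The row-level audit and off-window UPDATE detection described above, as an added worked example that is not code from the original article. It uses SQLite so it runs stand-alone: an append-only balance_audit table fed by a trigger, triggers that refuse UPDATE and DELETE on the audit rows, and a query for balance changes outside the end-of-day batch window. The 22:00 to 02:00 window, the accounts and the operator names are constructed. The session_context table that lets the demo inject a fixed operator and clock is a test convenience only; in a production ledger the audit table lives in a schema the operator role cannot write at all, and identity and time come from the database session and clock.

```python
"""T1565 control: append-only balance audit trail plus off-window UPDATE detection.

Added example, not from the original article. SQLite stands in for the core
banking database; the batch window, accounts and operators are constructed.
"""
import sqlite3
from datetime import datetime

BATCH_WINDOW = (22, 2)   # assumption: end-of-day batch runs 22:00 to 02:00 UTC

SCHEMA = """
CREATE TABLE ledger_balances (account_id TEXT PRIMARY KEY, balance INTEGER NOT NULL);
-- Demo-only: lets the example pin operator and clock. Not a production design.
CREATE TABLE session_context (k TEXT PRIMARY KEY, v TEXT NOT NULL);
CREATE TABLE balance_audit (
    seq         INTEGER PRIMARY KEY AUTOINCREMENT,
    account_id  TEXT    NOT NULL,
    old_balance INTEGER NOT NULL,
    new_balance INTEGER NOT NULL,
    changed_by  TEXT    NOT NULL,
    changed_at  TEXT    NOT NULL
);
-- Every balance change is recorded with who and when, by the database, not the app.
CREATE TRIGGER audit_balance_update AFTER UPDATE OF balance ON ledger_balances
BEGIN
    INSERT INTO balance_audit (account_id, old_balance, new_balance, changed_by, changed_at)
    VALUES (OLD.account_id, OLD.balance, NEW.balance,
            COALESCE((SELECT v FROM session_context WHERE k = 'operator'), 'unknown'),
            COALESCE((SELECT v FROM session_context WHERE k = 'clock'),
                     strftime('%Y-%m-%dT%H:%M:%SZ', 'now')));
END;
-- The audit trail is append-only: the operator role cannot rewrite history.
CREATE TRIGGER audit_no_update BEFORE UPDATE ON balance_audit
BEGIN SELECT RAISE(ABORT, 'balance_audit is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON balance_audit
BEGIN SELECT RAISE(ABORT, 'balance_audit is append-only'); END;
"""


def build_ledger():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO ledger_balances VALUES (?, ?)",
                     [("ACC-001", 250_000), ("ACC-002", 41_500)])
    conn.commit()
    return conn


def apply_update(conn, account_id, new_balance, operator, clock):
    """Simulates an application session changing a balance (clock pinned for the demo)."""
    conn.executemany("INSERT OR REPLACE INTO session_context VALUES (?, ?)",
                     [("operator", operator), ("clock", clock)])
    conn.execute("UPDATE ledger_balances SET balance = ? WHERE account_id = ?",
                 (new_balance, account_id))
    conn.commit()


def in_batch_window(ts, window=BATCH_WINDOW):
    """True if the UTC hour of `ts` falls inside the batch window, which may wrap midnight."""
    hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = window
    return (hour >= start or hour < end) if start > end else (start <= hour < end)


def offwindow_updates(conn, window=BATCH_WINDOW):
    """Audit rows for balance changes made outside the batch window: the T1565 detection."""
    rows = conn.execute("SELECT account_id, old_balance, new_balance, changed_by, changed_at "
                        "FROM balance_audit ORDER BY seq").fetchall()
    return [r for r in rows if not in_batch_window(r[4], window)]


def audit_is_append_only(conn):
    """True if an attempt to rewrite the audit trail is refused by the database."""
    try:
        conn.execute("UPDATE balance_audit SET new_balance = old_balance")
    except sqlite3.DatabaseError:
        return True
    return False


def demo():
    conn = build_ledger()
    apply_update(conn, "ACC-001", 251_200, "eod-batch", "2026-05-17T23:30:00Z")       # legitimate batch posting
    apply_update(conn, "ACC-002", 9_041_500, "op_teller_0412", "2026-05-18T14:22:10Z")  # mid-day balance inflation
    return offwindow_updates(conn), audit_is_append_only(conn)


if __name__ == "__main__":
    suspicious, append_only = demo()
    for row in suspicious:
        print("off-window balance change:", row)
    print("audit trail append-only:", append_only)
```

The detection is only as good as the audit trail's independence: if the same operator credential that issues the UPDATE can also delete the audit row, the Carbanak pattern of altering balances and then cleaning up is untouched. That is why the page pairs this control with immutable transaction logs on a system the operator cannot write to.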
Mapping to regulatory frameworks
None of the major BFSI frameworks mandate ATT&CK by name, but every one of them references "threat-informed" or "adversary-emulation" testing. ATT&CK is the canonical translation layer.
- RBI Cyber Security Framework (2016) and the 2023 Master Direction on IT Governance — Annex 1 baseline controls and Annex 2 adaptive controls expect entities to maintain a current threat profile and exercise detective controls against it. Walk through the crosswalk in our RBI Cyber Framework checklist.
- SEBI CSCRF (2024) — applies to stock exchanges, depositories and clearing corporations (the Market Infrastructure Institutions) as well as AMCs, brokers and other SEBI-regulated entities. Mandates VAPT and red teaming for high-impact entities with explicit reference to adversary-emulation methodologies. The SEBI CSCRF checklist walks the control-by-control crosswalk to ATT&CK tactics.
- PCI DSS v4.0 requirement 11.4 — penetration testing methodology must be industry-accepted; QSAs increasingly look for ATT&CK coverage in pentest reports as evidence of rigour, particularly for 11.4.3 internal pentest and 11.4.5 segmentation controls.
- DORA + TIBER-EU (EU) — DORA mandates Threat-Led Penetration Testing for significant financial entities, executed under the TIBER-EU methodology, which uses ATT&CK as the primary technique vocabulary in the threat intelligence and red-team reports.
How red teams emulate these in BFSI engagements
A credible BFSI red team engagement reproduces a named adversary's technique chain end-to-end against the controls in place — not a generic checklist. AxVeil typically scopes an adversary simulation for banks and fintechs along three operator profiles drawn from this article:
- FIN7 / FIN11 profile — phishing-led intrusion (T1566.001 + T1204.002) escalating to LSASS dump (T1003.001), lateral RDP (T1021.001) to a payment-card or treasury workstation, and exfil over web service (T1567) of a synthetic cardholder dataset.
- Lazarus / Carbanak profile — supply-chain or watering-hole initial access (T1195 / T1189), long-dwell beaconing over HTTPS (T1071.001) with encrypted channel (T1573), and eventual manipulation (T1565) or simulated transfer initiation against SWIFT Alliance staging.
- Cobalt Group profile — public-facing exploit (T1190) on an external service, Cobalt Strike implant with malleable profile, internal recon (T1018 + T1087), and ATM-switch / card-management lateral movement under change-window cover.
The deliverable is a per-technique outcome — detected / partially detected / undetected — mapped against the SOC's existing analytics, with a Sigma or Splunk SPL rule for every undetected technique. For sectoral context on how this differs from a routine penetration test, see our BFSI sector page.
Closing — what to do next week
If you are a CISO or head of security at a bank, NBFC, fintech, or payment processor and you have read this far, here are three concrete actions for the next thirty days. First, take the 30 techniques in this article and produce a one-page detection-coverage matrix for your SOC: detected, partial, or undetected, with the underlying analytic name and platform for each. Second, commission a time-boxed adversary-emulation exercise, six to eight weeks against one of the three operator profiles above, and use the matrix as both the input scoping document and the output report card. Third, embed the resulting Sigma / SPL / KQL rules into change-control so they survive analyst turnover. The detection latency you measure in that exercise is the same latency that will play out in the real incident; close the gap before it costs you the front-page headline.
Scope an ATT&CK-aligned engagement with AxVeil.
BFSI-tuned red team and adversary simulation. RBI, SEBI CSCRF, PCI DSS, and DORA-aligned reporting.
Talk to the red team →