G0051 FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. ¹

Item	Value
ID	G0051
Associated Names
Version	1.3
Created	14 December 2017
Last Modified	26 May 2021
Navigation Layer	View In ATT&CK® Navigator

Techniques Used

Domain	ID	Name	Use
enterprise	T1547	Boot or Logon Autostart Execution	-
enterprise	T1547.001	Registry Run Keys / Startup Folder	FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.¹²
enterprise	T1059	Command and Scripting Interpreter	-
enterprise	T1059.001	PowerShell	FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.¹²
enterprise	T1059.003	Windows Command Shell	FIN10 has executed malicious .bat files containing PowerShell commands.¹
enterprise	T1070	Indicator Removal	-
enterprise	T1070.004	File Deletion	FIN10 has used batch scripts and scheduled tasks to delete critical system files.¹
enterprise	T1570	Lateral Tool Transfer	FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.¹
enterprise	T1588	Obtain Capabilities	-
enterprise	T1588.002	Tool	FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.¹
enterprise	T1021	Remote Services	-
enterprise	T1021.001	Remote Desktop Protocol	FIN10 has used RDP to move laterally to systems in the victim environment.¹
enterprise	T1053	Scheduled Task/Job	-
enterprise	T1053.005	Scheduled Task	FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.¹²
enterprise	T1033	System Owner/User Discovery	FIN10 has used Meterpreter to enumerate users on remote systems.¹
enterprise	T1078	Valid Accounts	FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.¹
enterprise	T1078.003	Local Accounts	FIN10 has moved laterally using the Local Administrator account.¹

Software

ID	Name	References	Techniques
S0363	Empire	¹	Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Automated Collection Automated Exfiltration Shortcut Modification:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Browser Information Discovery Clipboard Data PowerShell:Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter Command and Scripting Interpreter Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Code Repository:Exfiltration Over Web Service Exfiltration to Cloud Storage:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Timestomp:Indicator Removal Ingress Tool Transfer Keylogging:Input Capture Credential API Hooking:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Command Obfuscation:Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets Golden Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery System Owner/User Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Credentials In Files:Unsecured Credentials Private Keys:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation

References

FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. ↩↩↩↩↩↩↩↩↩↩↩↩↩
Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. ↩↩↩