Skip to content

G0051 FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. 1

Item Value
ID G0051
Associated Names
Version 1.3
Created 14 December 2017
Last Modified 26 May 2021
Navigation Layer View In ATT&CK® Navigator

Techniques Used

Domain ID Name Use
enterprise T1547 Boot or Logon Autostart Execution -
enterprise T1547.001 Registry Run Keys / Startup Folder FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.12
enterprise T1059 Command and Scripting Interpreter -
enterprise T1059.001 PowerShell FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.12
enterprise T1059.003 Windows Command Shell FIN10 has executed malicious .bat files containing PowerShell commands.1
enterprise T1070 Indicator Removal on Host -
enterprise T1070.004 File Deletion FIN10 has used batch scripts and scheduled tasks to delete critical system files.1
enterprise T1570 Lateral Tool Transfer FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.1
enterprise T1588 Obtain Capabilities -
enterprise T1588.002 Tool FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.1
enterprise T1021 Remote Services -
enterprise T1021.001 Remote Desktop Protocol FIN10 has used RDP to move laterally to systems in the victim environment.1
enterprise T1053 Scheduled Task/Job -
enterprise T1053.005 Scheduled Task FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.12
enterprise T1033 System Owner/User Discovery FIN10 has used Meterpreter to enumerate users on remote systems.1
enterprise T1078 Valid Accounts FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.1
enterprise T1078.003 Local Accounts FIN10 has moved laterally using the Local Administrator account.1


ID Name References Techniques
S0363 Empire 1 Bypass User Account Control:Abuse Elevation Control Mechanism Access Token Manipulation SID-History Injection:Access Token Manipulation Create Process with Token:Access Token Manipulation Domain Account:Account Discovery Local Account:Account Discovery LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle Web Protocols:Application Layer Protocol Archive Collected Data Shortcut Modification:Boot or Logon Autostart Execution Security Support Provider:Boot or Logon Autostart Execution Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution Browser Bookmark Discovery Clipboard Data Command and Scripting Interpreter Windows Command Shell:Command and Scripting Interpreter PowerShell:Command and Scripting Interpreter Commonly Used Port Domain Account:Create Account Local Account:Create Account Windows Service:Create or Modify System Process Credentials from Web Browsers:Credentials from Password Stores Group Policy Modification:Domain Policy Modification Domain Trust Discovery Local Email Collection:Email Collection Asymmetric Cryptography:Encrypted Channel Accessibility Features:Event Triggered Execution Exfiltration Over C2 Channel Exfiltration to Cloud Storage:Exfiltration Over Web Service Exfiltration to Code Repository:Exfiltration Over Web Service Exploitation for Privilege Escalation Exploitation of Remote Services File and Directory Discovery Group Policy Discovery Path Interception by Search Order Hijacking:Hijack Execution Flow Path Interception by PATH Environment Variable:Hijack Execution Flow Path Interception by Unquoted Path:Hijack Execution Flow DLL Search Order Hijacking:Hijack Execution Flow Dylib Hijacking:Hijack Execution Flow Timestomp:Indicator Removal on Host Ingress Tool Transfer Credential API Hooking:Input Capture Keylogging:Input Capture Native API Network Service Discovery Network Share Discovery Network Sniffing Obfuscated Files or Information LSASS Memory:OS Credential Dumping Process Discovery Process Injection Distributed Component Object Model:Remote Services SSH:Remote Services Scheduled Task:Scheduled Task/Job Screen Capture Security Software Discovery:Software Discovery Golden Ticket:Steal or Forge Kerberos Tickets Kerberoasting:Steal or Forge Kerberos Tickets Silver Ticket:Steal or Forge Kerberos Tickets System Information Discovery System Network Configuration Discovery System Network Connections Discovery Service Execution:System Services MSBuild:Trusted Developer Utilities Proxy Execution Private Keys:Unsecured Credentials Credentials In Files:Unsecured Credentials Pass the Hash:Use Alternate Authentication Material Video Capture Bidirectional Communication:Web Service Windows Management Instrumentation


Back to top