
G0051 FIN10

FIN10 is a financially motivated threat group that targeted organizations in North America from at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

| Item | Value |
|---|---|
| ID | G0051 |
| Associated Names | |
| Version | 1.3 |
| Created | 14 December 2017 |
| Last Modified | 26 May 2021 |

Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key. [1][2] |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence. [1][2] |
| enterprise | T1059.003 | Windows Command Shell | FIN10 has executed malicious .bat files containing PowerShell commands. [1] |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | FIN10 has used batch scripts and scheduled tasks to delete critical system files. [1] |
| enterprise | T1570 | Lateral Tool Transfer | FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally. [1] |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments. [1] |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.001 | Remote Desktop Protocol | FIN10 has used RDP to move laterally to systems in the victim environment. [1] |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire. [1][2] |
| enterprise | T1033 | System Owner/User Discovery | FIN10 has used Meterpreter to enumerate users on remote systems. [1] |
| enterprise | T1078 | Valid Accounts | FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. [1] |
| enterprise | T1078.003 | Local Accounts | FIN10 has moved laterally using the Local Administrator account. [1] |


| ID | Name | References | Techniques |
|---|---|---|---|
| S0363 | Empire | [1] | Bypass User Account Control:Abuse Elevation Control Mechanism; Access Token Manipulation; SID-History Injection:Access Token Manipulation; Create Process with Token:Access Token Manipulation; Domain Account:Account Discovery; Local Account:Account Discovery; LLMNR/NBT-NS Poisoning and SMB Relay:Adversary-in-the-Middle; Web Protocols:Application Layer Protocol; Archive Collected Data; Automated Collection; Automated Exfiltration; Shortcut Modification:Boot or Logon Autostart Execution; Registry Run Keys / Startup Folder:Boot or Logon Autostart Execution; Security Support Provider:Boot or Logon Autostart Execution; Browser Information Discovery; Clipboard Data; PowerShell:Command and Scripting Interpreter; Windows Command Shell:Command and Scripting Interpreter; Command and Scripting Interpreter; Domain Account:Create Account; Local Account:Create Account; Windows Service:Create or Modify System Process; Credentials from Web Browsers:Credentials from Password Stores; Group Policy Modification:Domain Policy Modification; Domain Trust Discovery; Local Email Collection:Email Collection; Asymmetric Cryptography:Encrypted Channel; Accessibility Features:Event Triggered Execution; Exfiltration Over C2 Channel; Exfiltration to Code Repository:Exfiltration Over Web Service; Exfiltration to Cloud Storage:Exfiltration Over Web Service; Exploitation for Privilege Escalation; Exploitation of Remote Services; File and Directory Discovery; Group Policy Discovery; Path Interception by Search Order Hijacking:Hijack Execution Flow; Dylib Hijacking:Hijack Execution Flow; Path Interception by Unquoted Path:Hijack Execution Flow; DLL Search Order Hijacking:Hijack Execution Flow; Path Interception by PATH Environment Variable:Hijack Execution Flow; Timestomp:Indicator Removal; Ingress Tool Transfer; Keylogging:Input Capture; Credential API Hooking:Input Capture; Native API; Network Service Discovery; Network Share Discovery; Network Sniffing; Command Obfuscation:Obfuscated Files or Information; LSASS Memory:OS Credential Dumping; Process Discovery; Process Injection; Distributed Component Object Model:Remote Services; SSH:Remote Services; Scheduled Task:Scheduled Task/Job; Screen Capture; Security Software Discovery:Software Discovery; Kerberoasting:Steal or Forge Kerberos Tickets; Silver Ticket:Steal or Forge Kerberos Tickets; Golden Ticket:Steal or Forge Kerberos Tickets; System Information Discovery; System Network Configuration Discovery; System Network Connections Discovery; System Owner/User Discovery; Service Execution:System Services; MSBuild:Trusted Developer Utilities Proxy Execution; Credentials In Files:Unsecured Credentials; Private Keys:Unsecured Credentials; Pass the Hash:Use Alternate Authentication Material; Video Capture; Bidirectional Communication:Web Service; Windows Management Instrumentation |