FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

ID: G0051
Version: 1.3
Created: 14 December 2017
Last Modified: 26 May 2021

Techniques Used

Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1][2]

Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1][2]

.003 Command and Scripting Interpreter: Windows Command Shell

FIN10 has executed malicious .bat files containing PowerShell commands.[1]

Enterprise T1070 .004 Indicator Removal on Host: File Deletion

FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1]

Enterprise T1570 Lateral Tool Transfer

FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1]

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.[1]

Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN10 has used RDP to move laterally to systems in the victim environment.[1]

Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1][2]

Enterprise T1033 System Owner/User Discovery

FIN10 has used Meterpreter to enumerate users on remote systems.[1]

Enterprise T1078 Valid Accounts

FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.[1]

.003 Local Accounts

FIN10 has moved laterally using the Local Administrator account.[1]

Software

ID Name References Techniques
S0363 Empire [1] Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation, Access Token Manipulation: SID-History Injection, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Boot or Logon Autostart Execution: Shortcut Modification, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Browser Bookmark Discovery, Clipboard Data, Command and Scripting Interpreter, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter: PowerShell, Commonly Used Port, Create Account: Domain Account, Create Account: Local Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Credentials from Web Browsers, Domain Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exfiltration Over Web Service: Exfiltration to Code Repository, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: DLL Search Order Hijacking, Hijack Execution Flow: Dylib Hijacking, Indicator Removal on Host: Timestomp, Ingress Tool Transfer, Input Capture: Credential API Hooking, Input Capture: Keylogging, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Private Keys, Unsecured Credentials: Credentials In Files, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

References