
FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations.[1]

ID: G0051
Version: 1.3
Created: 14 December 2017
Last Modified: 17 November 2024

Techniques Used

Domain | ID | Name | Use

Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1][2]

Enterprise | T1059.001 | Command and Scripting Interpreter: PowerShell

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1][2]

Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell

FIN10 has executed malicious .bat files containing PowerShell commands.[1]

Enterprise | T1070.004 | Indicator Removal: File Deletion

FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1]

Enterprise | T1570 | Lateral Tool Transfer

FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1]

Enterprise | T1588.002 | Obtain Capabilities: Tool

FIN10 has relied on publicly available software to gain footholds and establish persistence in victim environments.[1]

Enterprise | T1021.001 | Remote Services: Remote Desktop Protocol

FIN10 has used RDP to move laterally to systems in the victim environment.[1]

Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1][2]

Enterprise | T1033 | System Owner/User Discovery

FIN10 has used Meterpreter to enumerate users on remote systems.[1]

Enterprise | T1078 | Valid Accounts

FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.[1]

Enterprise | T1078.003 | Valid Accounts: Local Accounts

FIN10 has moved laterally using the Local Administrator account.[1]

Software

ID | Name | References | Techniques

S0363 | Empire | [1] | Abuse Elevation Control Mechanism: Bypass User Account Control, Access Token Manipulation: SID-History Injection, Access Token Manipulation, Access Token Manipulation: Create Process with Token, Account Discovery: Domain Account, Account Discovery: Local Account, Adversary-in-the-Middle: LLMNR/NBT-NS Poisoning and SMB Relay, Application Layer Protocol: Web Protocols, Archive Collected Data, Automated Collection, Automated Exfiltration, Boot or Logon Autostart Execution: Security Support Provider, Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, Boot or Logon Autostart Execution: Shortcut Modification, Browser Information Discovery, Clipboard Data, Command and Scripting Interpreter: PowerShell, Command and Scripting Interpreter: Windows Command Shell, Command and Scripting Interpreter, Create Account: Local Account, Create Account: Domain Account, Create or Modify System Process: Windows Service, Credentials from Password Stores: Keychain, Credentials from Password Stores: Credentials from Web Browsers, Domain or Tenant Policy Modification: Group Policy Modification, Domain Trust Discovery, Email Collection: Local Email Collection, Encrypted Channel: Asymmetric Cryptography, Event Triggered Execution: Accessibility Features, Exfiltration Over C2 Channel, Exfiltration Over Web Service: Exfiltration to Code Repository, Exfiltration Over Web Service: Exfiltration to Cloud Storage, Exploitation for Privilege Escalation, Exploitation of Remote Services, File and Directory Discovery, Group Policy Discovery, Hijack Execution Flow: Path Interception by Unquoted Path, Hijack Execution Flow: Path Interception by Search Order Hijacking, Hijack Execution Flow: Path Interception by PATH Environment Variable, Hijack Execution Flow: Dylib Hijacking, Hijack Execution Flow: DLL, Indicator Removal: Timestomp, Ingress Tool Transfer, Input Capture: Keylogging, Input Capture: Credential API Hooking, Native API, Network Service Discovery, Network Share Discovery, Network Sniffing, Obfuscated Files or Information: Command Obfuscation, OS Credential Dumping: LSASS Memory, Process Discovery, Process Injection, Remote Services: Distributed Component Object Model, Remote Services: SSH, Scheduled Task/Job: Scheduled Task, Screen Capture, Software Discovery: Security Software Discovery, Steal or Forge Kerberos Tickets: Kerberoasting, Steal or Forge Kerberos Tickets: Golden Ticket, Steal or Forge Kerberos Tickets: Silver Ticket, System Information Discovery, System Network Configuration Discovery, System Network Connections Discovery, System Owner/User Discovery, System Services: Service Execution, Trusted Developer Utilities Proxy Execution: MSBuild, Unsecured Credentials: Credentials In Files, Unsecured Credentials: Private Keys, Use Alternate Authentication Material: Pass the Hash, Video Capture, Web Service: Bidirectional Communication, Windows Management Instrumentation

References
