Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Вход Регистрация
MITRE ATT&CK - Преступная группа FIN10
Каталоги
MITRE ATT&CK
БДУ ФСТЭК
Новая БДУ ФСТЭК
Риски
Каталоги
MITRE ATT&CK
Преступная группа
FIN10
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)
ID: G0051
Associated Groups: 
Version: 1.3
Created: 14 Dec 2017
Last Modified: 26 May 2021

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
.003 Command and Scripting Interpreter: Windows Command Shell

FIN10 has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN10 has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 June 2017)
Enterprise T1588 .002 Obtain Capabilities: Tool

FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.(Citation: FireEye FIN10 June 2017)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN10 has used RDP to move laterally to systems in the victim environment.(Citation: FireEye FIN10 June 2017)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
Enterprise T1078 .003 Valid Accounts: Local Accounts

FIN10 has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)

Software
ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: FireEye FIN10 June 2017) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Video Capture, Distributed Component Object Model, LLMNR/NBT-NS Poisoning and SMB Relay, System Network Configuration Discovery, PowerShell, Domain Trust Discovery, Keylogging, Obfuscated Files or Information, Local Account, Screen Capture, Network Service Discovery, Credentials In Files, Archive Collected Data, Group Policy Modification, Exfiltration Over C2 Channel, Commonly Used Port, System Information Discovery, Clipboard Data, Exploitation for Privilege Escalation, Automated Exfiltration, Accessibility Features, Automated Collection, Group Policy Discovery, Domain Account, Security Support Provider, SSH, Kerberoasting, SID-History Injection, Path Interception by Unquoted Path, Registry Run Keys / Startup Folder, Network Share Discovery, Path Interception by Search Order Hijacking, Golden Ticket, Exploitation of Remote Services, Service Execution, Exfiltration to Code Repository, File and Directory Discovery, Credential API Hooking, Path Interception by PATH Environment Variable, Native API, Windows Management Instrumentation, Process Injection, Pass the Hash, Browser Bookmark Discovery, MSBuild, Private Keys, Exfiltration to Cloud Storage, Web Protocols, Access Token Manipulation, Network Sniffing, Local Email Collection, Windows Command Shell, Bidirectional Communication, Credentials from Web Browsers, Security Software Discovery, Local Account, Dylib Hijacking, System Network Connections Discovery, Scheduled Task, LSASS Memory, Asymmetric Cryptography, Create Process with Token, Windows Service, Command and Scripting Interpreter, Process Discovery, Ingress Tool Transfer, Timestomp, Shortcut Modification, DLL Search Order Hijacking, Domain Account, System Owner/User Discovery, Bypass User Account Control, Silver Ticket

References

  1. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.