Cервис управления информационной безопасностью
Cервис управления информационной безопасностью
Поиск
Вход Регистрация
MITRE ATT&CK - Преступная группа FIN10
Риски
Каталоги
MITRE ATT&CK
Преступная группа
FIN10
Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.
Подробнее
Наш канал

FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. (Citation: FireEye FIN10 June 2017)
ID: G0051
Associated Groups: 
Version: 1.3
Created: 14 Dec 2017
Last Modified: 17 Nov 2024

Associated Group Descriptions
Name Description

Techniques Used
Domain ID Name Use
Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
Enterprise T1059 .001 Command and Scripting Interpreter: PowerShell

FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
.003 Command and Scripting Interpreter: Windows Command Shell

FIN10 has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN10 has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 June 2017)
Enterprise T1588 .002 Obtain Capabilities: Tool

FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.(Citation: FireEye FIN10 June 2017)
Enterprise T1021 .001 Remote Services: Remote Desktop Protocol

FIN10 has used RDP to move laterally to systems in the victim environment.(Citation: FireEye FIN10 June 2017)
Enterprise T1053 .005 Scheduled Task/Job: Scheduled Task

FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)
Enterprise T1078 .003 Valid Accounts: Local Accounts

FIN10 has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)

Software
ID Name References Techniques
S0363 Empire (Citation: EmPyre) (Citation: FireEye FIN10 June 2017) (Citation: GitHub ATTACK Empire) (Citation: Github PowerShell Empire) (Citation: NCSC Joint Report Public Tools) (Citation: PowerShell Empire) Scheduled Task, Windows Management Instrumentation, Screen Capture, System Owner/User Discovery, Keylogging, Path Interception by PATH Environment Variable, Bypass User Account Control, Group Policy Discovery, Local Email Collection, Domain Account, Local Account, Windows Service, SSH, DLL, Automated Collection, Clipboard Data, Network Sniffing, Network Share Discovery, System Information Discovery, Native API, Process Injection, Timestomp, Shortcut Modification, Security Support Provider, Archive Collected Data, Credentials from Web Browsers, Path Interception by Search Order Hijacking, Group Policy Modification, Browser Information Discovery, Private Keys, Local Account, LLMNR/NBT-NS Poisoning and SMB Relay, LSASS Memory, Create Process with Token, Distributed Component Object Model, Video Capture, System Network Configuration Discovery, Accessibility Features, Command and Scripting Interpreter, Domain Account, Domain Trust Discovery, Golden Ticket, Automated Exfiltration, File and Directory Discovery, System Network Connections Discovery, Credentials In Files, Exfiltration to Code Repository, Process Discovery, Exfiltration Over C2 Channel, PowerShell, Exploitation of Remote Services, Registry Run Keys / Startup Folder, Exploitation for Privilege Escalation, SID-History Injection, Bidirectional Communication, Asymmetric Cryptography, Exfiltration to Cloud Storage, Path Interception by Unquoted Path, MSBuild, Security Software Discovery, Windows Command Shell, Silver Ticket, Command Obfuscation, Access Token Manipulation, Web Protocols, Network Service Discovery, Pass the Hash, Ingress Tool Transfer, Service Execution, Kerberoasting, Credential API Hooking, Commonly Used Port, Dylib Hijacking

References

  1. FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
  2. Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016.
Навигация

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.