FIN5
Associated Group Descriptions

| Name | Description |
|---|---|
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1074.001 | Data Staged: Local Data Staging | FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment. (Citation: Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | FIN5 has cleared event logs from victims. (Citation: Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | FIN5 uses SDelete to clean up the environment and attempt to prevent detection. (Citation: Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | FIN5 has obtained and used a customized version of PsExec, and has also used other tools such as pwdump, SDelete, and Windows Credential Editor. (Citation: Mandiant FIN5 GrrCON Oct 2016) |
| Enterprise | T1090.002 | Proxy: External Proxy | FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel. (Citation: Mandiant FIN5 GrrCON Oct 2016) |
Software |
| ID | Name | References | Techniques |
|---|---|---|---|
| S0173 | FLIPSIDE | (Citation: Mandiant FIN5 GrrCON Oct 2016) | Protocol Tunneling |
| S0005 | Windows Credential Editor | (Citation: Amplia WCE) (Citation: DarkReading FireEye FIN5 Oct 2015) (Citation: Mandiant FIN5 GrrCON Oct 2016) | LSASS Memory |
| S0169 | RawPOS | (Citation: DarkReading FireEye FIN5 Oct 2015) (Citation: DRIFTWOOD) (Citation: DUEBREW) (Citation: FIENDCRY) (Citation: Github Mempdump) (Citation: Kroll RawPOS Jan 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) | Masquerade Task or Service, Archive via Custom Method, Data from Local System, Local Data Staging, Windows Service |
| S0006 | pwdump | (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Wikipedia pwdump) | Security Account Manager |
| S0195 | SDelete | (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Microsoft SDelete July 2016) | File Deletion, Data Destruction |
| S0029 | PsExec | (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) | SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account |
References
- Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
- Higgins, K. (2015, October 13). Prolific Cybercrime Gang Favors Legit Login Credentials. Retrieved October 4, 2017.
- Scavella, T. and Rifki, A. (2017, July 20). Are you Ready to Respond? (Webinar). Retrieved October 4, 2017.