
FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)
ID: G0053
Associated Groups: 
Version: 1.2
Created: 16 Jan 2018
Last Modified: 16 Oct 2021

Associated Group Descriptions

Name Description

Techniques Used

Domain ID Name Use
Enterprise T1074 .001 Data Staged: Local Data Staging

FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise T1070 .001 Indicator Removal: Clear Windows Event Logs

FIN5 has cleared event logs from victims.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise T1070 .004 Indicator Removal: File Deletion

FIN5 uses SDelete to clean up the environment and attempt to prevent detection.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise T1588 .002 Obtain Capabilities: Tool

FIN5 has obtained and used a customized version of PsExec, as well as used other tools such as pwdump, SDelete, and Windows Credential Editor.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Enterprise T1090 .002 Proxy: External Proxy

FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.(Citation: Mandiant FIN5 GrrCON Oct 2016)

Software

ID Name References Techniques
S0173 FLIPSIDE (Citation: Mandiant FIN5 GrrCON Oct 2016) Protocol Tunneling
S0005 Windows Credential Editor (Citation: Amplia WCE) (Citation: DarkReading FireEye FIN5 Oct 2015) (Citation: Mandiant FIN5 GrrCON Oct 2016) LSASS Memory
S0169 RawPOS (Citation: DarkReading FireEye FIN5 Oct 2015) (Citation: DRIFTWOOD) (Citation: DUEBREW) (Citation: FIENDCRY) (Citation: Github Mempdump) (Citation: Kroll RawPOS Jan 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: TrendMicro RawPOS April 2015) (Citation: Visa RawPOS March 2015) Masquerade Task or Service, Archive via Custom Method, Data from Local System, Local Data Staging, Windows Service
S0006 pwdump (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Wikipedia pwdump) Security Account Manager
S0195 SDelete (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Microsoft SDelete July 2016) File Deletion, Data Destruction
S0029 PsExec (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: Russinovich Sysinternals) (Citation: SANS PsExec) SMB/Windows Admin Shares, Windows Service, Lateral Tool Transfer, Service Execution, Domain Account
