{"description": "Enterprise techniques used by FIN10, ATT&CK group G0051 v1.0", "name": "FIN10 (G0051)", "domain": "mitre-enterprise", "version": "2.2", "techniques": [{"score": 1, "techniqueID": "T1064", "techniqueName": "Scripting", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has executed malicious .bat files containing PowerShell commands."}, {"score": 1, "techniqueID": "T1060", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has established persistence by using the Registry option in PowerShell Empire to add a Run key."}, {"score": 1, "techniqueID": "T1086", "techniqueName": "PowerShell", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) uses PowerShell for execution as well as PowerShell Empire to establish persistence."}, {"score": 1, "techniqueID": "T1053", "techniqueName": "Scheduled Task", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire."}, {"score": 1, "techniqueID": "T1107", "techniqueName": "File Deletion", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used batch scripts and scheduled tasks to delete critical system files."}, {"score": 1, "techniqueID": "T1033", "techniqueName": "System Owner/User Discovery", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used Meterpreter to enumerate users on remote systems."}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor. The group has also moved laterally using the Local Administrator account."}, {"score": 1, "techniqueID": "T1105", "techniqueName": "Remote File Copy", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally."}, {"score": 1, "techniqueID": "T1076", "techniqueName": "Remote Desktop Protocol", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used RDP to move laterally to systems in the victim environment."}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by FIN10", "color": "#ff6666"}]}