{"description": "Enterprise techniques used by FIN10, ATT&CK group G0051 v1.0", "name": "FIN10 (G0051)", "domain": "mitre-enterprise", "version": "3.0", "techniques": [{"score": 1, "techniqueID": "T1078.003", "techniqueName": "Local Accounts", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has moved laterally using the Local Administrator account.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1059.001", "techniqueName": "PowerShell", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) uses PowerShell for execution as well as PowerShell Empire to establish persistence.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)"}, {"score": 1, "techniqueID": "T1059.003", "techniqueName": "Windows Command Shell", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has executed malicious .bat files containing PowerShell commands.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1033", "techniqueName": "System Owner/User Discovery", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used Meterpreter to enumerate users on remote systems.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1070.004", "techniqueName": "File Deletion", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used batch scripts and scheduled tasks to delete critical system files.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1547.001", "techniqueName": "Registry Run Keys / Startup Folder", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has established persistence by using the Registry option in PowerShell Empire to add a Run key.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)"}, {"score": 1, "techniqueID": "T1078", "techniqueName": "Valid Accounts", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1053.005", "techniqueName": "Scheduled Task", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.(Citation: FireEye FIN10 June 2017)(Citation: Github PowerShell Empire)"}, {"score": 1, "techniqueID": "T1021.001", "techniqueName": "Remote Desktop Protocol", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has used RDP to move laterally to systems in the victim environment.(Citation: FireEye FIN10 June 2017)"}, {"score": 1, "techniqueID": "T1570", "techniqueName": "Lateral Tool Transfer", "comment": "[FIN10](https://attack.mitre.org/groups/G0051) has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.(Citation: FireEye FIN10 June 2017)"}], "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by FIN10", "color": "#ff6666"}]}