FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian.[1][2][3]
Techniques Used

| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1090.002 | Proxy: External Proxy | FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.[2] |
| Enterprise | T1059 | Command and Scripting Interpreter | FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2] |
| Enterprise | T1133 | External Remote Services | FIN5 has used legitimate VPN, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2] |
| Enterprise | T1074.001 | Data Staged: Local Data Staging | FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.[2] |
| Enterprise | T1110 | Brute Force | FIN5 has used the tool GET2 Penetrator to look for remote login and hard-coded credentials.[3][2] |
| Enterprise | T1078 | Valid Accounts | FIN5 has used legitimate VPN, RDP, Citrix, or VNC credentials to maintain access to a victim environment.[1][3][2] |
| Enterprise | T1070.001 | Indicator Removal: Clear Windows Event Logs | |
| Enterprise | T1070.004 | Indicator Removal: File Deletion | FIN5 uses SDelete to clean up the environment and attempt to prevent detection.[2] |
| Enterprise | T1119 | Automated Collection | FIN5 scans processes on all victim systems in the environment and uses automated scripts to pull back the results.[2] |
| Enterprise | T1588.002 | Obtain Capabilities: Tool | FIN5 has obtained and used a customized version of PsExec, as well as used other tools such as pwdump, SDelete, and Windows Credential Editor.[2] |
| Enterprise | T1018 | Remote System Discovery | FIN5 has used the open source tool Essential NetTools to map the network and build a list of targets.[2] |
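The table above is a catalog, not a detection. The following is an added hunting example, not MITRE's code or anything from the cited reports: it runs over constructed Windows process-creation and Security-log records and flags the FIN5 tooling and behaviours listed (SDelete, pwdump, Windows Credential Editor, PsExec, cleared event logs). The record field names (`event_id`, `host`, `image`, `command_line`, `user`) and the default on-disk binary names are assumptions about the log source and the tools; since the page notes FIN5 uses a customized PsExec, the example also keys on the `PSEXESVC.exe` service stub PsExec drops on the target and on SDelete's free-space-wipe switches, both of which survive a renamed client binary.

```python
"""Hunting helper for the FIN5 tooling listed above (added example, not MITRE code).

Field names (event_id, host, image, command_line, user) and the default binary
names are assumptions about the log source and the tools' on-disk names.
"""
import ntpath
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed default file names for tools the profile lists. Actors rename
# binaries freely, so a hit here is a triage lead, not proof.
TOOL_IMAGES = {
    "sdelete.exe": "Indicator Removal: File Deletion (SDelete)",
    "sdelete64.exe": "Indicator Removal: File Deletion (SDelete)",
    "wce.exe": "OS Credential Dumping: LSASS Memory (Windows Credential Editor)",
    "pwdump.exe": "OS Credential Dumping: Security Account Manager (pwdump)",
    "psexec.exe": "System Services: Service Execution (PsExec)",
    "psexec64.exe": "System Services: Service Execution (PsExec)",
}

# Service stub PsExec copies to the target's ADMIN$ share. A renamed or
# customized client still drops it unless the service name was changed too,
# so this survives the "customized PsExec" case better than the client name.
PSEXEC_SERVICE_STUB = "psexesvc.exe"

# SDelete wiping free space: "-z <drive>" (zero) or "-c <drive>" (clean),
# usually alongside "-p <passes>". The switches survive renaming the binary.
SDELETE_FREESPACE_RE = re.compile(r"(?i)(^|\s)-[zc]\s+[a-z]:\\?(\s|$)")

# Windows Security event written when the Security log is cleared.
SECURITY_LOG_CLEARED = 1102


@dataclass(frozen=True)
class Finding:
    technique: str
    host: str
    evidence: str


def hunt(records):
    """Return a Finding for each record that matches FIN5 tooling or behaviour."""
    findings = []
    for rec in records:
        host = rec.get("host", "?")
        image = ntpath.basename(rec.get("image") or "").lower()
        cmd = rec.get("command_line") or ""
        if rec.get("event_id") == SECURITY_LOG_CLEARED:
            findings.append(Finding("Indicator Removal: Clear Windows Event Logs",
                                    host, f"Security log cleared by {rec.get('user', '?')}"))
        elif image in TOOL_IMAGES:
            findings.append(Finding(TOOL_IMAGES[image], host, cmd))
        elif image == PSEXEC_SERVICE_STUB:
            findings.append(Finding("System Services: Service Execution (PsExec service stub)",
                                    host, rec.get("image", "")))
        elif SDELETE_FREESPACE_RE.search(cmd):
            findings.append(Finding("Indicator Removal: File Deletion (SDelete-style switches)",
                                    host, cmd))
    return findings


def by_host(findings):
    """Group technique names per host so an analyst sees the whole chain at once."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.host].add(f.technique)
    return {h: sorted(t) for h, t in grouped.items()}


# Constructed sample records (not real telemetry). The renamed WCE copy
# ("w.exe") is deliberately left undetected by name to show the gap.
SAMPLE_RECORDS = [
    {"event_id": 1, "host": "POS-07", "image": r"C:\Windows\PSEXESVC.exe",
     "command_line": r"C:\Windows\PSEXESVC.exe", "user": r"NT AUTHORITY\SYSTEM"},
    {"event_id": 1, "host": "POS-07", "image": r"C:\Windows\Temp\w.exe",
     "command_line": "w.exe -w", "user": r"CORP\svc_backup"},
    {"event_id": 1, "host": "POS-07", "image": r"C:\Windows\Temp\pwdump.exe",
     "command_line": "pwdump.exe localhost", "user": r"CORP\svc_backup"},
    {"event_id": 1, "host": "POS-07", "image": r"C:\Windows\Temp\sd.exe",
     "command_line": "sd.exe -accepteula -p 3 -z C:", "user": r"CORP\svc_backup"},
    {"event_id": 1102, "host": "POS-07", "image": "", "command_line": "",
     "user": r"CORP\svc_backup"},
    {"event_id": 1, "host": "WS-12", "image": r"C:\Windows\System32\svchost.exe",
     "command_line": "svchost.exe -k netsvcs", "user": r"NT AUTHORITY\SYSTEM"},
]

if __name__ == "__main__":
    for host, techniques in by_host(hunt(SAMPLE_RECORDS)).items():
        print(host)
        for t in techniques:
            print("  ", t)
```

Name-based matching is the weakest layer here: the renamed `w.exe` record goes unflagged, which is why the stub and command-line heuristics exist. In production you would pair this with the credential-dumping telemetry (LSASS access, SAM reads) and with the remote-access events behind the Valid Accounts and External Remote Services rows, neither of which a process log alone shows.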
Software

| ID | Name | References | Techniques |
|---|---|---|---|
| S0173 | FLIPSIDE | [2] | Protocol Tunneling |
| S0029 | PsExec | FIN5 uses a customized version of PsExec.[2] | Create or Modify System Process: Windows Service, Create Account: Domain Account, Lateral Tool Transfer, System Services: Service Execution, Remote Services: SMB/Windows Admin Shares |
| S0006 | pwdump | [2] | OS Credential Dumping: Security Account Manager |
| S0169 | RawPOS | [3][2] | Data from Local System, Masquerading: Masquerade Task or Service, Create or Modify System Process: Windows Service, Archive Collected Data: Archive via Custom Method, Data Staged: Local Data Staging |
| S0195 | SDelete | [2] | Data Destruction, Indicator Removal: File Deletion |
| S0005 | Windows Credential Editor | [3][2] | OS Credential Dumping: LSASS Memory |