Skip to content

Hide Navigation Hide TOC

FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022)

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. (Citation: FireEye Respond Webinar July 2017) (Citation: Mandiant FIN5 GrrCON Oct 2016) (Citation: DarkReading FireEye FIN5 Oct 2015)

Cluster A Galaxy A Cluster B Galaxy B Level
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set 1
FIN5 - G0053 (85403903-15e0-4f9f-9be4-a259ecad4022) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c) Attack Pattern SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Windows Credential Editor - S0005 (242f3da3-4425-4d11-8f5c-b842886da966) mitre-tool 2
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
RawPOS (80f87001-ff40-4e33-bd12-12ed1a92d1d7) Malpedia RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern RawPOS - S0169 (9752aef4-a1f3-4328-929f-b64eb0536090) Malware 2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
FLIPSIDE - S0173 (0e18b800-906c-4e44-a143-b11c72b3448b) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern pwdump - S0006 (9de2308e-7bed-43a3-8e58-f194b3586700) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3