
S0173: FLIPSIDE

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [1]

Enterprise · S0173 · Malware · Object v1.1
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

FLIPSIDE matters because it is described as a Windows tool used to maintain access, similar to Plink, and associated with protocol tunneling. For leaders, the practical issue is not the malware name itself; it is whether the organization can see and control tunnel-style remote access that may blend with normal network traffic and preserve attacker access after initial compromise.

Executive priority

Prioritize this as an access-resilience and monitoring question: can security teams prove that they collect enough endpoint and network evidence to identify unauthorized tunneling from Windows systems, especially in environments handling personally identifiable information or payment card data? The FIN5 relationship adds business relevance for hospitality, gaming, restaurant, and payment-data-heavy operations, but local exposure should be assessed from environment evidence rather than assumed.

Technical view

ATT&CK provides no dedicated detection text for FLIPSIDE, so SOC and IR teams should validate coverage around the related behavior: Protocol Tunneling for command-and-control. On Windows systems, confirm visibility into process execution and network activity sufficient to spot unexpected tunneling tools or Plink-like remote access patterns, then correlate host activity with proxy, firewall, and DNS records. Treat this as behavior-driven detection rather than signature-only coverage for the FLIPSIDE name.

Likely telemetry

  • Windows process execution events, including executable path, command line, user, parent process, and host context
  • Endpoint network connection telemetry from Windows systems
  • Proxy, firewall, and egress filtering logs showing outbound connections and destinations
  • DNS query logs associated with suspected tunneling activity
  • EDR or endpoint security alerts related to remote access tools, tunneling, or unusual network behavior

Detection direction

  • Validate detections for unauthorized protocol tunneling and Plink-like remote access behavior rather than relying on the FLIPSIDE name alone.
  • Baseline legitimate administrative tunneling and remote access usage to reduce false positives and expose unmanaged exceptions.
  • Correlate Windows process telemetry with network egress records; either source alone may be insufficient.
  • Review blind spots where endpoint logging is absent, proxy visibility is bypassed, or encrypted/tunneled traffic is allowed without destination or process context.
  • Use the FIN5 relationship as threat-intelligence context for prioritization, not as proof of attribution in an incident.
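The correlation the bullets above describe, as an added example that is not part of the ATT&CK entry or Glexia's analysis: constructed Windows process-execution and endpoint network events are joined by host and PID, processes that launch with Plink-style forwarding switches are kept, a baseline of approved administrative tunneling is excluded, and each finding is enriched with whether its peer is outside the assumed internal ranges and whether RDP (port 3389) is involved. Event field names, the approved-tool baseline, and the internal address ranges are assumptions.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample telemetry (not real logs); field names are an assumption.
PROCESS_EVENTS = [
    {"host": "WS01", "pid": 4120, "user": "bob", "parent": "explorer.exe",
     "image": r"C:\Users\bob\AppData\Local\Temp\svc.exe",
     "cmdline": "svc.exe -N -R 3389:127.0.0.1:3389 user@203.0.113.10"},
    {"host": "WS02", "pid": 5010, "user": "alice", "parent": "explorer.exe",
     "image": r"C:\Windows\System32\mstsc.exe", "cmdline": "mstsc.exe /v:10.0.0.25"},
    {"host": "ADM01", "pid": 3344, "user": "svc_admin", "parent": "cmd.exe",
     "image": r"C:\Tools\plink.exe", "cmdline": "plink.exe -L 8443:10.0.0.5:443 admin@10.0.0.2"},
]
NETWORK_EVENTS = [
    {"host": "WS01", "pid": 4120, "dst": "203.0.113.10", "dport": 22},
    {"host": "WS02", "pid": 5010, "dst": "10.0.0.25", "dport": 3389},
    {"host": "ADM01", "pid": 3344, "dst": "10.0.0.2", "dport": 22},
]
# Assumed baseline: (host, image name, user) tuples of approved admin tunneling.
APPROVED = {("ADM01", "plink.exe", "svc_admin")}
# Assumed internal address space; any peer outside it counts as external.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
# Plink-style forwarding switches (-R/-L/-D) followed by a port specification.
FORWARD_FLAG = re.compile(r"(?:^|\s)-([RLD])\s+(\S+)")

def find_tunneling_candidates(procs, conns, approved=APPROVED):
    """Return unmanaged tunnel-setup candidates, each joined with its network peers."""
    by_proc = {}
    for c in conns:
        by_proc.setdefault((c["host"], c["pid"]), []).append(c)
    findings = []
    for p in procs:
        m = FORWARD_FLAG.search(p["cmdline"])
        if not m:
            continue  # no forwarding switch on the command line: not tunnel setup
        image = p["image"].rsplit("\\", 1)[-1].lower()
        if (p["host"], image, p["user"]) in approved:
            continue  # baselined administrative tunneling, not a finding
        peers = by_proc.get((p["host"], p["pid"]), [])
        external = any(not any(ip_address(c["dst"]) in n for n in INTERNAL_NETS) for c in peers)
        rdp = "3389" in m.group(2) or any(c["dport"] == 3389 for c in peers)
        findings.append({"host": p["host"], "pid": p["pid"], "image": image,
                         "user": p["user"], "parent": p["parent"],
                         "forward": f"-{m.group(1)} {m.group(2)}",
                         "external_peer": external, "rdp_involved": rdp,
                         "peers": [f"{c['dst']}:{c['dport']}" for c in peers]})
    return findings

if __name__ == "__main__":
    for finding in find_tunneling_candidates(PROCESS_EVENTS, NETWORK_EVENTS):
        print(finding)
```

Running the block reports only the WS01 process: the approved plink.exe session on ADM01 is suppressed by the baseline, and mstsc.exe never matches a forwarding switch.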

Mitigation priorities

  • Inventory and govern approved remote access and tunneling tools on Windows systems.
  • Restrict unauthorized egress paths and require business justification for tunneling-capable utilities.
  • Ensure endpoint and network logging are retained long enough to support incident response reconstruction.
  • Harden administrative access practices so tunnel creation requires accountable, monitored identities.
  • Document detection and control evidence for compliance programs where payment card or personal data environments are in scope.

Analyst notes and limits

The official ATT&CK entry is sparse: FLIPSIDE is described as a simple Plink-like tool used by FIN5 to maintain access, and the relationship context maps it to Protocol Tunneling. That makes the defensive value primarily behavioral: validate whether the organization can detect and investigate unauthorized tunneling from Windows hosts.

No official ATT&CK detection guidance, aliases, labels, or object-level tactics were provided. The assessment should not be treated as evidence of active exploitation, current FIN5 activity, or confirmed exposure in any environment without local telemetry and incident evidence.

Official MITRE ATT&CK definition

FLIPSIDE

FLIPSIDE is a simple tool similar to Plink that is used by FIN5 to maintain access to victims. [1]


Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain | ID | Name | Relationship / procedure
Enterprise | T1572 | Protocol Tunneling | FLIPSIDE uses RDP to tunnel traffic from a victim environment. [1]

Associated objects

Groups, software, and campaigns

Group Enterprise

G0053: FIN5

FIN5 is a financially motivated threat group that has targeted personally identifiable information and payment card information. The group has been active since at least 2008 and has targeted the restaurant, gaming, and hotel industries. The group is made up of actors who likely speak Russian. [1] [2] [3]

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 1.1
Created:
Modified:
Raw hash: 6a66428a02ec5359...

Imported snapshots across ATT&CK releases (1)

Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | | 1.1 | | Current bundle | 6a66428a02ec…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Mandiant FIN5 GrrCON Oct 2016: Bromiley, M. and Lewis, P. (2016, October 7). Attacking the Hospitality and Gaming Industries: Tracking an Attacker Around the World in 7 Years. Retrieved October 6, 2017.
  2. [2] FLIPSIDE (Citation: Mandiant FIN5 GrrCON Oct 2016)
  3. [3] mitre-attack S0173

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.