S0503: FrameworkPOS
FrameworkPOS is a point of sale (POS) malware used by FIN6 to steal payment card data from systems that run physical POS devices.[1]
Analyst context for executives and security teams
FrameworkPOS matters because it is malware described by ATT&CK as targeting physical point-of-sale environments to steal payment card data. For executives and security leaders, the decision value is not just malware awareness; it is whether retail or hospitality payment environments have enough segmentation, monitoring, incident response readiness, and evidence collection to prove that card-data theft behaviors would be noticed and contained.
Executive priority
Prioritize this as a payment-data and business-continuity risk where physical POS systems are in scope. Leaders should ask whether POS networks are isolated, whether logs from POS-adjacent systems and egress points are retained, whether incident responders can quickly determine if payment data was collected or staged locally, and whether compliance evidence can support payment-card investigation and notification decisions. ATT&CK links this malware to FIN6 and to collection, discovery, staging, archiving, and exfiltration behaviors, making it relevant to SOC readiness, IR playbooks, and control validation around payment environments.
Technical view
ATT&CK provides no official detection text and no malware-specific platform list for FrameworkPOS, so defenders should validate coverage through the related behaviors: Data from Local System, Process Discovery, Local Data Staging, Archive via Custom Method, and Exfiltration Over Alternative Protocol. SOC and IR teams should focus on whether POS-connected systems generate usable endpoint, process, file, and network telemetry; whether local staging or unusual archive-like artifacts can be investigated; and whether outbound traffic from payment environments is tightly baselined. Because the object is associated with physical POS devices and payment-card theft, environment-specific baselines are essential.
Likely telemetry
- Endpoint process execution and process inventory data from POS-connected systems where available
- File creation, modification, and access telemetry for local directories that could be used for data collection or staging
- Evidence of archive, compression, encryption, or custom-packed data artifacts prior to transfer
- Network egress logs from POS segments, including protocol, destination, volume, and timing metadata
- Firewall, proxy, DNS, and other boundary-control logs capable of showing alternative-protocol exfiltration paths
Detection direction
- Do not rely on a FrameworkPOS-specific analytic unless it is locally validated; ATT&CK does not provide official detection guidance for this object.
- Map detections to the related ATT&CK behaviors: process discovery, local data access, local staging, custom archiving, and exfiltration over nonstandard or unexpected protocols.
- Tune for POS environment context: false positives may come from legitimate payment applications, maintenance tools, backups, diagnostics, or vendor support activity.
- Validate that POS network egress is baselined and that unusual destinations, protocols, or transfer volumes can be investigated quickly.
- Review whether local staging indicators would be visible if malware collected payment data before exfiltration; many gaps appear when POS endpoints have limited logging or are treated as appliances.
Mitigation priorities
- Inventory systems that run or directly support physical POS devices and define what telemetry is mandatory for investigation.
- Segment POS environments and restrict outbound communication to approved destinations and protocols.
- Harden and monitor endpoint and file-system activity on POS-supporting systems to the extent operationally feasible.
- Establish SOC playbooks for payment-data collection, local staging, archive creation, and alternative-protocol exfiltration scenarios.
- Retain network and endpoint evidence long enough to support payment-card incident response, compliance review, and legal decision-making.
Analyst notes and limits
The most useful defensive interpretation comes from the relationships: FrameworkPOS is associated with FIN6 and uses techniques covering local collection, process discovery, local staging, custom archiving, and exfiltration over alternative protocols. This supports a practical control-review path for POS environments without assuming any specific current campaign, victim exposure, or guaranteed detection method.
The supplied ATT&CK object has no official detection text, no aliases, no labels, no tactics listed directly on the malware object, and no malware-specific platforms. Platform details appear only on related techniques and should not be treated as confirmed FrameworkPOS platform coverage. Local POS architecture, logging depth, vendor constraints, and network design are required to assess real exposure and detection readiness.
FrameworkPOS
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1005 | Data from Local System | FrameworkPOS can collect elements related to credit card data from process memory. (Citation: SentinelOne FrameworkPOS September 2019) |
| Enterprise | T1048 | Exfiltration Over Alternative Protocol | FrameworkPOS can use DNS tunneling for exfiltration of credit card data. (Citation: SentinelOne FrameworkPOS September 2019) |
| Enterprise | T1074.001 | Local Data Staging (sub-technique) | FrameworkPOS can identify payment card track data on the victim and copy it to a local file in a subdirectory of C:\Windows\. (Citation: FireEye FIN6 April 2016) |
| Enterprise | T1057 | Process Discovery | FrameworkPOS can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping. (Citation: SentinelOne FrameworkPOS September 2019) |
| Enterprise | T1560.003 | Archive via Custom Method (sub-technique) | FrameworkPOS can XOR credit card information before exfiltration. (Citation: SentinelOne FrameworkPOS September 2019) |
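The T1048 row above and the egress-baselining item under "Detection direction" both come down to the same question: would DNS tunneling out of a POS segment be visible in the logs you retain? The following Python is an added illustration, not code from ATT&CK, SentinelOne or Glexia: it groups DNS queries by registered domain and flags domains that receive repeated long, high-entropy labels (the shape encoded exfiltration takes). The log lines, hosts and domains are constructed, and the thresholds are assumptions to be tuned against your own POS baseline.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic): "timestamp src_ip qtype qname".
SAMPLE_DNS_LOG = """\
2024-01-01T10:00:01 10.20.1.15 A updates.example-posvendor.test
2024-01-01T10:00:02 10.20.1.15 TXT 4a7f9c2e1b0d8e3f5a6c7b9d2e4f6a8b.c1.example-exfil.test
2024-01-01T10:00:03 10.20.1.15 TXT 9b1e3c5d7f2a4c6e8b0d1f3a5c7e9b2d.c2.example-exfil.test
2024-01-01T10:00:04 10.20.1.15 TXT e3d5f7a9c1b2d4f6a8c0e2b4d6f8a1c3.c3.example-exfil.test
2024-01-01T10:00:05 10.20.1.15 TXT 2c4e6a8b0d1f3a5c7e9b1d3f5a7c9e0b.c4.example-exfil.test
2024-01-01T10:00:06 10.20.1.15 A time.example-posvendor.test
2024-01-01T10:00:07 10.20.1.16 A www.example-bank.test
"""

def shannon_entropy(s):
    """Bits per character; encoded exfil labels (hex/base32/base64) score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def registered_domain(qname):
    # Simplification: last two labels; a real deployment would consult a public-suffix list.
    return ".".join(qname.split(".")[-2:])

def analyze_dns_log(text, min_queries=3, min_label_len=24, min_entropy=3.5):
    # Assumed thresholds: several queries, each carrying a long, high-entropy label.
    stats = defaultdict(lambda: {"queries": 0, "subs": set(), "long": 0,
                                 "high_entropy": 0, "txt_null": 0, "sub_bytes": 0})
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the analytic
        _ts, _src, qtype, qname = parts
        qname = qname.rstrip(".").lower()
        dom = registered_domain(qname)
        sub = qname[: -len(dom) - 1] if len(qname) > len(dom) else ""
        st = stats[dom]
        st["queries"] += 1
        st["subs"].add(sub)
        st["sub_bytes"] += len(sub)              # bytes actually carried in query names
        st["txt_null"] += qtype in ("TXT", "NULL")  # record types favoured by tunnels
        for label in filter(None, sub.split(".")):
            st["long"] += len(label) >= min_label_len
            st["high_entropy"] += shannon_entropy(label) >= min_entropy
    findings = []
    for dom, st in sorted(stats.items()):
        if min(st["queries"], st["long"], st["high_entropy"]) >= min_queries:
            findings.append({"domain": dom, "queries": st["queries"],
                             "unique_subdomains": len(st["subs"]),
                             "txt_null": st["txt_null"], "sub_bytes": st["sub_bytes"]})
    return findings
```

Legitimate POS vendor and bank lookups in the sample stay below the thresholds; the flagged domain's per-source query volume and `sub_bytes` give responders a first estimate of how much data could have left the segment.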
Groups, software, and campaigns
G0037: FIN6
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the ATT&CK resources Updates page.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | c8d4e1ab06d8… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] SentinelOne FrameworkPOS September 2019: Kremez, V. (2019, September 19). FIN6 "FrameworkPOS": Point-of-Sale Malware Analysis & Internals. Retrieved September 8, 2020.
- [2] Trinity (Citation: SentinelOne FrameworkPOS September 2019)
- [3] mitre-attack S0503
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.