{ "id": "42491d7f-0eaa-461c-a59c-50f56cd82dff", "created_at": "2026-04-06T00:15:33.254247Z", "updated_at": "2026-04-10T03:33:53.531014Z", "deleted_at": null, "sha1_hash": "055ba19adf2555a8191068020526947cad083822", "title": "Mandiant Red Team Emulates FIN11 Tactics To Control Operational Technology Servers | Mandiant", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 961068, "plain_text": "Mandiant Red Team Emulates FIN11 Tactics To Control\r\nOperational Technology Servers | Mandiant\r\nBy Mandiant\r\nPublished: 2022-07-26 · Archived: 2026-04-05 13:53:38 UTC\r\nWritten by: Thibault Van Geluwe de Berlaere, Jay Christiansen, Daniel Kapellmann Zafra, Ken Proska, Keith\r\nLunden\r\nDuring the last couple of years, ransomware incidents have impacted thousands of industrial and critical\r\ninfrastructure organizations. In some cases, Mandiant has observed how these intrusions disrupt industrial\r\nproduction chains and operational workflows as a method to incentivize the payment of ransoms. Although in\r\nmost cases victims have suffered damages exclusively restricted to enterprise systems, this does not mean that\r\noperational technology (OT) systems are not at risk.\r\nThe nature of OT technology and the challenges of defending it means that many OT networks have security gaps\r\nthat even less sophisticated actors can leverage. Furthermore, Mandiant has consistently highlighted that some\r\nfinancially motivated groups continue to deploy the same or similar tools and techniques as those used by\r\nadvanced persistent threats (APTs) during high-profile cyber physical incidents.\r\nIn this blog, we describe an engagement where a Mandiant Red Team targeted a European engineering\r\norganization to understand the potential reach ransomware operators could have in their network. Our Red Team\r\nemulated the techniques used by FIN11, a financially motivated threat group that has conducted long-running\r\nransomware distribution campaigns across multiple industries. Using FIN11’s techniques to move from a\r\ncorporate endpoint with regular employee credentials, obtain domain administrator rights, steal critical data, and\r\ngain access to OT servers.\r\nRansomware Actors Have Proven Capabilities to Access OT\r\nIn 2020, Mandiant released a post describing how financial crime actors were expanding their reach into OT. Our\r\nassessment was based upon two process kill-lists that were deployed alongside known ransomware strains to\r\namplify the impact of the attacks. These lists were intended to enumerate and terminate software processes, a\r\ncouple of which were coincidentally related to OT. While there is limited documented information to determine\r\nthe impact from these process lists, our assessment indicated that by stopping such processes the actor could have\r\nabruptly terminated and encrypted critical OT functions resulting in added damage to the victim.\r\nOne of the two process kill lists was deployed alongside a CLOP ransomware sample, which we then attributed to\r\na cybercrime actor known as FIN11. The group has monetized their operations using point-of-sale (POS) malware,\r\nCLOP ransomware, and traditional extortion.\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 1 of 10\n\nFIN11 has shown no indication of having specialized OT expertise and there is no evidence indicating that the\r\nprocess kill list they deployed resulted in significant impacts to any victim OT environments. However, the actor’s\r\nuse of a process kill list containing some OT processes brings up further questions about the extent of their\r\ncapabilities and how they might impact OT in the future.\r\nIn the past, financially motivated actors—such as FIN11—have used tactics, techniques and procedures (TTPs)\r\nthat are comparable to those used by state-sponsored actors to support the early stages of the OT targeted attack\r\nlifecycle. This includes using publicly available tooling, living –off-the-land techniques, known exploitation\r\nframeworks, and tailored malware to compromise victims.\r\nFigure 1 illustrates some overlaps in techniques used during the TRITON and INDUSTROYER incidents with\r\ntechniques used by FIN11 and another cybercrime actor, FIN6 for ransomware deployment and extortion and\r\nretail card theft.\r\nFigure 1: TTP overlaps among state-sponsored and financially motivated actors\r\nThe overlaps in TTPs across the four cases likely exist because reaching target assets—both in IT and OT—often\r\nrequires an actor to follow a process of lateral movement and escalation of privileges across corporate and/or\r\nproduction networks. As ransomware operators have significantly evolved over the past couple of years, the main\r\ndifference that remains is that some state-sponsored actors have also invested significant resources to develop OT-tailored payloads to disrupt physical processes.\r\nMandiant Red Team Used FIN11 Techniques to Move Across a Target's Enterprise Network and\r\nReach OT Servers\r\nThe MandiantRed Team supported a European engineering organization to visualize the possible impact of a\r\nfinancially motivated actor deploying ransomware in their environment. The engagement pursued three goals, all\r\nof which were successfully accomplished:\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 2 of 10\n\nEmulate a ransomware attacker in the IT environment\r\nPropagate from IT to separate OT network segments\r\nEmulate multi-faceted extortion by accessing confidential information to steal and redistribute\r\nFigure 2 illustrates the two paths Mandiant pursued to reach OT targets:\r\nFigure 2: Red Team attack path using FIN11 techniques\r\nFor this engagement, Mandiant adopted an \"assumed breach\" approach, starting from a standard employee\r\naccount and device on the target's enterprise domain. Mandiant then utilized commonly seen FIN11 techniques to\r\ncontinue the intrusion moving across endpoints in different security zones (see the Appendix). Some of the\r\ntechniques we used to achieve our objectives in IT and OT included:\r\nReconnaissance of web and internal applications\r\nMandiant discovered several documents that contained cleartext credentials, information on IT\r\narchitecture, network information, and other confidential data on internal shares and knowledge\r\nsharing web applications and wikis.\r\nReconnaissance of Active Directory infrastructure\r\nMandiant used a variation of the public tool BloodHound to gather user, group, group policy objects\r\n(GPO), and machine information to build up data structures that describe the target's Active\r\nDirectory (AD) infrastructure. Mandiant then encrypted and exfiltrated this information to track\r\ncompromised users and strategize the next steps for the attack.\r\nPrivilege escalation through CVE-2021-36934, aka \"SeriousSAM\"\r\nMandiant discovered a number of devices vulnerable to CVE-2021-36934. Exploiting this\r\nvulnerability, Mandiant downloaded the Security Account Manager (SAM) databases of these\r\ndevices and utilized the Impacket library to extract secrets from it, including the password hashes\r\nfor local accounts, computer account passwords, and cached domain credentials.\r\nLateral movement through silver ticket\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 3 of 10\n\nMandiant forged Silver tickets – Kerberos Ticket Granting Service (TGS) tickets necessary for user\r\nauthentication – using the ticketer.py script from the Impacket library. This enabled the Red Team to\r\nimpersonate any user on the victim service (including administrative accounts) to escalate privileges\r\non specific endpoints in the IT network.\r\nPrivilege escalation through Active Directory Certificate Services abuse\r\nMandiant discovered that the target's AD Certificate Services (CS) configuration contained at least\r\none misconfiguration in a Certificate Template, which allowed the requesting entity to request\r\ncertificates for other principals in the target's AD domains. Mandiant enumerated the AD CS\r\nconfiguration using the public Certify tool.\r\nPivoting to OT on Multiple Fronts\r\nUsing the information and privileges gathered through the enterprise network compromises, Mandiant identified\r\nthe best paths to reach the target OT servers. Mandiant focused on reaching two different specific targets: an\r\nisolated legacy OT network and a global OT network with connections across different regions.\r\nOT Compromise #1 – Establish Foothold and Privilege Escalation in Legacy OT Network\r\nFigure 3: Red Team attack path for OT Compromise #1\r\nMandiant used the same credentials and documentation acquired during initial phases in the corporate network to\r\ngain access to remote management software installed on a host with access to the OT network. Mandiant then\r\nenumerated the host's network defenses and observed that it did not utilize SSL/TLS inspection, which allowed\r\nthe Red Team to launch an implant that utilized domain fronting as a means for command and control (C\u0026C).\r\nFurther network enumeration uncovered that the account accessed via the remote management software also had\r\nadministrative privileges on other hosts in the OT network. Mandiant used the remote desktop protocol (RDP) to\r\naccess multiple hosts, enumerate their defenses, and upload a custom crafted C\u0026C implant payload via Server\r\nMessage Block (SMB) protocol and RDP. Mandiant then executed these payloads via remote service creation,\r\nWindows Management Instrumentation (WMI) command execution, and manual execution. Given that these\r\nprotocols and services were also being utilized by legitimate users, it is unlikely that such activity would raise any\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 4 of 10\n\nalerts, making the lateral movement blend into background traffic and decreasing the likelihood of discovery by\r\nnetwork sensors.\r\nIn total, Mandiant accessed eight servers within the OT network, one of which was a Human Machine Interface\r\n(HMI). Access to this system would allow an attacker to maliciously interact with the physical control process\r\nusing native commands. Once Mandiant established a foothold and had administrative access, the focus shifted to\r\nprivilege escalation.\r\nMandiant dumped the SAM database on one of the hosts to retrieve local account password hashes, which\r\nwe cracked using a dictionary attack. This revealed the cleartext password for one of the local\r\nadministrator accounts.\r\nUtilizing local administrator credentials Mandiant created a memory dump of the Local Security Authority\r\nSubsystem Service (LSASS) process on another OT host using the Task Manager application.\r\nMandiant exfiltrated a memory dump file and retrieved the contained credentials using a specifically\r\npacked version of the public tool Mimikatz. The recovered credentials contained the NTLM hash for a\r\nDomain Administrator account on the OT network domain.\r\nMandiant then completed the objective by utilizing the Domain Administrator account password hash and\r\nexecuting our custom payload on the OT domain controller via remote service creation.\r\nOT Compromise #2: Move Laterally from IT to Global OT Network\r\nFigure 4: Red Team attack path for OT Compromise #2\r\nFor the second attack path, Mandiant escalated privileges within the target's enterprise domain with an \"AS-REP\r\nroast\" attack using the Impacket library to recover multiple user account password hashes. Mandiant cracked\r\npassword hashes using a dictionary attack, which revealed the cleartext password for one of the accounts. The user\r\naccount and credentials had RDP privileges onto an additional host, allowing Mandiant to move laterally within\r\nthe enterprise environment.\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 5 of 10\n\nThe accessed host contained engineering software, which indicated it was likely a jumphost or an application\r\nserver for engineers. Additionally, the engineering application installed on the host used shortcuts on the desktop\r\nthat pointed to batch (BAT) files in a directory writeable by non-privileged users. This allowed Mandiant to alter\r\nthe content of the BAT files to launch unauthorized applications when users clicked the shortcut on the desktop.\r\nMultiple users fell victim to this attack. One of these users was a member of several AD groups and had RDP\r\nprivileges to various OT jump hosts. Mandiant used the Rubeus tool to extract the user's Kerberos Ticket Granting\r\nTicket (TGT) from an active session on the compromised host. This allowed Mandiant to import the TGT on a\r\nsystem that was already controlled by the Red Team and then request a TGS for the \"TERMSRV/\" service, which\r\ncan be used to connect via RDP to a target host using Remote Credential Guard or Restricted Admin Mode.\r\nFinally, Mandiant launched the Remote Desktop session via the \"mstsc /remoteGuard\" command to connect to\r\nseveral OT jumphosts via RDP.\r\nTo complete the objective, Mandiant again used credentials acquired during the reconnaissance phase to\r\nauthenticate to an OT server from one of the OT jumphosts. The OT server ran a client/server-based SCADA\r\nsoftware solution which was fully accessible and already active on the machine; however due to operational\r\nimpact concerns, the Red Team refrained from interacting with the application. Access to this type of software\r\ncould potentially allow an attacker to perform in-depth reconnaissance of the OT environment, exfiltrate sensitive\r\ninformation, deploy additional payloads (e.g., ransomware), or even degrade the victim's ability to monitor or\r\ncontrol the process.\r\nRansomware Attack Emulation Provides Critical Insight on Defensive Capabilities\r\nOT systems are critical for organizations to automate production processes. As a result, they are attractive targets\r\nfor actors intending to disrupt production either for profit or to produce physical damage. The overlaps in TTPs\r\nbetween ransomware operators and OT-focused APTs suggest that protecting against ransomware operations also\r\nyields significant defenses against other impactful events, such as a cyber physical attack.\r\nAs of mid-2022 we have not observed financially motivated actors explicitly targeting OT networks to extort\r\nvictims, however we highlight that actors have carried out ransomware attacks that impacted OT processes. Actors\r\nwith access to OT assets may be empowered to disrupt the victim's control or visibility over a process in several\r\nways. OT asset owners and operators benefit from ransomware attack emulation by confronting the latest\r\nadversary TTPs, identifying vulnerabilities in their environment and improving breach detection and response\r\ncapabilities.\r\nFor more information about attack emulation and red teaming services for OT, please see our previous post on\r\nproactive security service offerings for OT. Visit our website to request more information about Mandiant services\r\nfor OT, red team assessments or threat intelligence.\r\nAppendix: FIN11 Techniques Utilized for the Red Team Engagement\r\nTTP Emulation\r\nInitial Access\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 6 of 10\n\nT1192: Spear-Phishing Link Out of Scope\r\nT1193: Spearphishing Attachment Out of Scope\r\nExecution\r\nT1047: Windows Management Instrumentation Yes\r\nT1086: PowerShell Yes\r\nT1053: Scheduled Task No\r\nT1064: Scripting Yes\r\nT1059: Command-Line Interface Yes\r\nT1035: Service Execution Yes\r\nT1204: User Execution Yes\r\nPersistence\r\nT1133: External Remote Services Out of Scope\r\nT1053: Scheduled Task No\r\nT1060: Registry Run Keys / Start Folder No\r\nT1015: Accessibility Features No\r\nT1138: Application Shimming No\r\nT1004: Winlogon Helper DLL No\r\nT1050: New Service Yes\r\nT1078: Valid Accounts Yes\r\nT1108: Redundant Access Yes\r\nPrivilege Escalation\r\nT1138: Application Shimming No\r\nT1055: Process Injection Yes\r\nT1015: Accessibility Features No\r\nT1050: New Service Yes\r\nT1053: Scheduled Task No\r\nT1078: Valid Accounts Yes\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 7 of 10\n\nT1086: Exploitation for Privilege Escalation Yes\r\nDefensive Evasion\r\nT1055: Process Injection Yes\r\nT1045: Software Packing Yes\r\nT1107: File Deletion Yes\r\nT1064: Scripting Yes\r\nT1116: Code Signing Yes\r\nT1112: Modify Registry No\r\nT1070: Indicator Removal on Host Yes\r\nT1027: Obfuscated Files or Information Yes\r\nT1202: Indirect Command Execution Yes\r\nT1090: Connection Proxy Yes\r\nT1078: Valid Accounts Yes\r\nT1140: Deobfuscate/Decode Files or Information Yes\r\nT1108: Redundant Access Yes\r\nCredential Access\r\nT1003: Credential Dumping Yes\r\nT1558: Kerberoasting Yes\r\nT1003.006: DCSync No\r\nDiscovery\r\nT1082: System Information Discovery Yes\r\nT1057: Process Discovery Yes\r\nT1063: Security Software Discovery Yes\r\nLateral Movement\r\nT1021: Remote Services Yes\r\nT1076: Remote Desktop Protocol Yes\r\nT1105: Remote File Copy Yes\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 8 of 10\n\nCollection\r\nT1125: Video Capture No\r\nT1113: Screen Capture No\r\nT1119: Automated Collection Yes\r\nT1005: Data from Local System Yes\r\nCommand and Control\r\nT1090: Connection Proxy Yes\r\nT1071: Standard Application Layer Protocol Yes\r\nT1094: Custom C2 Protocol No\r\nT1105: Remote File Copy Yes\r\nT1032: Standard Cryptographic Protocol Yes\r\nT1043: Commonly Used Port Yes\r\nT1065: Uncommonly Used Port No\r\nT1219: Remote Access Tools Yes\r\nExfiltration\r\nT1002: Data Compressed Out of Scope\r\nT1022: Data Encrypted Out of Scope\r\nT1041: Exfiltration Over C2 Channel Out of Scope\r\nT1048: Exfiltration Over Alternative Protocol Out of Scope\r\nImpact\r\nT1486: Data Encrypted for Impact Out of Scope\r\nT1529: System Shutdown/Reboot Out of Scope\r\nT1485: Data Destruction Out of Scope\r\nT1488: Disk Content Wipe Out of Scope\r\nT1489: Service Stop Out of Scope\r\nTable 1: List of FIN11 techniques used for the Red Team emulation\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 9 of 10\n\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nhttps://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics\r\nPage 10 of 10", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia" ], "references": [ "https://www.mandiant.com/resources/mandiant-red-team-emulates-fin11-tactics" ], "report_names": [ "mandiant-red-team-emulates-fin11-tactics" ], "threat_actors": [ { "id": "12517c87-040a-4627-a3df-86ca95e5c13f", "created_at": "2022-10-25T16:07:23.61665Z", "updated_at": "2026-04-10T02:00:04.689Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "ATK 88", "Camouflage Tempest", "FIN6", "G0037", "Gold Franklin", "ITG08", "Skeleton Spider", "Storm-0538", "TAAL", "TAG-CR2", "White Giant" ], "source_name": "ETDA:FIN6", "tools": [ "AbaddonPOS", "Agentemis", "AmmyyRAT", "Anchor_DNS", "BlackPOS", "CmdSQL", "Cobalt Strike", "CobaltStrike", "FlawedAmmyy", "FrameworkPOS", "Grateful POS", "JSPSPY", "Kaptoxa", "LOLBAS", "LOLBins", "Living off the Land", "LockerGoga", "MMon", "Magecart", "Meterpreter", "Mimikatz", "More_eggs", "NeverQuest", "POSWDS", "Reedum", "Ryuk", "SCRAPMINT", "SONE", "SpicyOmelette", "StealerOne", "Taurus Loader Stealer Module", "Terra Loader", "TerraStealer", "Vawtrak", "WCE", "Windows Credential Editor", "Windows Credentials Editor", "cobeacon", "grabnew" ], "source_id": "ETDA", "reports": null }, { "id": "6728f306-6259-4e7d-a4ea-59586d90a47d", "created_at": "2023-01-06T13:46:39.175292Z", "updated_at": "2026-04-10T02:00:03.236282Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "TEMP.Warlock", "UNC902" ], "source_name": "MISPGALAXY:FIN11", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "5e6b31a6-80e3-4e7d-8b0a-d94897ce9b59", "created_at": "2024-06-19T02:03:08.128175Z", "updated_at": "2026-04-10T02:00:03.636663Z", "deleted_at": null, "main_name": "GOLD TAHOE", "aliases": [ "Cl0P Group Identity", "FIN11 ", "GRACEFUL SPIDER ", "SectorJ04 ", "Spandex Tempest ", "TA505 " ], "source_name": "Secureworks:GOLD TAHOE", "tools": [ "Clop", "Cobalt Strike", "FlawedAmmy", "Get2", "GraceWire", "Malichus", "SDBbot", "ServHelper", "TrueBot" ], "source_id": "Secureworks", "reports": null }, { "id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9", "created_at": "2022-10-25T15:50:23.317961Z", "updated_at": "2026-04-10T02:00:05.280403Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "FIN6", "Magecart Group 6", "ITG08", "Skeleton Spider", "TAAL", "Camouflage Tempest" ], "source_name": "MITRE:FIN6", "tools": [ "FlawedAmmyy", "GrimAgent", "FrameworkPOS", "More_eggs", "Cobalt Strike", "Windows Credential Editor", "AdFind", "PsExec", "LockerGoga", "Ryuk", "Mimikatz" ], "source_id": "MITRE", "reports": null }, { "id": "1db21349-11d6-4e57-805c-fb1e23a8acab", "created_at": "2022-10-25T16:07:23.630365Z", "updated_at": "2026-04-10T02:00:04.694622Z", "deleted_at": null, "main_name": "FIN11", "aliases": [ "Chubby Scorpius", "DEV-0950", "Lace Tempest", "Operation Cyclone" ], "source_name": "ETDA:FIN11", "tools": [ "AZORult", "Amadey", "AmmyyRAT", "AndroMut", "BLUESTEAL", "Cl0p", "EMASTEAL", "FLOWERPIPE", "FORKBEARD", "FRIENDSPEAK", "FlawedAmmyy", "GazGolder", "Get2", "GetandGo", "JESTBOT", "MINEBRIDGE", "MINEBRIDGE RAT", "MINEDOOR", "MIXLABEL", "Meterpreter", "NAILGUN", "POPFLASH", "PuffStealer", "Rultazo", "SALTLICK", "SCRAPMINT", "SHORTBENCH", "SLOWROLL", "SPOONBEARD", "TiniMet", "TinyMet", "VIDAR", "Vidar Stealer" ], "source_id": "ETDA", "reports": null }, { "id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e", "created_at": "2024-06-19T02:03:08.052814Z", "updated_at": "2026-04-10T02:00:03.659971Z", "deleted_at": null, "main_name": "GOLD FRANKLIN", "aliases": [ "FIN6 ", "ITG08 ", "MageCart Group 6 ", "Skeleton Spider ", "Storm-0538 ", "White Giant " ], "source_name": "Secureworks:GOLD FRANKLIN", "tools": [ "FrameWorkPOS", "Metasploit", "Meterpreter", "Mimikatz", "PowerSploit", "PowerUpSQL", "RemCom" ], "source_id": "Secureworks", "reports": null }, { "id": "ee3363a4-e807-4f95-97d8-b603c31b9de1", "created_at": "2023-01-06T13:46:38.485884Z", "updated_at": "2026-04-10T02:00:02.99385Z", "deleted_at": null, "main_name": "FIN6", "aliases": [ "SKELETON SPIDER", "ITG08", "MageCart Group 6", "ATK88", "TA4557", "Storm-0538", "White Giant", "GOLD FRANKLIN", "G0037", "Camouflage Tempest" ], "source_name": "MISPGALAXY:FIN6", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434533, "ts_updated_at": 1775792033, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/055ba19adf2555a8191068020526947cad083822.pdf", "text": "https://archive.orkl.eu/055ba19adf2555a8191068020526947cad083822.txt", "img": "https://archive.orkl.eu/055ba19adf2555a8191068020526947cad083822.jpg" } }