Hide Navigation Hide TOC

TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120)	Attack Pattern	1
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	1
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	1
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27)	mitre-tool	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120)	Attack Pattern	2
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	2
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Storage Object Discovery - T1619 (8565825b-21c8-4518-b75e-cbc4c717a156)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	2
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	2
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27)	mitre-tool	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	2
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	2
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	3
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	3
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	3
Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3