Hide Navigation Hide TOC

TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group as been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	1
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	1
Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	1
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	1
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	1
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	1
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92)	Attack Pattern	1
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27)	mitre-tool	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	1
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120)	Attack Pattern	1
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	1
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)	Intrusion Set	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	2
Linux and Mac File and Directory Permissions Modification - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345)	Attack Pattern	File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120)	Malware	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	2
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Storage Object Discovery - T1619 (8565825b-21c8-4518-b75e-cbc4c717a156)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221)	mitre-tool	Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92)	Attack Pattern	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	2
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	2
Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27)	mitre-tool	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a)	Attack Pattern	2
Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783)	Attack Pattern	Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99)	Attack Pattern	2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	2
SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	2
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120)	Attack Pattern	2
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825)	Attack Pattern	3
Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51)	Attack Pattern	3