
TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca)

TeamTNT is a threat group that has primarily targeted cloud and containerized environments. The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.(Citation: Palo Alto Black-T October 2020)(Citation: Lacework TeamTNT May 2021)(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Trend Micro TeamTNT)(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Aqua TeamTNT August 2020)(Citation: Intezer TeamTNT Explosion September 2021)

| Cluster A | Galaxy A | Cluster B | Galaxy B | Level |
|---|---|---|---|---|
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) | Attack Pattern | 1 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 1 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | 1 |
| Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) | Attack Pattern | 1 |
| Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) | Attack Pattern | 1 |
| Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) | Attack Pattern | 1 |
| Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) | Attack Pattern | 1 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 1 |
| Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | 1 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) | Attack Pattern | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) | Attack Pattern | 1 |
| Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27) | mitre-tool | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) | Attack Pattern | TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | 1 |
| TeamTNT - G0139 (35d1b3be-49d4-42f1-aaa6-ef159c880bca) | Intrusion Set | Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) | Attack Pattern | 1 |
| Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) | Attack Pattern | Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) | Attack Pattern | 2 |
| Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) | Attack Pattern | Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) | Attack Pattern | 2 |
| Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) | Attack Pattern | Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) | Attack Pattern | 2 |
| Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) | Attack Pattern | 2 |
| Resource Hijacking - T1496 (cd25c1b4-935c-4f0e-ba8d-552f28bc4783) | Attack Pattern | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 2 |
| Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) | Attack Pattern | Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) | Attack Pattern | 2 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 2 |
| Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) | Attack Pattern | Malicious Image - T1204.003 (b0c74ef9-c61e-4986-88cb-78da98a355ec) | Attack Pattern | 2 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) | Attack Pattern | 2 |
| Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) | Attack Pattern | Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) | Attack Pattern | 2 |
| Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) | Attack Pattern | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 2 |
| LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 2 |
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 2 |
| LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) | Attack Pattern | 2 |
| LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) | Attack Pattern | 2 |
| Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 2 |
| LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 2 |
| Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 2 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | 2 |
| LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) | mitre-tool | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 2 |
| SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) | Attack Pattern | Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) | Attack Pattern | 2 |
| Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) | Attack Pattern | 2 |
| Container CLI/API - T1059.013 (c283d88f-8c23-4318-9da5-3d50cecad756) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Cloud Storage Object Discovery - T1619 (8565825b-21c8-4518-b75e-cbc4c717a156) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Deploy Container - T1610 (56e0d8b8-3e25-49dd-9050-3aa252f5aa92) | Attack Pattern | 2 |
| Peirates - S0683 (79dd477a-8226-4b3d-ad15-28623675f221) | mitre-tool | Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | 2 |
| Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) | Attack Pattern | 2 |
| Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | Clear Linux or Mac System Logs - T1685.006 (5e29d64d-2b14-4f92-875e-4c9c498e213c) | Attack Pattern | 2 |
| PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) | Attack Pattern | Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | 2 |
| Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| SSH Authorized Keys - T1098.004 (6b57dc31-b814-4a03-8706-28bc20d739c4) | Attack Pattern | Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) | Attack Pattern | 2 |
| Systemctl - T1569.003 (4b46767d-4a61-4f30-995e-c19a75c2e536) | Attack Pattern | System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) | Attack Pattern | 2 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 2 |
| Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) | Attack Pattern | Scanning IP Blocks - T1595.001 (db8f5003-3b20-48f0-9b76-123e44208120) | Attack Pattern | 2 |
| File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) | Attack Pattern | 2 |
| Linux and Mac Permissions - T1222.002 (09b130a2-a77e-4af0-a361-f46f9aad1345) | Attack Pattern | File and Directory Permissions Modification - T1222 (65917ae0-b854-4139-83fe-bf2441cf0196) | Attack Pattern | 2 |
| Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 2 |
| Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) | Attack Pattern | Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) | Attack Pattern | 2 |
| Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Compute Hijacking - T1496.001 (a718a0c8-5768-41a1-9958-a1cc3f995e99) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Rootkit - T1014 (0f20e3cb-245b-4a61-8a91-2d93f7cb0e9b) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Container and Resource Discovery - T1613 (0470e792-32f8-46b0-a351-652bc35e9336) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Clear Command History - T1070.003 (3aef9463-9a7a-43ba-8957-a867e07c1e6a) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Container Administration Command - T1609 (7b50a1d3-4ca7-45d1-989d-a6503f04bfe1) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Escape to Host - T1611 (4a5b7ade-8bb5-4853-84ed-23f262002665) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Cloud Instance Metadata API - T1552.005 (19bf235b-8620-4997-b5b4-94e0659ed7c3) | Attack Pattern | 2 |
| Hildegard - S0601 (40a1b8ec-7295-416c-a6b1-68181d86f120) | Malware | Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) | Attack Pattern | 2 |
| Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b) | Attack Pattern | Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4) | Attack Pattern | 2 |
| MimiPenguin - S0179 (5a33468d-844d-4b1f-98c9-0e786c556b27) | mitre-tool | Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) | Attack Pattern | 2 |
| Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) | Attack Pattern | Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf) | Attack Pattern | 2 |
| Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 3 |
| LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) | Attack Pattern | OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | 3 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) | Attack Pattern | 3 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) | Attack Pattern | 3 |
| Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 3 |
| Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 3 |
| Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) | Attack Pattern | Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) | Attack Pattern | 3 |
| OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) | Attack Pattern | LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) | Attack Pattern | 3 |
| Container API - T1552.007 (f8ef3a62-3f44-40a4-abca-761ab235c436) | Attack Pattern | Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) | Attack Pattern | 3 |
| Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65) | Attack Pattern | Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) | Attack Pattern | 3 |
| Application Access Token - T1550.001 (f005e783-57d4-4837-88ad-dbe7faee1c51) | Attack Pattern | Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) | Attack Pattern | 3 |
| Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) | Attack Pattern | Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) | Attack Pattern | 3 |
| Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) | Attack Pattern | Dynamic Linker Hijacking - T1574.006 (633a100c-b2c9-41bf-9be5-905c1b16c825) | Attack Pattern | 3 |