Domain | ID | Name | Use
enterprise | T1071 | Application Layer Protocol | Hildegard has used an IRC channel for C2 communications.
enterprise | T1059 | Command and Scripting Interpreter | -
enterprise | T1059.004 | Unix Shell | Hildegard has used shell scripts for execution.
enterprise | T1609 | Container Administration Command | Hildegard was executed through the kubelet API run command and by executing commands on running containers.
enterprise | T1613 | Container and Resource Discovery | Hildegard has used masscan to search for kubelets and has queried the kubelet API for additional running containers.
enterprise | T1136 | Create Account | -
enterprise | T1136.001 | Local Account | Hildegard has created a user named "monerodaemon".
enterprise | T1543 | Create or Modify System Process | -
enterprise | T1543.002 | Systemd Service | Hildegard has started a Monero miner as a systemd service.
enterprise | T1140 | Deobfuscate/Decode Files or Information | Hildegard has decrypted AES-encrypted ELF files.
enterprise | T1611 | Escape to Host | Hildegard has used the BOtB tool, which can break out of containers.
enterprise | T1068 | Exploitation for Privilege Escalation | Hildegard has used the BOtB tool, which exploits CVE-2019-5736.
enterprise | T1133 | External Remote Services | Hildegard was executed through an unsecured kubelet that allowed anonymous access to the victim environment.
enterprise | T1574 | Hijack Execution Flow | -
enterprise | T1574.006 | Dynamic Linker Hijacking | Hildegard has modified /etc/ld.so.preload to intercept shared library functions.
enterprise | T1562 | Impair Defenses | -
enterprise | T1562.001 | Disable or Modify Tools | Hildegard has modified DNS resolvers to evade DNS monitoring tools.
enterprise | T1070 | Indicator Removal | -
enterprise | T1070.003 | Clear Command History | Hildegard has used history -c to clear the shell command history.
enterprise | T1070.004 | File Deletion | Hildegard has deleted scripts after execution.
enterprise | T1105 | Ingress Tool Transfer | Hildegard has downloaded additional scripts that build and run Monero cryptocurrency miners.
enterprise | T1036 | Masquerading | -
enterprise | T1036.004 | Masquerade Task or Service | Hildegard has disguised itself as a known Linux process.
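A process that renames itself after a known Linux process (T1036.004) still leaves two artifacts in /proc that the name cannot fake: kernel threads have no readable /proc/PID/exe link, and a genuine daemon's exe resolves to a fixed system path. The check below compares /proc/PID/comm with /proc/PID/exe on those two points. It is an added example, not code from the ATT&CK entry or from the Hildegard samples; the kernel-thread name pattern, the expected binary paths (which vary by distribution) and the process table it runs on are constructed assumptions.

```python
"""Flag user-space processes that carry the name of a known Linux process."""
import os
import re

# Names that belong to kernel threads; a real kernel thread has no exe link.
# Constructed pattern, not an exhaustive list.
KERNEL_THREAD_RE = re.compile(r"^(kworker/|ksoftirqd/|kthreadd$|migration/|rcu_|kswapd|bioset|jbd2/)")

# Where the genuine binary of each daemon lives. Assumed paths; adjust per distribution.
EXPECTED_EXE = {
    "systemd": "/usr/lib/systemd/systemd",
    "sshd": "/usr/sbin/sshd",
    "dockerd": "/usr/bin/dockerd",
    "kubelet": "/usr/bin/kubelet",
}

# Directories from which no legitimate daemon should be executing.
SUSPECT_DIRS = ("/tmp/", "/dev/shm/", "/var/tmp/")


def read_proc_table():
    """Yield (pid, comm, exe) from the live /proc; exe is None when the link is unreadable."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            with open(f"/proc/{name}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited or is not readable
        try:
            exe = os.readlink(f"/proc/{name}/exe")
        except OSError:
            exe = None  # kernel thread, or no permission for another user's process
        yield int(name), comm, exe


def find_masquerades(proc_table):
    """Return (pid, comm, exe, reason) for every process whose name and binary disagree."""
    findings = []
    for pid, comm, exe in proc_table:
        if KERNEL_THREAD_RE.match(comm) and exe is not None:
            findings.append((pid, comm, exe, "kernel-thread name on a user-space binary"))
        elif comm in EXPECTED_EXE and exe is not None:
            expected = EXPECTED_EXE[comm]
            deleted = exe.endswith(" (deleted)")  # binary replaced or removed after start
            if exe.split(" (deleted)")[0] != expected or deleted:
                findings.append((pid, comm, exe, f"expected {expected}"))
        elif exe and exe.startswith(SUSPECT_DIRS):
            findings.append((pid, comm, exe, "binary in a temp directory"))
    return findings


# Constructed process table for an offline run (not captured from a real host).
SAMPLE_TABLE = [
    (1, "systemd", "/usr/lib/systemd/systemd"),
    (2, "kthreadd", None),
    (17, "kworker/0:1", None),
    (812, "sshd", "/usr/sbin/sshd"),
    (4101, "kworker/1:2", "/tmp/.x/xmrig"),          # miner renamed to look like a kernel thread
    (4188, "sshd", "/dev/shm/.s/sshd"),               # right name, wrong location
    (4201, "dockerd", "/usr/bin/dockerd (deleted)"),  # on-disk binary swapped after launch
]

if __name__ == "__main__":
    for finding in find_masquerades(read_proc_table()):
        print(*finding)
```

Note that comm is truncated to 15 characters by the kernel, so longer daemon names must be keyed by their truncated form, and that readlink on /proc/PID/exe needs root (or the same uid) for processes you do not own; a None exe for a non-kernel name is therefore a permission gap, not a clean result.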
enterprise | T1046 | Network Service Discovery | Hildegard has used masscan to look for kubelets in the internal Kubernetes network.
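The kubelet rows above (T1609, T1613, T1133 and T1046) describe one exposure: a kubelet whose API accepts anonymous requests and authorizes everything, so that anyone who can reach port 10250 can list pods and run commands in containers. The audit below checks a KubeletConfiguration for that state and shows the hardened form beside it. It is an added example, not code from the ATT&CK entry or from the Hildegard samples; it assumes the configuration is available in the JSON form of the kubelet.config.k8s.io/v1beta1 schema, and the defaults it applies for omitted fields (anonymous off, webhook on, authorization Webhook, read-only port 0) are the documented config-file defaults as assumed here, not the older command-line flag defaults. Both configurations are constructed samples.

```python
"""Audit a KubeletConfiguration for anonymous, unauthorized API access."""
import json
import sys

# Constructed sample: the weak state Hildegard abused. Anonymous callers are
# accepted, every request is authorized, and the read-only port is open.
WEAK_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {
        "anonymous": {"enabled": True},
        "webhook": {"enabled": False},
    },
    "authorization": {"mode": "AlwaysAllow"},
    "readOnlyPort": 10255,
})

# Constructed sample: the hardened state. Clients must present a cert signed
# by the cluster CA or a token the API server validates, and every request
# is authorized through SubjectAccessReview.
HARDENED_CONFIG = json.dumps({
    "kind": "KubeletConfiguration",
    "apiVersion": "kubelet.config.k8s.io/v1beta1",
    "authentication": {
        "anonymous": {"enabled": False},
        "webhook": {"enabled": True},
        "x509": {"clientCAFile": "/etc/kubernetes/pki/ca.crt"},
    },
    "authorization": {"mode": "Webhook"},
    "readOnlyPort": 0,
})


def audit_kubelet_config(text):
    """Return finding codes for a kubelet config; an empty list means acceptable."""
    cfg = json.loads(text)
    auth = cfg.get("authentication", {})
    # Defaults for omitted fields are the assumed v1beta1 config-file defaults.
    anonymous = auth.get("anonymous", {}).get("enabled", False)
    webhook = auth.get("webhook", {}).get("enabled", True)
    client_ca = auth.get("x509", {}).get("clientCAFile", "")
    mode = cfg.get("authorization", {}).get("mode", "Webhook")
    read_only_port = cfg.get("readOnlyPort", 0)

    findings = []
    if anonymous:
        findings.append("anonymous-auth")      # unauthenticated callers become system:anonymous
    if mode == "AlwaysAllow":
        findings.append("always-allow")        # /run and /exec allowed for whoever authenticates
    if read_only_port:
        findings.append("read-only-port")      # /pods and /spec readable with no auth at all
    if not webhook and not client_ca:
        findings.append("no-authenticator")    # nothing left that can authenticate a client
    return findings


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/kubelet/config.yaml"
    with open(path) as f:
        print(audit_kubelet_config(f.read()) or "ok")
```

The script parses JSON only; most kubelets ship the same schema as YAML, so convert first (for example with a YAML library) or point it at a JSON copy. Fixing the configuration closes the run path, but the kubelet port itself should still be unreachable from pods and from outside the node, which is what the masscan step was testing.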
enterprise | T1027 | Obfuscated Files or Information | Hildegard has encrypted an ELF file.
enterprise | T1027.002 | Software Packing | Hildegard has packed ELF files into other binaries.
enterprise | T1219 | Remote Access Software | Hildegard has established tmate sessions for C2 communications.
enterprise | T1496 | Resource Hijacking | Hildegard has used xmrig to mine cryptocurrency.
enterprise | T1014 | Rootkit | Hildegard has modified /etc/ld.so.preload to hook readdir() and readdir64().
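The T1574.006 and T1014 rows describe the same mechanism: a library listed in /etc/ld.so.preload is loaded into every dynamically linked process, and its readdir()/readdir64() replacements drop the entries the attacker wants hidden from any directory listing. A hook at that layer filters listings only; a direct lstat() of a name still succeeds, so listing /proc through readdir and probing pid numbers directly disagree exactly on a hidden process. The hunt below does both, and also reports any library the preload file names at all, since a clean host has an empty or absent file. It is an added example, not code from the ATT&CK entry or from the Hildegard samples; the injectable listdir/exists callables and the fake filesystem exist only so it can be exercised offline, and the library path and pids in that fake data are constructed.

```python
"""Hunt for an ld.so.preload rootkit that hides directory entries."""
import os

LD_PRELOAD_FILE = "/etc/ld.so.preload"


def audit_ld_preload(text, allowlist=()):
    """Libraries named in ld.so.preload that are not on the allowlist (the file is whitespace-separated)."""
    return [lib for lib in text.split() if lib not in allowlist]


def hidden_entries(directory, candidates, listdir=os.listdir, exists=os.path.lexists):
    """Names a direct lstat() confirms exist but the readdir()-based listing omits."""
    visible = set(listdir(directory))
    return sorted(n for n in candidates if n not in visible and exists(os.path.join(directory, n)))


def hidden_pids(listdir=os.listdir, exists=os.path.lexists, pid_max=None):
    """Brute-force /proc/<pid> for processes that readdir() does not report."""
    if pid_max is None:
        with open("/proc/sys/kernel/pid_max") as f:
            pid_max = int(f.read())
    candidates = [str(p) for p in range(1, pid_max + 1)]
    return [int(p) for p in hidden_entries("/proc", candidates, listdir, exists)]


# Constructed fake filesystem: what readdir() shows versus what really exists.
FAKE_LISTING = {"/proc": ["1", "2", "812"], "/tmp/.x": ["run.sh"]}
FAKE_EXISTS = {"/proc/1", "/proc/2", "/proc/812", "/proc/4101", "/tmp/.x/run.sh", "/tmp/.x/xmrig"}


def fake_listdir(directory):
    return list(FAKE_LISTING[directory])


def fake_exists(path):
    return path in FAKE_EXISTS


if __name__ == "__main__":
    # Live run: read the preload file with the low-level open() to sidestep
    # stdio-level hooks, then compare /proc against a direct pid probe.
    try:
        fd = os.open(LD_PRELOAD_FILE, os.O_RDONLY)
        with os.fdopen(fd) as f:
            print("preloaded:", audit_ld_preload(f.read()))
    except FileNotFoundError:
        print("preloaded: none")
    print("hidden pids:", hidden_pids())
```

Two caveats apply. A rootkit that also hooks stat-family and open-family calls defeats this comparison from inside the box; run the same check from a statically linked binary or from the host namespace when that is suspected. And on a host with a large pid_max the pid probe issues millions of lstat() calls, so expect it to take a few seconds.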
enterprise | T1082 | System Information Discovery | Hildegard has collected the host's OS, CPU, and memory information.
enterprise | T1552 | Unsecured Credentials | -
enterprise | T1552.001 | Credentials In Files | Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.
enterprise | T1552.004 | Private Keys | Hildegard has searched for private keys in .ssh.
enterprise | T1552.005 | Cloud Instance Metadata API | Hildegard has queried the Cloud Instance Metadata API for cloud credentials.
enterprise | T1102 | Web Service | Hildegard has downloaded scripts from GitHub.