Куда я попал?
SECURITM это SGRC система, ? автоматизирующая процессы в службах информационной безопасности. SECURITM помогает построить и управлять ИСПДн, КИИ, ГИС, СМИБ/СУИБ, банковскими системами защиты.
А еще SECURITM это место для обмена опытом и наработками для служб безопасности.

Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)
ID: S0601
Type: MALWARE
Platforms: Windows
Version: 1.2
Created: 07 Apr 2021
Last Modified: 11 Apr 2024

Techniques Used

Domain ID Name Use
Enterprise T1059 .004 Command and Scripting Interpreter: Unix Shell

Hildegard has used shell scripts for execution.(Citation: Unit 42 Hildegard Malware)

Enterprise T1136 .001 Create Account: Local Account

Hildegard has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware)

Enterprise T1543 .002 Create or Modify System Process: Systemd Service

Hildegard has started a monero service.(Citation: Unit 42 Hildegard Malware)

Enterprise T1574 .006 Hijack Execution Flow: Dynamic Linker Hijacking

Hildegard has modified /etc/ld.so.preload to intercept shared library import functions.(Citation: Unit 42 Hildegard Malware)

Enterprise T1562 .001 Impair Defenses: Disable or Modify Tools

Hildegard has modified DNS resolvers to evade DNS monitoring tools.(Citation: Unit 42 Hildegard Malware)

Enterprise T1070 .003 Indicator Removal: Clear Command History

Hildegard has used history -c to clear script shell logs.(Citation: Unit 42 Hildegard Malware)

.004 Indicator Removal: File Deletion

Hildegard has deleted scripts after execution.(Citation: Unit 42 Hildegard Malware)

Enterprise T1036 .004 Masquerading: Masquerade Task or Service

Hildegard has disguised itself as a known Linux process.(Citation: Unit 42 Hildegard Malware)

Enterprise T1027 .002 Obfuscated Files or Information: Software Packing

Hildegard has packed ELF files into other binaries.(Citation: Unit 42 Hildegard Malware)

.013 Obfuscated Files or Information: Encrypted/Encoded File

Hildegard has encrypted an ELF file.(Citation: Unit 42 Hildegard Malware)

Enterprise T1496 .001 Resource Hijacking: Compute Hijacking

Hildegard has used xmrig to mine cryptocurrency.(Citation: Unit 42 Hildegard Malware)

Enterprise T1552 .001 Unsecured Credentials: Credentials In Files

Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.(Citation: Unit 42 Hildegard Malware)

.004 Unsecured Credentials: Private Keys

Hildegard has searched for private keys in .ssh.(Citation: Unit 42 Hildegard Malware)

.005 Unsecured Credentials: Cloud Instance Metadata API

Hildegard has queried the Cloud Instance Metadata API for cloud credentials.(Citation: Unit 42 Hildegard Malware)

Groups That Use This Software

ID Name References
G0139 TeamTNT

(Citation: Unit 42 Hildegard Malware)

Мы используем cookie-файлы, чтобы получить статистику, которая помогает нам улучшить сервис для вас с целью персонализации сервисов и предложений. Вы может прочитать подробнее о cookie-файлах или изменить настройки браузера. Продолжая пользоваться сайтом, вы даёте согласие на использование ваших cookie-файлов и соглашаетесь с Политикой обработки персональных данных.