
Hildegard

Hildegard is malware that targets misconfigured kubelets for initial access and runs cryptocurrency miner operations. The malware was first observed in January 2021. The TeamTNT activity group is believed to be behind Hildegard. (Citation: Unit 42 Hildegard Malware)
ID: S0601
Type: MALWARE
Platforms: Windows
Version: 1.1
Created: 07 Apr 2021
Last Modified: 16 Oct 2021

Techniques Used

Domain ID Name Use

Enterprise T1059.004 Command and Scripting Interpreter: Unix Shell
Hildegard has used shell scripts for execution. (Citation: Unit 42 Hildegard Malware)

Enterprise T1136.001 Create Account: Local Account
Hildegard has created a user named "monerodaemon". (Citation: Unit 42 Hildegard Malware)

Enterprise T1543.002 Create or Modify System Process: Systemd Service
Hildegard has started a monero service. (Citation: Unit 42 Hildegard Malware)

Enterprise T1574.006 Hijack Execution Flow: Dynamic Linker Hijacking
Hildegard has modified /etc/ld.so.preload to intercept shared library import functions. (Citation: Unit 42 Hildegard Malware)

Enterprise T1562.001 Impair Defenses: Disable or Modify Tools
Hildegard has modified DNS resolvers to evade DNS monitoring tools. (Citation: Unit 42 Hildegard Malware)

Enterprise T1070.003 Indicator Removal: Clear Command History
Hildegard has used history -c to clear script shell logs. (Citation: Unit 42 Hildegard Malware)

Enterprise T1070.004 Indicator Removal: File Deletion
Hildegard has deleted scripts after execution. (Citation: Unit 42 Hildegard Malware)

Enterprise T1036.004 Masquerading: Masquerade Task or Service
Hildegard has disguised itself as a known Linux process. (Citation: Unit 42 Hildegard Malware)

Enterprise T1027.002 Obfuscated Files or Information: Software Packing
Hildegard has packed ELF files into other binaries. (Citation: Unit 42 Hildegard Malware)

Enterprise T1552.001 Unsecured Credentials: Credentials In Files
Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens. (Citation: Unit 42 Hildegard Malware)

Enterprise T1552.004 Unsecured Credentials: Private Keys
Hildegard has searched for private keys in .ssh. (Citation: Unit 42 Hildegard Malware)

Enterprise T1552.005 Unsecured Credentials: Cloud Instance Metadata API
Hildegard has queried the Cloud Instance Metadata API for cloud credentials. (Citation: Unit 42 Hildegard Malware)

Groups That Use This Software

ID Name References

G0139 TeamTNT (Citation: Unit 42 Hildegard Malware)
