TeamTNT, Group G0139 | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href='/theme/favicon.ico' type='image/x-icon'> <title>TeamTNT, Group G0139 | MITRE ATT&CK®</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href='/theme/style/bootstrap.min.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-tourist.css' /> <link rel='stylesheet' href='/theme/style/bootstrap-select.min.css' /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
<div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> TeamTNT </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p><a href="/groups/G0139">TeamTNT</a> is a threat group that has primarily targeted cloud and containerized environments. 
The group has been active since at least October 2019 and has mainly focused its efforts on leveraging cloud and container resources to deploy cryptocurrency miners in victim environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021."data-reference="Palo Alto Black-T October 2020"><sup><a href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024."data-reference="Lacework TeamTNT May 2021"><sup><a href="https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. 
Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. 
Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021."data-reference="Intezer TeamTNT Explosion September 2021"><sup><a href="https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">ID: </span>G0139 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Contributors</span>: Will Thomas, Cyjax; Darin Smith, Cisco </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Version</span>: 1.3 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Created: </span>01 October 2021 </div> </div> <div class="row card-data"> <div class="col-md-12"> <span class="h5 card-title">Last Modified: </span>16 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button live"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of G0139" href="/versions/v16/groups/G0139/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of G0139" href="/versions/v16/groups/G0139/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 
float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&CK<sup>®</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/groups/G0139/G0139-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/theme/images/external-site-dark.jpeg"></a> <script src="/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "groups/G0139/G0139-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1098">T1098</a> </td> <td> <a href="/techniques/T1098/004">.004</a> </td> <td> <a href="/techniques/T1098">Account Manipulation</a>: <a href="/techniques/T1098/004">SSH Authorized Keys</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has added 
RSA keys in <code>authorized_keys</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1583">T1583</a> </td> <td> <a href="/techniques/T1583/001">.001</a> </td> <td> <a href="/techniques/T1583">Acquire Infrastructure</a>: <a href="/techniques/T1583/001">Domains</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has obtained domains to host their payloads.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. 
Retrieved September 22, 2021."data-reference="Palo Alto Black-T October 2020"><sup><a href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1595">T1595</a> </td> <td> <a href="/techniques/T1595/001">.001</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/001">Scanning IP Blocks</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has scanned specific lists of target IP addresses.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1595/002">.002</a> </td> <td> <a href="/techniques/T1595">Active Scanning</a>: <a href="/techniques/T1595/002">Vulnerability Scanning</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1071">T1071</a> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used an IRC bot for C2 communications.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1071/001">.001</a> </td> <td> <a href="/techniques/T1071/001">Web Protocols</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used the <code>curl</code> command to send credentials over HTTP and the <code>curl</code> and <code>wget</code> commands to download new software.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. 
Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also used a custom user agent HTTP header in shell scripts.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1547">T1547</a> </td> <td> <a href="/techniques/T1547/001">.001</a> </td> <td> <a href="/techniques/T1547">Boot or Logon Autostart Execution</a>: <a href="/techniques/T1547/001">Registry Run Keys / Startup Folder</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has added batch scripts to the startup folder.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1059">T1059</a> </td> <td> <a href="/techniques/T1059/001">.001</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/001">PowerShell</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has executed PowerShell commands in batch scripts.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. 
Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/003">.003</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/003">Windows Command Shell</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used batch scripts to download tools and execute cryptocurrency miners.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/004">.004</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/004">Unix Shell</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used shell scripts for execution.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1059/009">.009</a> </td> <td> <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/009">Cloud API</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has leveraged AWS CLI to enumerate cloud environments with compromised credentials.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022."data-reference="Talos TeamTNT"><sup><a href="https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1609">T1609</a> </td> <td> <a href="/techniques/T1609">Container Administration Command</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> executed <a href="/software/S0601">Hildegard</a> through the kubelet API run command and by executing commands on running containers.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). 
Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1613">T1613</a> </td> <td> <a href="/techniques/T1613">Container and Resource Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has checked for running containers with <code>docker ps</code> and for specific container names with <code>docker inspect</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also searched for Kubernetes pods running in a local network.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1136">T1136</a> </td> <td> <a href="/techniques/T1136/001">.001</a> </td> <td> <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has created local privileged users on victim machines.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1543">T1543</a> </td> <td> <a href="/techniques/T1543/002">.002</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/002">Systemd Service</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has established persistence through the creation of a cryptocurrency mining system service using <code>systemctl</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1543/003">.003</a> </td> <td> <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/003">Windows Service</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used malware that adds cryptocurrency miners as a service.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1074">T1074</a> </td> <td> <a href="/techniques/T1074/001">.001</a> </td> <td> <a href="/techniques/T1074">Data Staged</a>: <a href="/techniques/T1074/001">Local Data Staging</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has aggregated collected credentials in text files before exfiltrating.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. 
(2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1140">T1140</a> </td> <td> <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used a script that decodes a Base64-encoded version of WeaveWorks Scope.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1610">T1610</a> </td> <td> <a href="/techniques/T1610">Deploy Container</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has deployed different types of containers into victim environments to facilitate execution.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. 
(n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1587">T1587</a> </td> <td> <a href="/techniques/T1587/001">.001</a> </td> <td> <a href="/techniques/T1587">Develop Capabilities</a>: <a href="/techniques/T1587/001">Malware</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has developed custom malware such as <a href="/software/S0601">Hildegard</a>.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. 
Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1611">T1611</a> </td> <td> <a href="/techniques/T1611">Escape to Host</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has deployed privileged containers that mount the filesystem of the victim machine.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1048">T1048</a> </td> <td> <a href="/techniques/T1048">Exfiltration Over Alternative Protocol</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has sent locally staged files with collected credentials to C2 servers using cURL.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). 
TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1133">T1133</a> </td> <td> <a href="/techniques/T1133">External Remote Services</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also targeted exposed kubelets for Kubernetes environments.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. 
Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1083">T1083</a> </td> <td> <a href="/techniques/T1083">File and Directory Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used a script that checks <code>/proc/*/environ</code> for environment variables related to AWS.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1222">T1222</a> </td> <td> <a href="/techniques/T1222/002">.002</a> </td> <td> <a href="/techniques/T1222">File and Directory Permissions Modification</a>: <a href="/techniques/T1222/002">Linux and Mac File and Directory Permissions Modification</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has modified the permissions on binaries with <code>chattr</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1562">T1562</a> </td> <td> <a href="/techniques/T1562/001">.001</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1562/004">.004</a> </td> <td> <a href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/004">Disable or Modify System Firewall</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has disabled <code>iptables</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1070">T1070</a> </td> <td> <a href="/techniques/T1070/002">.002</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/002">Clear Linux or Mac System Logs</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has removed system logs from <code>/var/log/syslog</code>.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. 
Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/003">.003</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/003">Clear Command History</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has cleared command history with <code>history -c</code>.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1070/004">.004</a> </td> <td> <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used a payload that removes itself after running. 
<a href="/groups/G0139">TeamTNT</a> has also deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1105">T1105</a> </td> <td> <a href="/techniques/T1105">Ingress Tool Transfer</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used the <code>curl</code> and <code>wget</code> commands as well as batch scripts to download new tools.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). 
TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1036">T1036</a> </td> <td> <a href="/techniques/T1036">Masquerading</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has disguised their scripts with docker-related file names.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1036/005">.005</a> </td> <td> <a href="/techniques/T1036/005">Match Legitimate Name or Location</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1046">T1046</a> </td> <td> <a href="/techniques/T1046">Network Service Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used masscan to search for open Docker API ports and Kubernetes clusters.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021."data-reference="Palo Alto Black-T October 2020"><sup><a href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1027">T1027</a> </td> <td> <a href="/techniques/T1027/002">.002</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used UPX and Ezuri packer to pack its binaries.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1027/013">.013</a> </td> <td> <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has encrypted its binaries via AES and encoded files using Base64.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1120">T1120</a> </td> <td> <a href="/techniques/T1120">Peripheral Device Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for attached VGA devices using lspci.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). 
TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1057">T1057</a> </td> <td> <a href="/techniques/T1057">Process Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for rival malware and removed it if found.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1219">T1219</a> </td> <td> <a href="/techniques/T1219">Remote Access Software</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has established tmate sessions for C2 communications.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1021">T1021</a> </td> <td> <a href="/techniques/T1021/004">.004</a> </td> <td> <a href="/techniques/T1021">Remote Services</a>: <a href="/techniques/T1021/004">SSH</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used SSH to connect back to victim machines.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. 
Retrieved September 22, 2021."data-reference="Intezer TeamTNT September 2020"><sup><a href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also used SSH to transfer tools and payloads onto victim hosts and execute them.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1496">T1496</a> </td> <td> <a href="/techniques/T1496/001">.001</a> </td> <td> <a href="/techniques/T1496">Resource Hijacking</a>: <a href="/techniques/T1496/001">Compute Hijacking</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has deployed XMRig Docker images to mine cryptocurrency.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024."data-reference="Lacework TeamTNT May 2021"><sup><a href="https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. 
Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1014">T1014</a> </td> <td> <a href="/techniques/T1014">Rootkit</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1518">T1518</a> </td> <td> <a href="/techniques/T1518/001">.001</a> </td> <td> <a href="/techniques/T1518">Software Discovery</a>: <a href="/techniques/T1518/001">Security Software Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for security products on infected machines.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1608">T1608</a> </td> <td> <a href="/techniques/T1608/001">.001</a> </td> <td> <a href="/techniques/T1608">Stage Capabilities</a>: <a href="/techniques/T1608/001">Upload Malware</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has uploaded backdoored Docker images to Docker Hub.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024."data-reference="Lacework TeamTNT May 2021"><sup><a href="https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1082">T1082</a> </td> <td> <a href="/techniques/T1082">System Information Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for system version, architecture, disk partition, logical volume, and hostname information.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). 
TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1016">T1016</a> </td> <td> <a href="/techniques/T1016">System Network Configuration Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has enumerated the host machine’s IP address.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1049">T1049</a> </td> <td> <a href="/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has run <code>netstat -anp</code> to search for rival malware connections.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> <a href="/groups/G0139">TeamTNT</a> has also used <code>libprocesshider</code> to modify <code>/etc/ld.so.preload</code>.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1007">T1007</a> </td> <td> <a href="/techniques/T1007">System Service Discovery</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1569">T1569</a> </td> <td> <a href="/techniques/T1569">System Services</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has created system services to execute cryptocurrency mining software.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1552">T1552</a> </td> <td> <a href="/techniques/T1552/001">.001</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for unsecured AWS credentials and Docker API credentials.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). 
Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/004">.004</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has searched for unsecured SSH keys.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021."data-reference="Cado Security TeamTNT Worm August 2020"><sup><a href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. 
Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/techniques/T1552/005">.005</a> </td> <td> <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/005">Cloud Instance Metadata API</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has queried the AWS instance metadata service for credentials.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021."data-reference="Trend Micro TeamTNT"><sup><a href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/techniques/T1204">T1204</a> </td> <td> <a href="/techniques/T1204/003">.003</a> </td> <td> <a href="/techniques/T1204">User Execution</a>: <a href="/techniques/T1204/003">Malicious Image</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has relied on users to download and execute malicious Docker images.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024."data-reference="Lacework TeamTNT May 2021"><sup><a href="https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/techniques/T1102">T1102</a> </td> <td> <a href="/techniques/T1102">Web Service</a> </td> <td> <p><a href="/groups/G0139">TeamTNT</a> has leveraged iplogger.org to send collected data back to C2.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021."data-reference="Aqua TeamTNT August 2020"><sup><a href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. 
Retrieved August 4, 2022."data-reference="Cisco Talos Intelligence Group"><sup><a href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="software">Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">References</th> <th scope="col">Techniques</th> </tr> </thead> <tbody> <tr> <td> <a href="/software/S0601">S0601</a> </td> <td> <a href="/software/S0601">Hildegard</a> </td> <td> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021."data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> </td> <td> <a href="/techniques/T1071">Application Layer Protocol</a>, <a href="/techniques/T1059">Command and Scripting Interpreter</a>: <a href="/techniques/T1059/004">Unix Shell</a>, <a href="/techniques/T1609">Container Administration Command</a>, <a href="/techniques/T1613">Container and Resource Discovery</a>, <a href="/techniques/T1136">Create Account</a>: <a href="/techniques/T1136/001">Local Account</a>, <a href="/techniques/T1543">Create or Modify System Process</a>: <a href="/techniques/T1543/002">Systemd Service</a>, <a href="/techniques/T1140">Deobfuscate/Decode Files or Information</a>, <a href="/techniques/T1611">Escape to Host</a>, <a href="/techniques/T1068">Exploitation for Privilege Escalation</a>, <a href="/techniques/T1133">External Remote Services</a>, <a href="/techniques/T1574">Hijack Execution Flow</a>: <a href="/techniques/T1574/006">Dynamic Linker Hijacking</a>, <a 
href="/techniques/T1562">Impair Defenses</a>: <a href="/techniques/T1562/001">Disable or Modify Tools</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/004">File Deletion</a>, <a href="/techniques/T1070">Indicator Removal</a>: <a href="/techniques/T1070/003">Clear Command History</a>, <a href="/techniques/T1105">Ingress Tool Transfer</a>, <a href="/techniques/T1036">Masquerading</a>: <a href="/techniques/T1036/004">Masquerade Task or Service</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/002">Software Packing</a>, <a href="/techniques/T1027">Obfuscated Files or Information</a>: <a href="/techniques/T1027/013">Encrypted/Encoded File</a>, <a href="/techniques/T1219">Remote Access Software</a>, <a href="/techniques/T1496">Resource Hijacking</a>: <a href="/techniques/T1496/001">Compute Hijacking</a>, <a href="/techniques/T1014">Rootkit</a>, <a href="/techniques/T1082">System Information Discovery</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/004">Private Keys</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/005">Cloud Instance Metadata API</a>, <a href="/techniques/T1102">Web Service</a> </td> </tr> <tr> <td> <a href="/software/S0349">S0349</a> </td> <td> <a href="/software/S0349">LaZagne</a> </td> <td> <span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. 
Retrieved September 22, 2021."data-reference="ATT TeamTNT Chimaera September 2020"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </td> <td> <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/004">Windows Credential Manager</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/003">Credentials from Web Browsers</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>, <a href="/techniques/T1555">Credentials from Password Stores</a>: <a href="/techniques/T1555/001">Keychain</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/004">LSA Secrets</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/008">/etc/passwd and /etc/shadow</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/001">LSASS Memory</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/005">Cached Domain Credentials</a>, <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/007">Proc Filesystem</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/001">Credentials In Files</a> </td> </tr> <tr> <td> <a href="/software/S0179">S0179</a> </td> <td> <a href="/software/S0179">MimiPenguin</a> </td> <td> <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. 
Retrieved September 22, 2021."data-reference="Palo Alto Black-T October 2020"><sup><a href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> </td> <td> <a href="/techniques/T1003">OS Credential Dumping</a>: <a href="/techniques/T1003/007">Proc Filesystem</a> </td> </tr> <tr> <td> <a href="/software/S0683">S0683</a> </td> <td> <a href="/software/S0683">Peirates</a> </td> <td> <span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Nathaniel Quist. (2021, June 4). TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations. Retrieved February 8, 2022."data-reference="TeamTNT Cloud Enumeration"><sup><a href="https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> </td> <td> <a href="/techniques/T1619">Cloud Storage Object Discovery</a>, <a href="/techniques/T1609">Container Administration Command</a>, <a href="/techniques/T1613">Container and Resource Discovery</a>, <a href="/techniques/T1530">Data from Cloud Storage</a>, <a href="/techniques/T1610">Deploy Container</a>, <a href="/techniques/T1611">Escape to Host</a>, <a href="/techniques/T1046">Network Service Discovery</a>, <a href="/techniques/T1528">Steal Application Access Token</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/007">Container API</a>, <a href="/techniques/T1552">Unsecured Credentials</a>: <a href="/techniques/T1552/005">Cloud Instance Metadata API</a>, <a href="/techniques/T1550">Use Alternate Authentication Material</a>: <a href="/techniques/T1550/001">Application Access Token</a>, <a href="/techniques/T1078">Valid Accounts</a>: <a href="/techniques/T1078/004">Cloud Accounts</a> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> 
<span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://unit42.paloaltonetworks.com/black-t-cryptojacking-variant/" target="_blank"> Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.lacework.com/blog/taking-teamtnt-docker-images-offline" target="_blank"> Stroud, J. (2021, May 25). Taking TeamTNT's Docker Images Offline. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.intezer.com/blog/cloud-security/attackers-abusing-legitimate-cloud-monitoring-tools-to-conduct-cyber-attacks/" target="_blank"> Fishbein, N. (2020, September 8). Attackers Abusing Legitimate Cloud Monitoring Tools to Conduct Cyber Attacks. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.cadosecurity.com/team-tnt-the-first-crypto-mining-worm-to-steal-aws-credentials/" target="_blank"> Cado Security. (2020, August 16). Team TNT – The First Crypto-Mining Worm to Steal AWS Credentials. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://documents.trendmicro.com/assets/white_papers/wp-tracking-the-activities-of-teamTNT.pdf" target="_blank"> Fiser, D. Oliveira, A. (n.d.). Tracking the Activities of TeamTNT A Closer Look at a Cloud-Focused Malicious Actor Group. Retrieved September 22, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="7"> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://cybersecurity.att.com/blogs/labs-research/teamtnt-with-new-campaign-aka-chimaera" target="_blank"> AT&T Alien Labs. (2021, September 8). TeamTNT with new campaign aka Chimaera. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://blog.aquasec.com/container-security-tnt-container-attack" target="_blank"> Kol, Roi. Morag, A. (2020, August 25). Deep Analysis of TeamTNT Techniques Using Container Images to Attack. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.intezer.com/wp-content/uploads/2021/09/TeamTNT-Cryptomining-Explosion.pdf" target="_blank"> Intezer. (2021, September 1). TeamTNT Cryptomining Explosion. Retrieved October 15, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://blog.talosintelligence.com/teamtnt-targeting-aws-alibaba-2/" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved August 4, 2022. 
</a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://blog.talosintelligence.com/2022/04/teamtnt-targeting-aws-alibaba.html" target="_blank"> Darin Smith. (2022, April 21). TeamTNT targeting AWS, Alibaba. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://unit42.paloaltonetworks.com/teamtnt-operations-cloud-environments" target="_blank"> Nathaniel Quist. (2021, June 4). TeamTNT Actively Enumerating Cloud Environments to Infiltrate Organizations. Retrieved February 8, 2022. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> </div> </div> <!--stopindex--> </div> </body> </html>