{"description": "Enterprise techniques used by TeamTNT, ATT&CK group G0139 (v1.3)", "name": "TeamTNT (G0139)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"}, "techniques": [{"techniqueID": "T1098", "showSubtechniques": true}, {"techniqueID": "T1098.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has added RSA keys in authorized_keys.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1583", "showSubtechniques": true}, {"techniqueID": "T1583.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has obtained domains to host their payloads.(Citation: Palo Alto Black-T October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1595", "showSubtechniques": true}, {"techniqueID": "T1595.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has scanned specific lists of target IP addresses.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1595.002", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has scanned for vulnerabilities in IoT devices and other related resources such as the Docker API.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used an IRC bot for C2 communications.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1071.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used the `curl` command to send credentials over HTTP and the `curl` and `wget` commands to download new software.(Citation: Intezer TeamTNT September 2020)(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Cisco Talos Intelligence Group) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used a custom user agent HTTP header in shell scripts.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1547", "showSubtechniques": true}, {"techniqueID": "T1547.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has added batch scripts to the startup folder.(Citation: ATT TeamTNT Chimaera September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059", "showSubtechniques": true}, {"techniqueID": "T1059.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has executed PowerShell commands in batch scripts.(Citation: ATT TeamTNT Chimaera September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.003", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used batch scripts to download tools and execute cryptocurrency miners.(Citation: ATT TeamTNT Chimaera September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used shell scripts for execution.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1059.009", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged AWS CLI to enumerate cloud environments with compromised credentials.(Citation: Talos TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1609", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) executed [Hildegard](https://attack.mitre.org/software/S0601) through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1613", "comment": 
"[TeamTNT](https://attack.mitre.org/groups/G0139) has checked for running containers with docker ps and for specific container names with docker inspect.(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also searched for Kubernetes pods running in a local network.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1136", "showSubtechniques": true}, {"techniqueID": "T1136.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has created local privileged users on victim machines.(Citation: Intezer TeamTNT September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543", "showSubtechniques": true}, {"techniqueID": "T1543.002", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has established persistence through the creation of a cryptocurrency mining system service using systemctl.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1543.003", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used malware that adds cryptocurrency miners as a service.(Citation: ATT TeamTNT Chimaera September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1074", "showSubtechniques": true}, {"techniqueID": "T1074.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has aggregated collected credentials in text files before exfiltrating.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1140", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used a script that decodes a Base64-encoded version of WeaveWorks Scope.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1610", "comment": 
"[TeamTNT](https://attack.mitre.org/groups/G0139) has deployed different types of containers into victim environments to facilitate execution.(Citation: Intezer TeamTNT September 2020)(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also transferred cryptocurrency mining software to Kubernetes clusters discovered within local IP address ranges.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1587", "showSubtechniques": true}, {"techniqueID": "T1587.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has developed custom malware such as [Hildegard](https://attack.mitre.org/software/S0601).(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1611", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has deployed privileged containers that mount the filesystem of the victim machine.(Citation: Intezer TeamTNT September 2020)(Citation: Aqua TeamTNT August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1048", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has sent locally staged files with collected credentials to C2 servers using cURL.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1133", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used open-source tools such as Weave Scope to target exposed Docker API ports and gain initial access to victim environments.(Citation: Intezer TeamTNT September 2020)(Citation: Cisco Talos Intelligence Group) [TeamTNT](https://attack.mitre.org/groups/G0139) has also targeted exposed kubelets for Kubernetes environments.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": 
"[TeamTNT](https://attack.mitre.org/groups/G0139) has used a script that checks `/proc/*/environ` for environment variables related to AWS.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1222", "showSubtechniques": true}, {"techniqueID": "T1222.002", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has modified the permissions on binaries with chattr.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has disabled and uninstalled security tools such as Alibaba, Tencent, and BMC cloud monitoring agents on cloud-based infrastructure.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has disabled iptables.(Citation: Aqua TeamTNT August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.002", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has removed system logs from /var/log/syslog.(Citation: Aqua TeamTNT August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.003", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has cleared command history with history -c.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used a payload that removes itself after running. [TeamTNT](https://attack.mitre.org/groups/G0139) has also deleted locally staged files for collecting credentials or scan results for local IP addresses after exfiltrating them.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used the curl and wget commands as well as batch scripts to download new tools.(Citation: Intezer TeamTNT September 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1036", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has disguised their scripts with docker-related file names.(Citation: Cisco Talos Intelligence Group)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1036.005", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has replaced .dockerd and .dockerenv with their own scripts and cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1046", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used masscan to search for open Docker API ports and Kubernetes clusters.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Unit 42 Hildegard Malware)(Citation: Cisco Talos Intelligence Group) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used malware that utilizes zmap and zgrab to search for vulnerable services in cloud environments.(Citation: Palo Alto Black-T October 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1027", "showSubtechniques": true}, {"techniqueID": "T1027.002", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used UPX and Ezuri packer to pack its binaries.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": 
true}, {"techniqueID": "T1027.013", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has encrypted its binaries via AES and encoded files using Base64.(Citation: Trend Micro TeamTNT)(Citation: Aqua TeamTNT August 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1120", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for attached VGA devices using lspci.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1057", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for rival malware and removed it if found.(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also searched for running processes containing the strings aliyun or liyun to identify machines running Alibaba Cloud Security tools.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1219", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has established tmate sessions for C2 communications.(Citation: Unit 42 Hildegard Malware)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1021", "showSubtechniques": true}, {"techniqueID": "T1021.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used SSH to connect back to victim machines.(Citation: Intezer TeamTNT September 2020) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used SSH to transfer tools and payloads onto victim hosts and execute them.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1496", "showSubtechniques": true}, {"techniqueID": "T1496.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has deployed XMRig Docker images to mine cryptocurrency.(Citation: Lacework TeamTNT May 2021)(Citation: Cado Security TeamTNT Worm August 2020) [TeamTNT](https://attack.mitre.org/groups/G0139) has also infected Docker containers and Kubernetes clusters with XMRig, and used RainbowMiner and lolMiner for mining cryptocurrency.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1014", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has used rootkits such as the open-source Diamorphine rootkit and their custom bots to hide cryptocurrency mining activities on the machine.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1518", "showSubtechniques": true}, {"techniqueID": "T1518.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for security products on infected machines.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1608", "showSubtechniques": true}, {"techniqueID": "T1608.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has uploaded backdoored Docker images to Docker Hub.(Citation: Lacework TeamTNT May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for system version, architecture, disk partition, logical volume, and hostname information.(Citation: ATT TeamTNT Chimaera September 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has enumerated the host machine\u2019s IP address.(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1049", "comment": 
"[TeamTNT](https://attack.mitre.org/groups/G0139) has run netstat -anp to search for rival malware connections.(Citation: Trend Micro TeamTNT) [TeamTNT](https://attack.mitre.org/groups/G0139) has also used `libprocesshider` to modify /etc/ld.so.preload.(Citation: ATT TeamTNT Chimaera September 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1007", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for services such as Alibaba Cloud Security's aliyun service and BMC Helix Cloud Security's bmc-agent service in order to disable them.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1569", "showSubtechniques": true}, {"techniqueID": "T1569.003", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has created system services to execute cryptocurrency mining software.(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552", "showSubtechniques": true}, {"techniqueID": "T1552.001", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured AWS credentials and Docker API credentials.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.004", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has searched for unsecured SSH keys.(Citation: Cado Security TeamTNT Worm August 2020)(Citation: Trend Micro TeamTNT)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1552.005", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has queried the AWS instance metadata service for credentials.(Citation: Trend Micro TeamTNT)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": 
"T1204", "showSubtechniques": true}, {"techniqueID": "T1204.003", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has relied on users to download and execute malicious Docker images.(Citation: Lacework TeamTNT May 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[TeamTNT](https://attack.mitre.org/groups/G0139) has leveraged iplogger.org to send collected data back to C2.(Citation: Aqua TeamTNT August 2020)(Citation: Cisco Talos Intelligence Group)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by TeamTNT", "color": "#66b1ff"}]}