{
  "description": "Enterprise techniques used by Hildegard, ATT&CK software S0601 (v1.2)",
  "name": "Hildegard (S0601)",
  "domain": "enterprise-attack",
  "versions": {"layer": "4.5", "attack": "17", "navigator": "5.1.0"},
  "techniques": [
    {"techniqueID": "T1071", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used an IRC channel for C2 communications.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1059", "showSubtechniques": true},
    {"techniqueID": "T1059.004", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used shell scripts for execution.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1609", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) was executed through the kubelet API run command and by executing commands on running containers.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1613", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used masscan to search for kubelets and the kubelet API for additional running containers.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1136", "showSubtechniques": true},
    {"techniqueID": "T1136.001", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has created a user named “monerodaemon”.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1543", "showSubtechniques": true},
    {"techniqueID": "T1543.002", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has started a monero service.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1140", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has decrypted ELF files with AES.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1611", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used the BOtB tool that can break out of containers.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1068", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used the BOtB tool which exploits CVE-2019-5736.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1133", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) was executed through an insecurely configured kubelet that allowed anonymous access to the victim environment.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1574", "showSubtechniques": true},
    {"techniqueID": "T1574.006", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has modified /etc/ld.so.preload to intercept shared library import functions.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1562", "showSubtechniques": true},
    {"techniqueID": "T1562.001", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has modified DNS resolvers to evade DNS monitoring tools.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070", "showSubtechniques": true},
    {"techniqueID": "T1070.003", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has run history -c to clear the shell command history.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1070.004", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has deleted scripts after execution.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1105", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has downloaded additional scripts that build and run Monero cryptocurrency miners.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1036", "showSubtechniques": true},
    {"techniqueID": "T1036.004", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has disguised itself as a known Linux process.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1046", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used masscan to look for kubelets in the internal Kubernetes network.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1027", "showSubtechniques": true},
    {"techniqueID": "T1027.002", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has packed ELF files into other binaries.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1027.013", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has encrypted an ELF file.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1219", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has established tmate sessions for C2 communications.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1496", "showSubtechniques": true},
    {"techniqueID": "T1496.001", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has used xmrig to mine cryptocurrency.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1014", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has modified /etc/ld.so.preload to interpose on readdir() and readdir64().(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1082", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has collected the host's OS, CPU, and memory information.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
    {"techniqueID": "T1552", "showSubtechniques": true},
    {"techniqueID": "T1552.001", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has searched for SSH keys, Docker credentials, and Kubernetes service tokens.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.004", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has searched for private keys in .ssh.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1552.005", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has queried the Cloud Instance Metadata API for cloud credentials.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
    {"techniqueID": "T1102", "comment": "[Hildegard](https://attack.mitre.org/software/S0601) has downloaded scripts from GitHub.(Citation: Unit 42 Hildegard Malware)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}
  ],
  "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1},
  "legendItems": [{"label": "used by Hildegard", "color": "#66b1ff"}]
}
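The layer above records what Hildegard does on a compromised node. The script below is an added example written for this page, not code from Unit 42 or ATT&CK: it turns the host-side rows (T1574.006/T1014 /etc/ld.so.preload, T1136.001 the monerodaemon account, T1562.001 resolver changes, T1496.001 xmrig, T1219 tmate) into a triage check that runs against a live root, a mounted disk image, or a constructed sample tree. The process-name list, the resolver allowlist, the extra UID-0 heuristic and everything in the sample tree are assumptions for the demonstration, not indicators from the report. The one point worth taking away is the T1014 check: a preloaded readdir()/readdir64() hook hides PIDs from directory listings, but /proc/<pid> still answers stat(), so walking PIDs by number exposes what the listing drops.

```python
#!/usr/bin/env python3
"""Host triage for the Hildegard behaviours listed in the layer above.

Added example; not Unit 42's or ATT&CK's code. Every check reads plain files
under `root` (default "/"), so it runs unchanged against a live host, a mounted
image, or the constructed tree from build_sample_tree(). Process names, the
resolver allowlist and the UID-0 heuristic are assumptions, not report IOCs.
"""
import os
import re
import tempfile
from pathlib import Path

# Binaries the layer ties to Hildegard: xmrig (T1496.001), tmate (T1219),
# masscan (T1046 / T1613). Extend for your environment.
SUSPECT_PROCS = {"xmrig", "tmate", "masscan"}
# Account the report says Hildegard creates (T1136.001).
SUSPECT_USERS = {"monerodaemon"}


def check_ld_preload(root="/"):
    """T1574.006 / T1014: every library in /etc/ld.so.preload is injected into
    each dynamically linked process. A clean host has no file or an empty one."""
    p = Path(root, "etc/ld.so.preload")
    if not p.is_file():
        return []
    return [ln.strip() for ln in p.read_text().splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def check_users(root="/"):
    """T1136.001: the account named in the report, plus any extra UID-0 account
    (an added heuristic, not something the report describes)."""
    hits = []
    for ln in Path(root, "etc/passwd").read_text().splitlines():
        f = ln.split(":")
        if len(f) >= 7 and (f[0] in SUSPECT_USERS or (f[2] == "0" and f[0] != "root")):
            hits.append(f[0])
    return hits


def check_resolvers(root="/", allowed=("10.0.0.2",)):
    """T1562.001: nameservers in /etc/resolv.conf outside the allowlist.
    The default `allowed` entry is a placeholder for your own resolvers."""
    p = Path(root, "etc/resolv.conf")
    if not p.is_file():
        return []
    return [n for n in re.findall(r"^\s*nameserver\s+(\S+)", p.read_text(), re.M)
            if n not in allowed]


def hidden_pids(proc="/proc", max_pid=32768, lister=os.listdir):
    """T1014: a preloaded readdir()/readdir64() hook can drop entries from a
    directory listing but cannot hide /proc/<pid> from stat(). Walk PIDs by
    number and report those present yet absent from the listing. `lister` is
    injectable so a hook can be simulated without loading one."""
    listed = {int(e) for e in lister(proc) if e.isdigit()}
    present = {n for n in range(1, max_pid + 1)
               if os.path.isdir(os.path.join(proc, str(n)))}
    return sorted(present - listed)


def suspect_processes(proc="/proc", max_pid=32768):
    """Match /proc/<pid>/comm against SUSPECT_PROCS, again walking by number so
    a readdir hook cannot hide the miner or the tmate session."""
    hits = []
    for n in range(1, max_pid + 1):
        try:
            name = Path(proc, str(n), "comm").read_text().strip()
        except OSError:
            continue
        if name in SUSPECT_PROCS:
            hits.append((n, name))
    return hits


def triage(root="/", max_pid=32768, allowed=("10.0.0.2",)):
    """Run every check; empty lists mean nothing was found."""
    proc = os.path.join(root, "proc")
    return {
        "ld_preload": check_ld_preload(root),
        "users": check_users(root),
        "resolvers": check_resolvers(root, allowed),
        "hidden_pids": hidden_pids(proc, max_pid),
        "suspect_procs": suspect_processes(proc, max_pid),
    }


def build_sample_tree(base=None):
    """Constructed, infected-looking tree for offline runs. The library path,
    PIDs and addresses are invented for the demo, not real indicators."""
    base = Path(base or tempfile.mkdtemp(prefix="hildegard-triage-"))
    (base / "etc").mkdir(parents=True, exist_ok=True)
    (base / "etc/ld.so.preload").write_text("/usr/local/lib/libexample.so\n")
    (base / "etc/passwd").write_text(
        "root:x:0:0:root:/root:/bin/bash\n"
        "monerodaemon:x:1001:1001::/home/monerodaemon:/bin/sh\n")
    (base / "etc/resolv.conf").write_text("nameserver 10.0.0.2\nnameserver 8.8.8.8\n")
    for pid, comm in ((41, "sshd"), (42, "xmrig"), (43, "tmate")):
        (base / "proc" / str(pid)).mkdir(parents=True, exist_ok=True)
        (base / "proc" / str(pid) / "comm").write_text(comm + "\n")
    return str(base)


if __name__ == "__main__":
    for key, val in triage(build_sample_tree(), max_pid=100).items():
        print(f"{key}: {val}")
```

Run it as root on a live node with `triage("/")`, or point `root` at a mounted image of the node's disk. The PID walk only defeats a hook that sits on readdir()/readdir64(), which is what the layer records for Hildegard; a rootkit that also interposes on stat() or open() would need a statically linked tool or an offline image to get around.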