Prelude chain browser
Conti (Discovery)
Discover computers, shares, and the number of computers in the domain. Enumerate the local, domain, and enterprise administrators, then dump hashes for potentially Kerberoastable accounts.
2021-09-21
Professional
This is a professional attack chain. A professional subscription automatically gives you access to this chain + 50 more, with direct integration inside of Operator.
Authors:
privateducky, mitre, w0rk3r, bfuzzy1, khyberspache, Will Schroeder (@harmj0y), tevora-threat, Matthew Graeber (@mattifestation), outflanknl
TTPs
Permission Groups Discovery
Discover domain controller
Enumerate number of computers in the domain
Enumerate local user and domain
Enumerate domain administrator objects
Enumerate local administrators
Enumerate enterprise administrator objects
Find domain systems user is logged into
Enumerate computers in the domain
Enumerate shares in the domain
Dump account hashes using AS-REP roasting
Retrieve unsecured information in GPP
Dump hashes for kerberoastable accounts to disk
Tags
conti, hafnium, apt29 scenario 1, apt29
Tactics
Discovery
Credential-access
Other chains in this theme
Conti Deploy Ransomware
2022-02-14
Deploy Conti ransomware to encrypt host files.
Conti Collect and Exfiltrate
2022-02-08
Automatically collect information and exfiltrate with rclone to a cloud service.
Conti Move To Remote System
2022-02-01
Perform lateral movement of the Jambi agent to discovered AD targets.
Conti Privilege Escalation and Persistence
2022-01-25
Use PrintNightmare & ZeroLogon exploits to gain privileges and extract the krbtgt NTLM hash from a DC.
Conti Local and Remote Discovery
2022-01-18
Using the Jambi agent from the initial access chain, discover local services and Active Directory objects, and check the box for PrintNightmare.
Conti Recon And Initial Access
2022-01-10
Perform recon and initial access of the target environment.