We are continuing the Conti ransomware release this week and integrated some existing Conti TTPs along with some new ones. The Conti theme will contain the following kill-chains:
Conti is considered Ransomware-as-a-Service (RaaS) and has an elaborate chain of events from initial access to execution of the ransomware. For this week, we are focusing on the Local and Remote Discovery. Conti uses numerous techniques during the discovery phase. This chain starts with a Jambi agent from last week’s chain. For remote discovery, the chain will check whether RSAT-AD-PowerShell is present, if not it will attempt to side-load it via a GitHub repository. The chain then probes for domain information, printer shares, storage devices, groups, and users. For local discovery, the chain will check the machine’s services and attempt to identify any security services which may decrease the likelihood of successfully deploying the ransomware. Finally, the chain identifies patches and registry keys which may lead to successful exploitation of CVE-2021-34527 (PrintNightmare).
Watch a demonstration: Conti Local & Remote Discovery
Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!
There are several ways to follow us and learn more about Prelude and our team members:
Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg
Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg