Conti Collect and Exfiltrate

Enumerate the users home directory then attempt to dump hashes via Kerberoasting and AS-REProasting. Ingress then exfiltrate data using Rclone.

TTP Tuesday: Conti (Release 5)

Data collection and exfiltration

Theme Overview

We're releasing the fifth release of our Conti ransomware theme with new TTPs focused on data collection and exfiltration. To date, our Conti theme now contains the following kill-chains:

1. Recon and Initial Access
2. Local and Remote Discovery
3. Gain privileges and persist
4. Move to remote systems
5. Data collection and exfiltration (Current Release)
6. Deploy ransomware

Data Collection and Exfiltration

This chain performs collection and exfiltration. First we enumerate the users home directory then attempt to dump hashes via Kerberoasting and AS-REProasting. Once we have target data, the ingress and configure Rclone to work with an ephemeral Mega account then automatically exfiltrate to a Data folder in Mega.

Watch a demonstration: Conti Collect & Exfiltrate

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/c/preludeorg

Follow our team

David: privateducky
Alex: khyberspache
Kris: Xanthonus
Octavia: VVX7
Sam: wasupwithuman

Source: https://feed.prelude.org
Read more

Execute this chain

Download Operator (1.7.1)
Learn about Operator

TTPs

Get user's home directory
Configure rclone Mega credentials
Dump account hashes using AS-REP roasting
Dump hashes for kerberoastable accounts to disk
Exfil data with RClone

Tags

ransomware, conti