Conti Collect and Exfiltrate

Enumerate the user's home directory, then attempt to dump hashes via Kerberoasting and AS-REP roasting. Ingress Rclone, then exfiltrate data using it.

TTP Tuesday: Conti (Release 5)

Data collection and exfiltration

Theme Overview

We're publishing the fifth release of our Conti ransomware theme, with new TTPs focused on data collection and exfiltration. To date, the Conti theme contains the following kill chains:

1. Recon and Initial Access
2. Local and Remote Discovery
3. Gain privileges and persist
4. Move to remote systems
5. Data collection and exfiltration (Current Release)
6. Deploy ransomware

Data Collection and Exfiltration

This chain performs collection and exfiltration. First we enumerate the user's home directory, then attempt to dump hashes via Kerberoasting and AS-REP roasting. Once we have target data, we ingress Rclone, configure it to work with an ephemeral Mega account, and then automatically exfiltrate to a Data folder in Mega.

Watch a demonstration: Conti Collect & Exfiltrate
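The three noisiest steps of the chain described above (Kerberoasting, AS-REP roasting and the Rclone push to Mega) each leave a recognisable trace in Windows Security logging. The following detection heuristics are an added example written for this post, not Prelude's code; the events are constructed samples whose field names are shortened from the 4769, 4768 and 4688 event fields, and the thresholds are assumptions to tune per environment.

```python
"""Detection heuristics for the three noisy steps of this chain:
Kerberoasting (4769), AS-REP roasting (4768) and Rclone-to-Mega exfil (4688).
Events are constructed samples; field names follow the Windows Security log."""
from collections import defaultdict

# Constructed sample events (not real telemetry).
EVENTS = [
    {"id": 4769, "account": "jdoe", "service": "MSSQLSvc/db01", "enc": "0x17"},
    {"id": 4769, "account": "jdoe", "service": "http/web01", "enc": "0x17"},
    {"id": 4769, "account": "jdoe", "service": "cifs/fs01", "enc": "0x17"},
    {"id": 4769, "account": "svc_backup", "service": "cifs/fs01", "enc": "0x12"},
    {"id": 4768, "account": "svc_legacy", "preauth": "0", "enc": "0x17"},
    {"id": 4768, "account": "alice", "preauth": "2", "enc": "0x12"},
    {"id": 4688, "account": "jdoe", "image": r"C:\Users\jdoe\rclone.exe",
     "cmdline": "rclone.exe copy C:\\Users\\jdoe\\Documents mega:Data"},
    {"id": 4688, "account": "alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe"},
]

RC4 = "0x17"  # RC4-HMAC: roasting tools request it because it cracks fastest

def detect_kerberoasting(events, min_distinct_spns=3):
    """One account requesting RC4 service tickets for many distinct SPNs."""
    spns = defaultdict(set)
    for e in events:
        if e["id"] == 4769 and e["enc"] == RC4:
            spns[e["account"]].add(e["service"])
    return sorted(a for a, s in spns.items() if len(s) >= min_distinct_spns)

def detect_asrep_roasting(events):
    """TGT issued without pre-authentication (PreAuthType 0) using RC4."""
    return sorted({e["account"] for e in events
                   if e["id"] == 4768 and e["preauth"] == "0" and e["enc"] == RC4})

def detect_rclone_exfil(events, remotes=("mega",)):
    """rclone process whose command line targets a cloud remote (here Mega)."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e["cmdline"].lower()
        if "rclone" in cmd and any(f"{r}:" in cmd for r in remotes):
            hits.append((e["account"], e["cmdline"]))
    return hits

if __name__ == "__main__":
    print("Kerberoasting:", detect_kerberoasting(EVENTS))
    print("AS-REP roasting:", detect_asrep_roasting(EVENTS))
    print("Rclone exfil:", detect_rclone_exfil(EVENTS))
```

Legacy services still negotiate RC4 legitimately, so the SPN threshold and an allow-list of known RC4 accounts keep the first two rules from paging on every old application server.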

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!


Execute this chain

1. Get user's home directory
2. Configure rclone Mega credentials
3. Dump account hashes using AS-REP roasting
4. Dump hashes for kerberoastable accounts to disk
5. Exfil data with RClone


ransomware, conti