Thursday, November 21, 2024
Latest:

Chris Stewart

Cybersecurity News

BlueteamConti Group

Conti Group MITRE ATT&CK Techniques Part Three

Chris Stewart

MITRE ATT&CK Techniques

Conti ransomware uses the ATT&CK techniques listed in table 1.

Table 1: Conti ATT&CK techniques for enterprise
Initial Access
Technique TitleIDUse
Valid AccountsT1078Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. 
Phishing: Spearphishing Attachment T1566.001Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware.
Phishing: Spearphishing Link T1566.002Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails.
Execution
Technique TitleIDUse
Command and Scripting Interpreter: Windows Command Shell T1059.003Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files.
Native Application Programming Interface (API) T1106Conti ransomware has used API calls during execution.
Persistence
Technique TitleIDUse
Valid AccountsT1078Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. 
External Remote ServicesT1133Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally.
Privilege Escalation
Technique TitleIDUse
Process Injection: Dynamic-link Library InjectionT1055.001Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it. 
Defense Evasion
Technique TitleIDUse
Obfuscated Files or Information T1027Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls.
Process Injection: Dynamic-link Library InjectionT1055.001Conti ransomware has loaded an encrypted DLL into memory and then executes it.
Deobfuscate/Decode Files or Information T1140Conti ransomware has decrypted its payload using a hardcoded AES-256 key.
Credential Access
Technique TitleIDUse
Brute ForceT1110Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces.
Steal or Forge Kerberos Tickets: KerberoastingT1558.003Conti actors use Kerberos attacks to attempt to get the Admin hash.
System Network Configuration Discovery T1016Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems.
System Network Connections Discovery T1049Conti ransomware can enumerate routine network connections from a compromised host.
Process DiscoveryT1057Conti ransomware can enumerate through all open processes to search for any that have the string sql in their process name.
File and Directory Discovery T1083Conti ransomware can discover files on a local system.
Network Share DiscoveryT1135Conti ransomware can enumerate remote open server message block (SMB) network shares using NetShareEnum().
Lateral Movement
Technique TitleIDUse
Remote Services: SMB/Windows Admin Shares T1021.002Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network.
Taint Shared ContentT1080Conti ransomware can spread itself by infecting other remote machines via network shared drives.
Impact
Technique TitleIDUse
Data Encrypted for ImpactT1486Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. Conti ransomware can use “Windows Restart Manager” to ensure files are unlocked and open for encryption.
Service StopT1489Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop.
Inhibit System RecoveryT1490Conti ransomware can delete Windows Volume Shadow Copies using vssadmin.