MITRE ATT&CK Training

The document discusses tactics used by the Conti ransomware group. It describes how Conti actors often gain initial access through spearphishing emails containing malicious attachments or links. They use tools like TrickBot and Cobalt Strike for lateral movement and post-exploitation tasks. Conti actors are known to exploit legitimate remote access software and use tools already on victim networks like Mimikatz to escalate privileges and obtain credentials to move laterally. The document also lists vulnerabilities exploited by Conti to escalate privileges and move laterally, such as the 2017 SMB vulnerability.

Uploaded by

Antonio Acevedo

Training MITRE ATT&CK – Offensive Cybersecurity BCP

Challenge: Identify behaviors.

In the following bulletin, highlight the behaviors associated with MITRE ATT&CK tactics, add the name of the tactic as a comment, and explain them during the working session.

Reference:

While Conti is considered a ransomware-as-a-service (RaaS) model ransomware variant, there is variation in its structure that differentiates it from a typical affiliate model. It is likely that Conti developers pay the deployers of the ransomware a wage rather than a percentage of the proceeds used by affiliate cyber actors and receives a share of the proceeds from a successful attack.

Conti actors often gain initial access to networks through: [Tactic: Initial Access]

Spearphishing campaigns using tailored emails that contain malicious attachments or malicious links. Malicious Word attachments often contain embedded scripts that can be used to download or drop other malware—such as TrickBot and IcedID, and/or Cobalt Strike—to assist with lateral movement and later stages of the attack life cycle with the eventual goal of deploying Conti ransomware.

Stolen or weak Remote Desktop Protocol (RDP) credentials.

Fake software promoted via search engine optimization;

Other malware distribution networks (e.g., ZLoader); and

Common vulnerabilities in external assets.

In the execution phase, actors run a getuid payload before using a more
aggressive payload to reduce the risk of triggering antivirus engines. CISA and
FBI have observed Conti actors using Router Scan, a penetration testing tool, to
maliciously scan for and brute force routers, cameras, and network-attached
storage devices with web interfaces. Additionally, actors use Kerberos attacks to
attempt to get the Admin hash to conduct brute force attacks.
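Two of the behaviors above, stolen or weak RDP credentials and Kerberos attacks aimed at service-account hashes, leave distinctive traces in the Windows Security log. The script below is an added example for the training exercise, not code from the CISA bulletin or the training sheet. It runs two detections over constructed event lines (the pipe-separated key=value layout is a stand-in for an exported log; the field names match the Windows event properties): a burst of Event 4625 failures from one address followed by an Event 4624 with LogonType 10 (RemoteInteractive, i.e. RDP), and Event 4769 service-ticket requests with TicketEncryptionType 0x17 (RC4) for several service accounts in a short window, the Kerberoasting pattern. The ATT&CK technique IDs in the findings are my mapping, not one stated on this page.

```python
"""Added example: detections for RDP credential abuse and Kerberoasting over
constructed Windows Security events. Thresholds and technique mappings are
assumptions for the exercise, not values from the bulletin."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry), already in time order.
SAMPLE_EVENTS = [
    # Six failed logons from one external address, then a successful RDP logon.
    "2023-04-01T10:00:01|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:04|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:07|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:11|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:15|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:19|EventID=4625|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    "2023-04-01T10:00:45|EventID=4624|IpAddress=203.0.113.7|TargetUserName=jsmith|LogonType=10",
    # One mistyped password then success from a workstation: normal behaviour.
    "2023-04-01T10:05:00|EventID=4625|IpAddress=10.1.2.30|TargetUserName=alee|LogonType=10",
    "2023-04-01T10:05:10|EventID=4624|IpAddress=10.1.2.30|TargetUserName=alee|LogonType=10",
    # RC4 service tickets for several service accounts requested by one user.
    "2023-04-01T11:00:00|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x17",
    "2023-04-01T11:00:02|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_web|TicketEncryptionType=0x17",
    "2023-04-01T11:00:03|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=svc_backup|TicketEncryptionType=0x17",
    "2023-04-01T11:00:04|EventID=4769|TargetUserName=jsmith@CORP.LOCAL|ServiceName=WS01$|TicketEncryptionType=0x17",
    # AES ticket for a single service: normal.
    "2023-04-01T11:10:00|EventID=4769|TargetUserName=alee@CORP.LOCAL|ServiceName=svc_sql|TicketEncryptionType=0x12",
]


def parse_event(line):
    """Split '<iso-timestamp>|k=v|k=v' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split("|")
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def detect_rdp_credential_abuse(lines, threshold=5, window=timedelta(minutes=10)):
    """Flag a successful RDP logon (4624, LogonType 10) preceded by >= threshold
    failures (4625) from the same source address inside the window."""
    failures = defaultdict(list)  # source IP -> timestamps of failed logons
    findings = []
    for ev in (parse_event(l) for l in lines):
        if ev["EventID"] == "4625":
            failures[ev["IpAddress"]].append(ev["ts"])
        elif ev["EventID"] == "4624" and ev.get("LogonType") == "10":
            recent = [t for t in failures[ev["IpAddress"]] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                findings.append({
                    "source_ip": ev["IpAddress"],
                    "user": ev["TargetUserName"],
                    "failures": len(recent),
                    "technique": "T1110 Brute Force -> T1021.001 Remote Desktop Protocol",
                    "tactic": "Credential Access / Initial Access",
                })
    return findings


def detect_kerberoasting(lines, min_services=3, window=timedelta(minutes=5)):
    """Flag an account that requests RC4 (0x17) service tickets for at least
    min_services distinct service accounts within the window. Machine accounts
    and krbtgt are skipped: their tickets are not what Kerberoasting targets."""
    requests = defaultdict(list)  # requesting account -> [(ts, service)]
    for ev in (parse_event(l) for l in lines):
        if ev["EventID"] != "4769" or ev.get("TicketEncryptionType") != "0x17":
            continue
        service = ev["ServiceName"]
        if service.endswith("$") or service.lower() == "krbtgt":
            continue
        requests[ev["TargetUserName"]].append((ev["ts"], service))
    findings = []
    for account, reqs in requests.items():
        for i, (start, _) in enumerate(reqs):
            services = {s for t, s in reqs[i:] if t - start <= window}
            if len(services) >= min_services:
                findings.append({
                    "account": account,
                    "services": sorted(services),
                    "technique": "T1558.003 Steal or Forge Kerberos Tickets: Kerberoasting",
                    "tactic": "Credential Access",
                })
                break
    return findings


if __name__ == "__main__":
    for finding in detect_rdp_credential_abuse(SAMPLE_EVENTS) + detect_kerberoasting(SAMPLE_EVENTS):
        print(finding)
```

The second detection deliberately keys on the encryption type rather than on volume alone: an account that asks for RC4 tickets across many service principals in seconds is the signal, because RC4 tickets are the ones whose password hash can be attacked offline. In a real deployment the allowlist of source addresses and the thresholds come from the environment's baseline.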

Conti actors are known to exploit legitimate remote monitoring and management software and remote desktop software as backdoors to maintain persistence on victim networks. The actors use tools already available on the victim network—and, as needed, add additional tools, such as Windows Sysinternals and Mimikatz—to obtain users’ hashes and clear-text credentials, which enable the actors to escalate privileges within a domain and perform other post-exploitation and lateral movement tasks. In some cases, the actors also use TrickBot malware to carry out post-exploitation tasks.

According to a recently leaked threat actor “playbook,” Conti actors also exploit vulnerabilities in unpatched assets, such as the following, to escalate privileges and move laterally across a victim’s network:

2017 Microsoft Windows Server Message Block 1.0 server vulnerabilities; [7]

"PrintNightmare" vulnerability (CVE-2021-34527) in Windows Print spooler service; [8] and

"Zerologon" vulnerability (CVE-2020-1472) in Microsoft Active Directory Domain Controller systems. [9]

Artifacts leaked with the playbook identify four Cobalt Strike server Internet Protocol (IP) addresses Conti actors previously used to communicate with their command and control (C2) server.
