Conti Group MITRE ATT&CK Techniques Part Three

MITRE ATT&CK Techniques

Conti ransomware uses the ATT&CK techniques listed in Table 1.

Table 1: Conti ATT&CK techniques for enterprise
Initial Access

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. |
| Phishing: Spearphishing Attachment | T1566.001 | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. |
| Phishing: Spearphishing Link | T1566.002 | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. |

Execution

| Technique Title | ID | Use |
|---|---|---|
| Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. |
| Native Application Programming Interface (API) | T1106 | Conti ransomware has used API calls during execution. |

Persistence

| Technique Title | ID | Use |
|---|---|---|
| Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. |
| External Remote Services | T1133 | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. |

Privilege Escalation

| Technique Title | ID | Use |
|---|---|---|
| Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executes it. |

Defense Evasion

| Technique Title | ID | Use |
|---|---|---|
| Obfuscated Files or Information | T1027 | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. |
| Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted DLL into memory and then executes it. |
| Deobfuscate/Decode Files or Information | T1140 | Conti ransomware has decrypted its payload using a hardcoded AES-256 key. |

Credential Access

| Technique Title | ID | Use |
|---|---|---|
| Brute Force | T1110 | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. |
| Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Conti actors use Kerberos attacks to attempt to get the Admin hash. |

Discovery

| Technique Title | ID | Use |
|---|---|---|
| System Network Configuration Discovery | T1016 | Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-internet systems. |
| System Network Connections Discovery | T1049 | Conti ransomware can enumerate routine network connections from a compromised host. |
| Process Discovery | T1057 | Conti ransomware can enumerate through all open processes to search for any that have the string sql in their process name. |
| File and Directory Discovery | T1083 | Conti ransomware can discover files on a local system. |
| Network Share Discovery | T1135 | Conti ransomware can enumerate remote open server message block (SMB) network shares using NetShareEnum(). |

Lateral Movement

| Technique Title | ID | Use |
|---|---|---|
| Remote Services: SMB/Windows Admin Shares | T1021.002 | Conti ransomware can spread via SMB and encrypts files on different hosts, potentially compromising an entire network. |
| Taint Shared Content | T1080 | Conti ransomware can spread itself by infecting other remote machines via network shared drives. |

Impact

| Technique Title | ID | Use |
|---|---|---|
| Data Encrypted for Impact | T1486 | Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti ransomware can use "Windows Restart Manager" to ensure files are unlocked and open for encryption. |
| Service Stop | T1489 | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. |
| Inhibit System Recovery | T1490 | Conti ransomware can delete Windows Volume Shadow Copies using vssadmin. |
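The two Impact rows above (T1489 Service Stop via net stop, T1490 Inhibit System Recovery via vssadmin) are the noisiest, most detectable stage of a Conti intrusion. The following detection logic is an added example, not code from the original page or from any vendor tool: it runs over constructed process-creation events (host, ISO timestamp, command line), flags any "vssadmin delete shadows" immediately, and raises a Service Stop finding when one host launches a burst of net stop commands inside a short window. The burst threshold, window and sample events are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (host, timestamp, command line); not from a real incident.
# ws01 mimics the mass "net stop" then shadow-copy deletion pattern; ws02 is benign admin noise.
SAMPLE_EVENTS = [
    ("ws01", "2021-09-20T10:00:01", 'net stop "SQLWriter" /y'),
    ("ws01", "2021-09-20T10:00:02", 'net stop "MSSQLSERVER" /y'),
    ("ws01", "2021-09-20T10:00:02", 'net stop "VeeamBackupSvc" /y'),
    ("ws01", "2021-09-20T10:00:03", 'net stop "MSExchangeIS" /y'),
    ("ws01", "2021-09-20T10:00:03", 'C:\\Windows\\System32\\net1.exe stop "WinDefend" /y'),
    ("ws01", "2021-09-20T10:00:05", "vssadmin delete shadows /all /quiet"),
    ("ws02", "2021-09-20T11:15:00", "net stop Spooler"),
    ("ws02", "2021-09-20T11:20:00", "vssadmin list shadows"),
]

# "net stop", "net1 stop" and full-path net.exe/net1.exe invocations all count.
NET_STOP = re.compile(r"\bnet1?(?:\.exe)?\s+stop\b", re.I)
# Only the destructive vssadmin verb is flagged; "vssadmin list shadows" is routine.
VSS_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)


def detect(events, burst_threshold=5, window=timedelta(seconds=60)):
    """Return {host: [(technique_id, timestamp, detail), ...]}.

    T1490 fires on every 'vssadmin delete shadows'. T1489 fires once, the moment a
    host reaches `burst_threshold` net stop launches within the sliding `window`.
    """
    findings = defaultdict(list)
    recent_stops = defaultdict(list)  # host -> timestamps of net stop still inside window
    for host, ts, cmdline in events:
        t = datetime.fromisoformat(ts)
        if VSS_DELETE.search(cmdline):
            findings[host].append(("T1490", ts, cmdline))
        if NET_STOP.search(cmdline):
            stops = recent_stops[host]
            stops.append(t)
            while stops and t - stops[0] > window:  # drop stops that fell out of the window
                stops.pop(0)
            if len(stops) == burst_threshold:
                detail = f"{burst_threshold} 'net stop' launches within {int(window.total_seconds())}s"
                findings[host].append(("T1489", ts, detail))
    return dict(findings)


if __name__ == "__main__":
    for host, hits in detect(SAMPLE_EVENTS).items():
        for technique, ts, detail in hits:
            print(f"{host} {ts} {technique}: {detail}")
```

In production the same logic would read Windows Security 4688 or Sysmon Event ID 1 command lines; the per-host window is what separates a ransomware precursor from an administrator stopping a single service.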