MITRE ATT&CK Techniques
Conti ransomware uses the ATT&CK techniques listed in table 1.
Table 1: Conti ATT&CK techniques for enterprise

| Tactic | Technique Title | ID | Use |
|---|---|---|---|
| Initial Access | Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen Remote Desktop Protocol (RDP) credentials. |
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Conti ransomware can be delivered using TrickBot malware, which is known to use an email with an Excel sheet containing a malicious macro to deploy the malware. |
| Initial Access | Phishing: Spearphishing Link | T1566.002 | Conti ransomware can be delivered using TrickBot, which has been delivered via malicious links in phishing emails. |
| Execution | Command and Scripting Interpreter: Windows Command Shell | T1059.003 | Conti ransomware can utilize command line options to allow an attacker control over how it scans and encrypts files. |
| Execution | Native Application Programming Interface (API) | T1106 | Conti ransomware has used API calls during execution. |
| Persistence | Valid Accounts | T1078 | Conti actors have been observed gaining unauthorized access to victim networks through stolen RDP credentials. |
| Persistence | External Remote Services | T1133 | Adversaries may leverage external-facing remote services to initially access and/or persist within a network. Remote services such as virtual private networks (VPNs), Citrix, and other access mechanisms allow users to connect to internal enterprise network resources from external locations. There are often remote service gateways that manage connections and credential authentication for these services. Services such as Windows Remote Management can also be used externally. |
| Privilege Escalation | Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted dynamic-link library (DLL) into memory and then executed it. |
| Defense Evasion | Obfuscated Files or Information | T1027 | Conti ransomware has encrypted DLLs and used obfuscation to hide Windows API calls. |
| Defense Evasion | Process Injection: Dynamic-link Library Injection | T1055.001 | Conti ransomware has loaded an encrypted DLL into memory and then executed it. |
| Defense Evasion | Deobfuscate/Decode Files or Information | T1140 | Conti ransomware has decrypted its payload using a hardcoded AES-256 key. |
| Credential Access | Brute Force | T1110 | Conti actors use legitimate tools to maliciously scan for and brute force routers, cameras, and network-attached storage devices with web interfaces. |
| Credential Access | Steal or Forge Kerberos Tickets: Kerberoasting | T1558.003 | Conti actors use Kerberos attacks to attempt to get the Admin hash. |
| Discovery | System Network Configuration Discovery | T1016 | Conti ransomware can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure the IP addresses it connects to belong to local, non-internet systems. |
| Discovery | System Network Connections Discovery | T1049 | Conti ransomware can enumerate routine network connections from a compromised host. |
| Discovery | Process Discovery | T1057 | Conti ransomware can enumerate all open processes to search for any that have the string "sql" in their process name. |
| Discovery | File and Directory Discovery | T1083 | Conti ransomware can discover files on a local system. |
| Discovery | Network Share Discovery | T1135 | Conti ransomware can enumerate remote open Server Message Block (SMB) network shares using NetShareEnum(). |
| Lateral Movement | Remote Services: SMB/Windows Admin Shares | T1021.002 | Conti ransomware can spread via SMB and encrypt files on different hosts, potentially compromising an entire network. |
| Lateral Movement | Taint Shared Content | T1080 | Conti ransomware can spread itself by infecting other remote machines via network shared drives. |
| Impact | Data Encrypted for Impact | T1486 | Conti ransomware can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding files with the extensions .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RSA-4096 public encryption key that is unique for each victim. Conti ransomware can use the Windows Restart Manager to ensure files are unlocked and open for encryption. |
| Impact | Service Stop | T1489 | Conti ransomware can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop. |
| Impact | Inhibit System Recovery | T1490 | Conti ransomware can delete Windows Volume Shadow Copies using vssadmin. |
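The Impact rows (T1489 Service Stop via `net stop`, T1490 Inhibit System Recovery via `vssadmin`) are the most directly observable in host telemetry. The following detector is an added example, not part of the advisory and not Conti or CISA code: it reads constructed process-creation records in a Sysmon Event ID 1 style (`timestamp|host|image|commandline`), flags any `vssadmin delete shadows` invocation, and flags a host that issues a burst of `net stop` commands inside a short window, which is the pattern the "up to 146 services" behaviour produces. The record format, the regexes, the 5-in-60-seconds threshold and all sample events are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real incident data): Sysmon-style process creations.
# Fields: timestamp|host|image|commandline
SAMPLE_EVENTS = """\
2021-09-20T10:00:01Z|HOST-A|C:\\Windows\\System32\\net.exe|net stop SQLWriter /y
2021-09-20T10:00:02Z|HOST-A|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
2021-09-20T10:00:02Z|HOST-A|C:\\Windows\\System32\\net.exe|net stop VeeamBackupSvc /y
2021-09-20T10:00:03Z|HOST-A|C:\\Windows\\System32\\net.exe|net stop MSExchangeIS /y
2021-09-20T10:00:03Z|HOST-A|C:\\Windows\\System32\\net.exe|net stop WinDefend /y
2021-09-20T10:00:05Z|HOST-A|C:\\Windows\\System32\\vssadmin.exe|vssadmin delete shadows /all /quiet
2021-09-20T11:30:00Z|HOST-B|C:\\Windows\\System32\\net.exe|net stop Spooler
2021-09-20T12:00:00Z|HOST-B|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

# "net stop <service>" (also net1.exe, which net.exe hands off to); captures the service name.
NET_STOP_RE = re.compile(r"^\s*net(?:1)?(?:\.exe)?\s+stop\s+(\S+)", re.IGNORECASE)
# Shadow copy deletion through vssadmin (T1490). "vssadmin list shadows" is benign and not matched.
VSS_DELETE_RE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.IGNORECASE)


def parse_events(text):
    """Parse the pipe-delimited records into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, image, cmd = line.split("|", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "image": image,
            "cmd": cmd,
        })
    return events


def detect(events, burst_threshold=5, window=timedelta(seconds=60)):
    """Return alerts tagged with the ATT&CK technique they correspond to.

    T1490: any vssadmin shadow-copy deletion.
    T1489: >= burst_threshold 'net stop' commands from one host within `window`
           (a single 'net stop' is routine administration and is not alerted on).
    """
    alerts = []
    stops = defaultdict(list)  # host -> [(timestamp, service name), ...]

    for ev in sorted(events, key=lambda e: e["ts"]):
        if VSS_DELETE_RE.search(ev["cmd"]):
            alerts.append({"technique": "T1490", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["cmd"]})
        m = NET_STOP_RE.match(ev["cmd"])
        if m:
            stops[ev["host"]].append((ev["ts"], m.group(1)))

    # Sliding window over each host's net stop commands; one alert per host per burst.
    for host, items in stops.items():
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= burst_threshold:
                services = ", ".join(name for _, name in items[start:end + 1])
                alerts.append({"technique": "T1489", "host": host, "ts": items[end][0],
                               "detail": f"{count} 'net stop' commands within "
                                         f"{int(window.total_seconds())}s: {services}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert["technique"], alert["host"], alert["ts"].isoformat(), "-", alert["detail"])
```

On the sample data HOST-A raises both a T1489 burst alert (five service stops in two seconds, naming database, backup, mail and security services) and a T1490 alert, while HOST-B's lone `net stop Spooler` and `vssadmin list shadows` stay quiet. In production the same two signals are best correlated: a shadow-copy deletion arriving seconds after a service-stop burst on the same host is a stronger indicator than either alone.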