Émilio Gonzalez @res260@infosec.exchange Profile picture
Cybersecurity blue team analyst with a strong interest in DFIR, red teaming, Windows, automating stuff and urbanism. YIMBY. Mastodon: @res260@infosec.exchange

Mar 3, 2022, 17 tweets

Another #ContiLeaks 🧵This one should be smaller 😂 In the rocketchat logs, a channel "manuals_team_c" contained 16 procedures from reconnaissance to exfiltration. I translated (with the help of @sys6x) them, here they are: github.com/Res260/conti_2…

INITIAL ACTIONS
This one details the general ideas and the steps most cases will require. Reconnaissance using AD, enum shares, privesc, creds dumping using known techniques, etc. I found interesting that they inject a TLS listener. I wonder if it yields good results.

USEFUL COMMANDS
This one details how to take control of a host, presumably from the trickbot/bazar botnet console, and a lot of frequent commands. Those are small cmds, but we'll see that they have some longer cmds as well. Also mention the need to find the NAS to delete backups

WHAT KIND OF INFO
For the double extortion, conti looks for finance, accounting, clients information. The procedure details that they use rclone.exe to exfiltrate to mega (mega.nz). This contains good commands to watch for as defenders, but it's already late.

HOW TO JUMP THROUGH PAYLOAD SESSIONS
Many specific commands as well. One thing that I see a lot in these procedures is that they LOVE to write to the root of C:\ProgramData.

How to sort the collected AD data from the network
I am not quite sure what the scope of this procedure is. Is it supposed to be on an operator's machine or on the victim's machine?

Extract IPv4s
Simple procedure to extract IPv4 from a specific txt file. "res.txt" is mentionned in a later procedure. Very straightforward

Dump and exfiltrate NTDS

Another one with commands that could be watched by blue teams. The thing with procedures is that it allows the ransomware group to scale their operation easily, but it also introduces predictability that defenders can use. Dump NTDS.dit --> 7z --> exfil

Installing Metasploit on VPS

Pretty simple one, I could use it myself when I need to setup metasploit 🤠

Adding firewall rules
I'm not quite sure what's the point of changing the RDP port, but you do you conti

Access ShadowProtect (@StorageCraft) backups
One of my favourite, because it's very complete. You really feel that the person who wrote this gave a lot of effort in finding and deleting these backups 😂 It also goes to show their thinking process quite clearly.

Using Anydesk to maintain persistance
This one is a good example of "commands that will probably be reused as-is without bothering to change the account name and password" :)

Exfiltrate from database
A lot of MSSQL (I think?) commands to quickly figure out what kind of data we're dealing with, who uses the database, and exfiltrate the good stuff. Pretty well documented

Scraping users from AD
The documentation says that it's important to try to find admin accounts and machines, because it's an efficient way to find powerful accounts. Once again, the use of C:\ProgramData is a bit weird but I'll take bad opsec from conti any day of the week 🎉

This is how we ping hosts
The last one, I like it very much because of it's simplicity 🤗 p.bat is a file given by conti to operators. Also, here is the "res.txt" file I mentionned earlier. Please note that my twitter username has nothing to do with conti 😂

When writing this thread, I realised that these procedures, as well as the tools they mention, were leaked this summer. Have a read if you want! blog.cyble.com/2021/08/06/con…

There is a lot more documentation that was leaked, @vxunderground has a copy of it in russian here: share.vx-underground.org/Conti/Conti%20…

Share this Scrolly Tale with your friends.

A Scrolly Tale is a new way to read Twitter threads with a more visually immersive experience.
Discover more beautiful Scrolly Tales like this.

Keep scrolling