Another #ContiLeaks 🧵This one should be smaller 😂 In the rocketchat logs, a channel "manuals_team_c" contained 16 procedures from reconnaissance to exfiltration. I translated (with the help of @sys6x) them, here they are: github.com/Res260/conti_2…
INITIAL ACTIONS
This one details the general ideas and the steps most cases will require. Reconnaissance using AD, enum shares, privesc, creds dumping using known techniques, etc. I found interesting that they inject a TLS listener. I wonder if it yields good results.
USEFUL COMMANDS
This one details how to take control of a host, presumably from the trickbot/bazar botnet console, and a lot of frequent commands. Those are small cmds, but we'll see that they have some longer cmds as well. Also mention the need to find the NAS to delete backups
WHAT KIND OF INFO
For the double extortion, conti looks for finance, accounting, clients information. The procedure details that they use rclone.exe to exfiltrate to mega (mega.nz). This contains good commands to watch for as defenders, but it's already late.
HOW TO JUMP THROUGH PAYLOAD SESSIONS
Many specific commands as well. One thing that I see a lot in these procedures is that they LOVE to write to the root of C:\ProgramData.
How to sort the collected AD data from the network
I am not quite sure what the scope of this procedure is. Is it supposed to be on an operator's machine or on the victim's machine?
Extract IPv4s
Simple procedure to extract IPv4 from a specific txt file. "res.txt" is mentionned in a later procedure. Very straightforward
Dump and exfiltrate NTDS

Another one with commands that could be watched by blue teams. The thing with procedures is that it allows the ransomware group to scale their operation easily, but it also introduces predictability that defenders can use. Dump NTDS.dit --> 7z --> exfil
Installing Metasploit on VPS

Pretty simple one, I could use it myself when I need to setup metasploit 🤠
Adding firewall rules
I'm not quite sure what's the point of changing the RDP port, but you do you conti
Access ShadowProtect (@StorageCraft) backups
One of my favourite, because it's very complete. You really feel that the person who wrote this gave a lot of effort in finding and deleting these backups 😂 It also goes to show their thinking process quite clearly.
Using Anydesk to maintain persistance
This one is a good example of "commands that will probably be reused as-is without bothering to change the account name and password" :)
Exfiltrate from database
A lot of MSSQL (I think?) commands to quickly figure out what kind of data we're dealing with, who uses the database, and exfiltrate the good stuff. Pretty well documented
Scraping users from AD
The documentation says that it's important to try to find admin accounts and machines, because it's an efficient way to find powerful accounts. Once again, the use of C:\ProgramData is a bit weird but I'll take bad opsec from conti any day of the week 🎉
This is how we ping hosts
The last one, I like it very much because of it's simplicity 🤗 p.bat is a file given by conti to operators. Also, here is the "res.txt" file I mentionned earlier. Please note that my twitter username has nothing to do with conti 😂
When writing this thread, I realised that these procedures, as well as the tools they mention, were leaked this summer. Have a read if you want! blog.cyble.com/2021/08/06/con…
There is a lot more documentation that was leaked, @vxunderground has a copy of it in russian here: share.vx-underground.org/Conti/Conti%20…

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Émilio Gonzalez @res260@infosec.exchange

Émilio Gonzalez @res260@infosec.exchange Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @res260

Mar 4, 2022
#ContiLeak 🧵! This time, management/developpers documentation 📄
CODING PRINCIPLES
Those are surprisingly good principles. "The wrong choice will grow in the code forever!" ✅✅✅✅✅ FACTS
GIT POLICY
Like all of us, they use git for all the good reasons :) Perhaps the most interesting thing is that they actually track issues in an "accounting system" with ticket numbers (3rd image). JIRA USERS REJOICE, IF CRIMINALS DO IT IT MUST BE USEFUL🎉🎉🎉🎉
Read 10 tweets
Feb 28, 2022
So, Conti chat logs were leaked, I got my hand on a google-translated version of it, I'll document what I found interesting 🧵
March 2021: They tried to get ahold of a @vmw_carbonblack license, detailing their roadblocks and options: Image
Conti "employees" are in fact employees and request days off and maintain non-profesionnal (or, to the very least, friendly) relationships with colleagues ImageImage
Read 72 tweets

Did Thread Reader help you today?

Support us! We are indie developers!


This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

:(