TTP Tuesday: Conti (Release 4)

Move to remote systems

Feb 03, 2022

Theme Overview

1 February 2022

We're releasing the fourth installment of our Conti ransomware theme with new TTPs focused on Windows lateral-movement using live off the land techniques. To date, our Conti theme now contains the following kill-chains:

Recon and Initial Access
Local and Remote Discovery
Gain privileges and persist
Move to remote systems (Current Release)
Data collection and exfiltration
Deploy ransomware

Move To Remote Systems

This chain performs lateral movement within the domain. First, we check for all hosts on the domain. After selecting a target, we then enable access to the target's storage resources. We then move the agent executable from our current host to the target host. Finally, we execute the agent on the target host performing lateral movement within the domain. This chain does have a user custom fact for the target host information which you can provide in the facts section, or you can modify the TTP itself removing #{target.host} and providing the information manually.

Check it out on the Prelude chains website.

Watch a demonstration:

We have 2 more weeks to go in our Conti theme providing you with an entire Conti adversary attack from beginning to end.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

f33d by Prelude

Discussion about this post