f33d by Prelude

Share this post
TTP Tuesday: Conti (Release 4)
feed.prelude.org

TTP Tuesday: Conti (Release 4)

Move to remote systems

Kristopher Willis (Xanthonus)
Feb 3
Comment
Share

Theme Overview

1 February 2022

We're releasing the fourth installment of our Conti ransomware theme with new TTPs focused on Windows lateral-movement using live off the land techniques. To date, our Conti theme now contains the following kill-chains:

  1. Recon and Initial Access

  2. Local and Remote Discovery

  3. Gain privileges and persist

  4. Move to remote systems (Current Release)

  5. Data collection and exfiltration

  6. Deploy ransomware

Move To Remote Systems

This chain performs lateral movement within the domain. First, we check for all hosts on the domain. After selecting a target, we then enable access to the target's storage resources. We then move the agent executable from our current host to the target host. Finally, we execute the agent on the target host performing lateral movement within the domain. This chain does have a user custom fact for the target host information which you can provide in the facts section, or you can modify the TTP itself removing #{target.host} and providing the information manually.

Check it out on the Prelude chains website.

Watch a demonstration:

We have 2 more weeks to go in our Conti theme providing you with an entire Conti adversary attack from beginning to end.

Staying up to date

Thanks for reading our latest TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download/current
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

Join our community

Discord: https://discord.gg/gzUv4XNquu
Reddit: https://www.reddit.com/r/preludeorg/
Twitter: https://twitter.com/preludeorg

Read, watch, and listen

Listen to our Podcast: https://anchor.fm/preludeorg
Read our blog: https://feed.prelude.org
Watch our live streams: https://www.twitch.tv/preludeorg
Watch our pre-recorded content: https://www.youtube.com/channel/UCZyx-PDZ_k7Vuzyqr4-qK9A

Follow our team

David: https://twitter.com/privateducky
Alex: https://twitter.com/khyberspache
Kris: https://twitter.com/Xanthonus
Octavia: https://twitter.com/VV_X_7
Sam: https://twitter.com/wasupwithuman

CommentComment
ShareShare

Create your profile

0 subscriptions will be displayed on your profile (edit)

Skip for now

Only paid subscribers can comment on this post

Already a paid subscriber? Sign in

Check your email

For your security, we need to re-authenticate you.

Click the link we sent to , or click here to sign in.

TopNewCommunity

No posts

Ready for more?

© 2022 Prelude Research, Inc.
Privacy ∙ Terms ∙ Collection notice
Publish on Substack Get the app
Substack is the home for great writing