TTP Tuesday: Conti (Release 1)

Recon and Initial Access

Jan 11, 2022

Theme Overview

11 January 2022

We are kicking off a new theme this week focusing on Conti ransomware. We have released some Conti TTPs previously, but plan to expand it to include an entire adversary attack from beginning to end. The Conti theme will contain the following kill-chains:

Recon and Initial Access (Current Release)
Local and Remote Discovery
Gain privileges and persist
Move to remote systems
Data collection and exfiltration
Deploy ransomware

Recon and Initial Access

Conti is considered Ransomware-as-a-Service (RaaS) and has an elaborate chain of events from initial access to execution of the ransomware. For this week, we are focusing on the initial access. Conti tends to use three methods to gain initial access; spearphishing, weak RDP credentials, and search engine promoted application installs. We are specifically focusing on spearphishing to gain initial access. In this chain, we use Pneuma agent as a stager then open both a phishing email and malicious PDF which will execute Jambi as our Conti agent moving forward.

Check it out on the Prelude chains website.

Watch a demonstration:

Next week, we will be releasing the next step in the Conti adversary, local and remote discovery.

Staying up to date

Thanks for reading our first, new TTP Tuesday release! Please subscribe and reach out with any feedback. We love to hear from our community!

There are several ways to follow us and learn more about Prelude and our team members:

Get our products

Download Prelude Operator: https://www.prelude.org/download
See the latest kill chain and TTP Releases: https://chains.prelude.org/
See our open-source repositories: https://github.com/preludeorg

f33d by Prelude

TTP Tuesday: Conti (Release 1)

Recon and Initial Access

Theme Overview

11 January 2022

Recon and Initial Access

Staying up to date

Get our products

Join our community

Read, watch, and listen

Follow our team