conti

T1078.002Valid Accounts: Domain Accounts

Use of credentials purchased via Initial Access Brokers or harvested through prior compromises.

T1190Exploit Public-Facing Application

Exploitation of Log4Shell (CVE-2021-44228), ProxyShell, and Fortinet vulnerabilities to gain initial access to victim networks.

T1566.001Phishing: Spearphishing Attachment

Conti extensively uses BazarLoader and TrickBot delivered via spear-phishing emails with malicious Office document attachments containing macros.

T1047Windows Management Instrumentation

WMI leveraged for remote command execution across victim infrastructure.

T1059.001Command and Scripting Interpreter: PowerShell

PowerShell used extensively for payload deployment, Cobalt Strike beacon staging, and post-exploitation activity.

T1136.002Create Account: Domain Account

New domain accounts created for persistent access and to facilitate lateral movement with elevated privileges.

T1547.001Boot or Logon Autostart Execution: Registry Run Keys

Registry Run keys used to maintain persistence of backdoor tools across reboots.

T1068Exploitation for Privilege Escalation

Exploitation of PrintNightmare (CVE-2021-34527) and ZeroLogon (CVE-2020-1472) to escalate to SYSTEM or Domain Admin.

T1218.011Signed Binary Proxy Execution: Rundll32

Rundll32 used to execute malicious DLLs and evade application control.

T1562.001Disable or Modify Tools

Windows Defender, AV products, and EDR tools disabled via PowerShell, registry modification, or Group Policy Objects.

T1003.001OS Credential Dumping: LSASS Memory

Mimikatz used to dump LSASS memory for credential harvesting across compromised hosts.

T1003.003OS Credential Dumping: NTDS

Active Directory NTDS.dit extracted to obtain all domain account password hashes.

T1046Network Service Discovery

Network scanning using Nmap, SoftPerfect Network Scanner, and custom scripts to enumerate the internal network.

T1482Domain Trust Discovery

BloodHound used to enumerate Active Directory and identify attack paths to high-value targets.

T1021.001Remote Services: Remote Desktop Protocol

RDP used for lateral movement using harvested credentials across the victim network.

T1021.002Remote Services: SMB/Windows Admin Shares

PsExec used to deploy Cobalt Strike beacons and the ransomware payload across the network.

T1005Data from Local System

Sensitive documents, financial records, and PII collected from compromised hosts prior to encryption.

T1560.001Archive Collected Data: Archive via Utility

7-Zip used to compress and archive stolen data for exfiltration.

T1567.002Exfiltration Over Web Service: Exfiltration to Cloud Storage

Rclone used to exfiltrate stolen data to MEGA and other cloud storage providers as part of the double extortion model.

T1071.001Application Layer Protocol: Web Protocols

Cobalt Strike beacons communicate via HTTPS to actor-controlled team servers for C2 operations.

T1219Remote Access Software

AnyDesk and Atera agent installed as persistent backdoors for remote access.

T1486Data Encrypted for Impact

Conti ransomware uses ChaCha20 for file encryption with RSA-4096 for key protection. Multi-threaded encryption leverages up to 32 simultaneous threads for rapid encryption. Operates as RaaS.

T1490Inhibit System Recovery

Volume Shadow Copies deleted via vssadmin and wmic; Windows Backup Catalog deleted; recovery mode disabled via bcdedit.