Deep-dive analysis, threat hunting, active response
Conti Ransomware ATT&CK Signatures:
1. Initial access: phishing; remote desktop exploit; unpatched systems.
2. Execution: Windows command line; API calls.
3. Persistence: stolen account credentials; external connections (e.g., VPN or Citrix).
4. Privilege escalation: encrypted DLL injection.
5. Defense evasion: encryption; obfuscation.
6. Credential access: Mimikatz or other.
7. Discovery: enumerates network connections; retrieves ARP cache.
8. Lateral movement: taints network shared drives; spreads via SMB.
9. C&C: hard-coded IPs via HTTP.
10. Collection & exfil: 7Zip & WinSCP to cloud.
11. Impact: AES-256-bit encryption.
12. Impact: stops 146 Windows services related to security and backups using net stop.
13. Impact: deletes Windows Volume Shadow Copies using vssadmin.
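The two impact-stage behaviours at the end of the list (mass service stops via net stop, shadow copy deletion via vssadmin) are the ones a threat hunter can most easily turn into detection logic over process-creation telemetry. The script below is an added example written for this page, not code from the slide deck or from any vendor tool. It assumes a constructed pipe-delimited event format (timestamp, host, user, image, command line), the service-name hints and the burst window/threshold are tuning assumptions, and the ATT&CK technique labels in the findings are my own mapping.

```python
"""Hunt for Conti-style impact behaviour in process-creation events.

Two signals from the slide's signature list:
  - shadow copy deletion:  vssadmin delete shadows ...
  - mass service stops:    a burst of `net stop <security/backup service>`
"""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    ts: int        # epoch seconds (constructed sample data)
    host: str
    user: str
    image: str     # process image path
    cmdline: str   # full command line as logged


# Substrings that mark a service as security- or backup-related.
# Assumption for illustration; tune to the services in your own estate.
SECURITY_BACKUP_HINTS = ("defend", "backup", "veeam", "sql", "acronis", "antivirus", "sophos")

# vssadmin delete shadows, with or without the .exe suffix, any case.
VSSADMIN_DELETE_RE = re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I)
# net stop <service>, optional quotes around the name, optional trailing /y.
NET_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"/]+?)"?\s*(?:/y)?\s*$', re.I)


def parse_line(line):
    """Parse one 'ts|host|user|image|cmdline' record (assumed log format)."""
    ts, host, user, image, cmdline = line.rstrip("\n").split("|", 4)
    return ProcEvent(int(ts), host, user, image, cmdline)


def shadow_copy_deletions(events):
    """Every event whose command line deletes Volume Shadow Copies."""
    return [e for e in events if VSSADMIN_DELETE_RE.search(e.cmdline)]


def stopped_services(events):
    """Map host -> [(ts, service_name)] for each net stop observed."""
    out = defaultdict(list)
    for e in events:
        m = NET_STOP_RE.search(e.cmdline)
        if m:
            out[e.host].append((e.ts, m.group(1).strip()))
    return out


def service_stop_bursts(events, window=60, threshold=3):
    """Hosts where >= threshold security/backup services were stopped within
    `window` seconds. A single stop is routine admin work; a burst is not."""
    hits = {}
    for host, stops in stopped_services(events).items():
        relevant = sorted((ts, svc) for ts, svc in stops
                          if any(h in svc.lower() for h in SECURITY_BACKUP_HINTS))
        for i in range(len(relevant)):
            j = i
            while j < len(relevant) and relevant[j][0] - relevant[i][0] <= window:
                j += 1
            if j - i >= threshold:
                hits[host] = [svc for _, svc in relevant[i:j]]
                break
    return hits


def assess(events):
    """Combine both signals into (host, technique, detail) findings."""
    findings = []
    for e in shadow_copy_deletions(events):
        findings.append((e.host, "T1490 Inhibit System Recovery", e.cmdline))
    for host, svcs in service_stop_bursts(events).items():
        findings.append((host, "T1489 Service Stop", ", ".join(svcs)))
    return findings


# Constructed sample telemetry: WS-01 shows the Conti pattern, SRV-02 is benign.
SAMPLE_LOG = """\
1700000000|WS-01|CORP\\alice|C:\\Windows\\System32\\net.exe|net stop "Print Spooler"
1700000010|WS-01|CORP\\alice|C:\\Windows\\System32\\net.exe|net stop "Windows Defender Service" /y
1700000012|WS-01|CORP\\alice|C:\\Windows\\System32\\net.exe|net stop VeeamBackupSvc /y
1700000015|WS-01|CORP\\alice|C:\\Windows\\System32\\net.exe|net stop MSSQLSERVER /y
1700000020|WS-01|CORP\\alice|C:\\Windows\\System32\\vssadmin.exe|vssadmin.exe delete shadows /all /quiet
1700000100|SRV-02|CORP\\svc_backup|C:\\Windows\\System32\\net.exe|net stop VeeamBackupSvc
1700000200|SRV-02|CORP\\svc_backup|C:\\Windows\\System32\\vssadmin.exe|vssadmin list shadows
"""

if __name__ == "__main__":
    for host, technique, detail in assess([parse_line(l) for l in SAMPLE_LOG.splitlines()]):
        print(f"{host}: {technique}: {detail}")
```

The burst logic deliberately ignores unrelated services (the Print Spooler stop on WS-01 is not counted) and requires several security/backup stops within a short window, so a lone scheduled Veeam restart on SRV-02 does not fire. Shadow copy deletion is flagged on a single event, since there is rarely a benign reason for it on a workstation.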
MITRE ATT&CK Framework / Cyber Kill Chain