Conti TTPs using Atomic Red Team and Detection Lab & C2 Infrastructure Hunting

Michael Koczwara
7 min read · Aug 26, 2021

Agenda

  • Conti C2 Infrastructure Analysis (Cobalt Strike and Metasploit).
  • Conti TTPs in Assumed Breach Scenario.
  • Adversary Emulation (Conti TTPs) using Atomic Red Team and Detection Lab (T1033.001: Credential Dumping: LSASS Memory).
  • Summary and things to consider.

Conti C2 Infrastructure Analysis (Cobalt Strike and Metasploit)

Most of the Conti C2 infrastructure (and that of other threat actors as well) is, or was, widely exposed on the Internet and could be identified before the attacks happened. This is because the adversaries either have limited knowledge of OPSEC, don't really care about being spotted, or don't have enough time to spend on hardening their C2 infrastructure.

After the Conti leak, I scanned the 162.244.80.1/24 subnet and managed to identify other Cobalt Strike C2 infrastructure possibly related to the group, with almost identical server patterns and beacon configs (rundll32.exe, dllhost.exe, jQuery, subnets, open ports, etc.).

We can see at least two patterns in the spreadsheet below (jQuery Malleable profiles and subnets).

Obviously, adversaries can use any other Malleable profiles so jQuery should not be attributed only to the Conti group. However, I found the pattern quite interesting.

Conti Cobalt Strike C2 beacon configs example:

HTTP/1.1  404 Not Found
Server: Apache
Content-Length: 0
Keep-Alive…
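To turn the two patterns described above (the jQuery-profile beacon response shown in the config example and the 162.244.80.1/24 subnet) into a repeatable hunting check, here is an added Python triage script. It is not code from the original post; it parses a raw HTTP response, counts how many of the three header indicators visible in the example above are present (404 status, bare "Server: Apache", "Content-Length: 0"), and checks whether the responding IP sits in the watched subnet. The sample responses, the Keep-Alive header value, and the verdict thresholds are constructed assumptions for illustration.

```python
import ipaddress
import re

# Subnet the post reports scanning; strict=False normalises 162.244.80.1/24
# to the network 162.244.80.0/24 (hosting-provider ranges are noisy, so this
# is only one signal, never a verdict on its own).
WATCHED_SUBNETS = [ipaddress.ip_network("162.244.80.1/24", strict=False)]


def parse_http_response(raw: str) -> dict:
    """Parse the status line and headers of a raw HTTP response text.

    Returns {"status": int | None, "headers": {lowercased-name: value}}.
    Header names are lowercased so matching is case-insensitive.
    """
    lines = raw.strip().splitlines()
    match = re.match(r"HTTP/\d\.\d\s+(\d{3})", lines[0]) if lines else None
    status = int(match.group(1)) if match else None
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return {"status": status, "headers": headers}


def score_response(parsed: dict) -> list:
    """Return the indicators from the post's beacon example that matched."""
    hits = []
    if parsed["status"] == 404:
        hits.append("status_404")
    # A bare 'Apache' with no version string is what the example shows.
    if parsed["headers"].get("server", "").lower() == "apache":
        hits.append("server_apache_bare")
    if parsed["headers"].get("content-length") == "0":
        hits.append("content_length_0")
    return hits


def in_watched_subnet(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in WATCHED_SUBNETS)


def triage(ip: str, raw: str) -> dict:
    """Combine header indicators and subnet membership into a review verdict.

    Thresholds are an assumption: all three header hits -> 'review';
    all three plus the watched subnet -> 'high'; anything else -> 'low'.
    """
    hits = score_response(parse_http_response(raw))
    subnet = in_watched_subnet(ip)
    if len(hits) == 3 and subnet:
        verdict = "high"
    elif len(hits) == 3:
        verdict = "review"
    else:
        verdict = "low"
    return {"ip": ip, "indicators": hits, "watched_subnet": subnet, "verdict": verdict}


# Constructed sample responses (not captured from any real server).
SAMPLE_SUSPECT = """HTTP/1.1  404 Not Found
Server: Apache
Content-Length: 0
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
"""

SAMPLE_BENIGN = """HTTP/1.1 200 OK
Server: nginx/1.18.0
Content-Type: text/html
Content-Length: 612
"""

if __name__ == "__main__":
    for ip, raw in [("162.244.80.10", SAMPLE_SUSPECT),
                    ("203.0.113.5", SAMPLE_SUSPECT),
                    ("162.244.80.10", SAMPLE_BENIGN)]:
        print(triage(ip, raw))
```

In practice the raw responses would come from a scanner's export (or a fetch of the root path of each candidate host), and the verdicts would feed a review queue rather than a blocklist: as the post notes, jQuery profiles and Apache-style 404s are not unique to Conti, so the script only ranks candidates for an analyst to confirm.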
