Conti TTPs using Atomic Red Team and Detection Lab & C2 Infrastructure Hunting

Agenda

• Conti C2 Infrastructure Analysis (Cobalt Strike and Metasploit).
• Conti TTPs in Assumed Breach Scenario.
• Adversary Emulation (Conti TTPs) using Atomic Red Team and Detection Lab (T1033.001: Credential Dumping: LSASS Memory).
• Summary and things to consider.

Conti C2 Infrastructure Analysis (Cobalt Strike and Metasploit)

Most of the Conti C2 (other threat actors as well) infrastructure is/was widely exposed on the Internet and could be identified before the attacks happen. This is because the adversaries have either limited knowledge about Opsec, don’t really care about being spotted, or don’t have enough time to spend on hardening C2 infrastructure.

After the Conti leak, I scanned the subnets of 162.244.80.1/24, and I managed to identify other possibly related to the group Cobalt Strike C2 infrastructure with almost identical server patterns and beacon configs (rundll32.exe, dllhost.exe, jQuery, subnets, open ports, etc).

We can see at least two patterns in the spreadsheet below (jQuery Malleable profiles and subnets).