MITRE ATT&CK tactics and techniques used in Conti attacks:

Initial Access
T1566 - Phishing
T1190 - Exploit Public-Facing Application

Execution
T1106 - Execution through API (renamed Native API in ATT&CK v7)
T1059.003 - Command and Scripting Interpreter: Windows Command Shell
T1047 - Windows Management Instrumentation
T1204 - User Execution
T1053.005 - Scheduled Task/Job: Scheduled Task

Persistence
T1053.005 - Scheduled Task/Job: Scheduled Task

Privilege Escalation
T1078.002 - Valid Accounts: Domain Accounts

Discovery
T1083 - File and Directory Discovery
T1018 - Remote System Discovery
T1057 - Process Discovery
T1016 - System Network Configuration Discovery
T1069.002 - Permission Groups Discovery: Domain Groups
T1082 - System Information Discovery
T1033 - System Owner/User Discovery
T1012 - Query Registry
T1063 - Security Software Discovery (since deprecated and folded into T1518.001)

Credential Access
T1003 - OS Credential Dumping
T1555 - Credentials from Password Stores
T1552 - Unsecured Credentials

Lateral Movement
T1570 - Lateral Tool Transfer
T1021.002 - Remote Services: SMB/Windows Admin Shares

Defense Evasion
T1562.001 - Impair Defenses: Disable or Modify Tools
T1140 - Deobfuscate/Decode Files or Information
T1055 - Process Injection

Command and Control
T1071 - Application Layer Protocol
T1219 - Remote Access Software

Exfiltration
T1567.002 - Exfiltration Over Web Service: Exfiltration to Cloud Storage

Impact
T1486 - Data Encrypted for Impact
T1489 - Service Stop
T1490 - Inhibit System Recovery
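A technique mapping like the one above is most useful when it is wired into telemetry. The following Python script is an added example, not code from the original article or from any Conti analysis: it applies a handful of command-line detection rules, each tagged with a technique ID from the mapping, to Windows process-creation events (Sysmon Event ID 1 or Security 4688 style), then flags hosts on which several of those techniques fire together, which is the pattern that distinguishes a ransomware deployment chain from an isolated admin command. The regex patterns, host names, user names and events are illustrative assumptions about how these techniques commonly surface in process telemetry; they are not the article's IOCs and are not claimed to be Conti's exact command lines.

```python
import re
from dataclasses import dataclass

# Detection rules: (technique ID from the mapping above, description, regex over the command line).
# The command-line patterns are assumptions about how these techniques commonly appear in
# process-creation telemetry; they are illustrative, not Conti's actual command lines.
RULES = [
    ("T1053.005", "Scheduled task created",
     re.compile(r"\bschtasks(\.exe)?\b.*\s/create\b", re.I)),
    ("T1047", "WMI used to spawn a process",
     re.compile(r"\bwmic(\.exe)?\b.*\bprocess\s+call\s+create\b", re.I)),
    ("T1490", "Shadow copies deleted or recovery disabled",
     re.compile(r"(\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b)"
                r"|(\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b)"
                r"|(\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b)", re.I)),
    ("T1489", "Service stopped",
     re.compile(r"(\bnet1?(\.exe)?\s+stop\b)|(\bsc(\.exe)?\s+stop\b)", re.I)),
    ("T1021.002", "Admin share accessed over SMB",
     re.compile(r"\\\\[^\\\s]+\\(ADMIN|C)\$", re.I)),
    ("T1562.001", "Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]


@dataclass
class Event:
    """One process-creation event, reduced to the fields the rules need."""
    host: str
    user: str
    image: str
    command_line: str


# Constructed sample events (hypothetical hosts, users and paths), not real telemetry.
SAMPLE_EVENTS = [
    Event("WS01", "CORP\\alice", "C:\\Windows\\System32\\schtasks.exe",
          "schtasks /query /fo LIST"),
    Event("FS02", "CORP\\svc_backup", "C:\\Windows\\System32\\schtasks.exe",
          'schtasks /create /tn "Update" /tr "C:\\ProgramData\\u.exe" /sc minute /mo 1 /ru SYSTEM'),
    Event("FS02", "CORP\\svc_backup", "C:\\Windows\\System32\\vssadmin.exe",
          "vssadmin delete shadows /all /quiet"),
    Event("FS02", "CORP\\svc_backup", "C:\\Windows\\System32\\net.exe",
          'net stop "SQL Server (MSSQLSERVER)" /y'),
    Event("FS02", "CORP\\svc_backup", "C:\\Windows\\System32\\cmd.exe",
          "cmd /c copy C:\\ProgramData\\u.exe \\\\WS03\\ADMIN$\\u.exe"),
    Event("WS03", "CORP\\bob", "C:\\Windows\\System32\\wbem\\WMIC.exe",
          'wmic /node:WS04 process call create "cmd /c C:\\Windows\\u.exe"'),
]


def classify(event):
    """Return the list of (technique_id, description) rules that match one event."""
    return [(tid, desc) for tid, desc, rx in RULES if rx.search(event.command_line)]


def triage(events, min_distinct=2):
    """Collect matched technique IDs per host and flag hosts where at least
    min_distinct different techniques fired; one hit alone is weak evidence,
    several in combination look like a ransomware deployment chain."""
    per_host = {}
    for ev in events:
        hits = classify(ev)
        if hits:
            per_host.setdefault(ev.host, set()).update(tid for tid, _ in hits)
    summary = {host: sorted(tids) for host, tids in per_host.items()}
    flagged = sorted(host for host, tids in per_host.items() if len(tids) >= min_distinct)
    return summary, flagged


if __name__ == "__main__":
    summary, flagged = triage(SAMPLE_EVENTS)
    for host, tids in summary.items():
        print(f"{host}: {', '.join(tids)}")
    print("flagged hosts:", flagged)
```

Two caveats a practitioner would tune immediately: backup agents and storage admins legitimately run vssadmin and net stop, so the T1490 and T1489 rules need allow-lists on user and parent image before they are alerting-grade, and a host-level correlation window (minutes, not the whole day) keeps unrelated admin activity from being counted as one chain.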
Security teams can also watch for the malware, tools, and exploits typically used in Conti attacks, grouped by attack phase:
|Initial Entry|Execution|Discovery|Privilege Escalation|Credential Access|Lateral Movement|Defense Evasion|Exfiltration|Command and Control|
To help defend systems against similar threats, organizations can establish security frameworks that allocate resources systematically toward a solid defense against ransomware.
Here are some best practices that can be included in these frameworks:
A multilayered approach helps organizations guard the possible entry points into the system (endpoint, email, web, and network). Security solutions that detect malicious components and suspicious behavior at each of these layers help protect enterprises.
The IOCs for this article can be found here.
Actual indicators might vary per attack.