{
	"id": "415f811e-e8bc-4fa0-95b7-19d0b66612a6",
	"created_at": "2026-04-06T00:17:43.273591Z",
	"updated_at": "2026-04-10T13:12:23.991753Z",
	"deleted_at": null,
	"sha1_hash": "10bcb9950d1add107237601c423ea848298a1788",
	"title": "Attack Graph Emulating the Conti Ransomware Team’s Behaviors",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1296063,
	"plain_text": "Attack Graph Emulating the Conti Ransomware Team’s Behaviors\r\nBy AttackIQ Adversary Research Team\r\nPublished: 2022-06-16 · Archived: 2026-04-05 23:51:26 UTC\r\nSectors targeted: healthcare; indiscriminate\r\nModern cybercriminal syndicates are complex organizations. They are often comprised of merged groups, some have subsidiary organizations within them, they perform a diverse set of operations, and, in the case of Russia-based cybercriminals, often maintain a shadowy affiliation with the Russian government’s intelligence services.\r\nSince April 2017, the Russian-aligned Conti ransomware-as-a-service (RaaS) operation has been one of the most aggressive and successful ransomware operations, compromising and extorting over 1,000 victims with payouts exceeding $150-180 million USD according to the FBI as of January 2022, leading them to deem it the costliest ransomware strain ever documented. Other sources, however, put their take closer to $2.7B USD, depending on crypto trading price volatility at various times and the number of known wallets counted.\r\nOn May 19, 2022, the Conti operation officially disbanded, taking down key infrastructure and informing their team leaders that the brand no longer existed. There were indications of a possible breakup beginning late 2021 after Conti’s acquisition of the TrickBot malware and operation team, the plans to swap TrickBot with the stealthier BazarBackdoor malware, and then the ransoming of the San Francisco 49ers, publicly confirmed hours before the U.S. NFL Super Bowl on February 13, 2022, but using the smaller BlackByte ransomware group as a shell to publicly process the breach on their behalf. Some of their former members have already migrated to smaller ransomware groups like Karakurt and BlackByte.\r\nDuring its run, the Conti operation experienced a total of three revenge-based leaks of various combinations of source code, chat logs and technical manuals from insiders, with the last leak entangled in geopolitics surrounding Russia’s invasion of Ukraine. The second leak, of source code, tools, post-compromise technical manuals and training manuals on August 5, 2021, is the one on which AttackIQ’s new attack graph is based, due to the fidelity of information available from that leak, particularly in the post-compromise technical manuals used by the ransomware operators. This attack graph emulates the actor’s full attack life cycle to help customers validate their security posture against similar attacks.\r\nDespite its break-up, the successful post-compromise tactics, techniques, and procedures (TTPs) employed by Conti’s operators will live on as these criminal hackers splinter and join new groups, taking the same skills with them. It is therefore vital that organizations continue to be prepared to deal with intrusions using these playbooks, despite inevitable minor variations. Validating your security program performance against this type of attack is crucial to reducing risk by increasing resilience. By using this new attack graph in the AttackIQ Security Optimization Platform, security teams will be able to:\r\n1. Evaluate security control performance against attacks using techniques that have had significant real-world impact.\r\n2. Assess security posture against the likely tactics used by Conti’s splinter cell groups.\r\n3. Continuously validate detection and prevention pipelines against activity that leads to destructive actions.\r\nhttps://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/\r\nPage 1 of 10\r\nAttack Graph Emulation of Conti Techniques\r\nFigure 1 – Conti Attack Graph\r\nConti ransomware operators would gain an initial foothold on victims from various initial access brokers (IABs) such as FIN12. Typically, this would start from spear-phishing campaigns that delivered TrickBot and IcedID. Our attack graph begins after the initial access has been achieved and the Conti actors are about to take hands-on-keyboard control of the compromise.\r\nThe actors’ first steps are to explore and learn more about the initial host that has been compromised. Conti runs a series of discovery techniques using native system commands to live off the land and avoid drawing additional attention.\r\nFigure 2 – Discovery\r\nSystem Information Discovery (T1082): Execute native commands like “systeminfo” or “lshw” to learn about the system configuration.\r\nSystem Owner / User Discovery (T1033): Live off the land by running “whoami” and “users” to gain details about the currently available accounts and permission groups.\r\nAccount Discovery – Local Account (T1087.001): On Microsoft Windows hosts, use the “net localgroup administrators” command to identify any local administrator accounts.\r\nSystem Network Configuration Discovery (T1016): Run built-in tools and commands to get routing, network adapter, network share, and connected domain controller information.\r\nRemote System Discovery (T1018): Search for other domain computers using the “net group” command. If the activity is prevented, downloading and leveraging the AdFind utility is attempted. Due to licensing and distribution issues, the “Remote System Discovery Using AdFind” scenario will need to be manually configured with a locally uploaded “AdFind” binary. This binary can be found and downloaded here at the “Download” portion of the page.\r\nPassword Policy Discovery (T1201): Conti will want to understand the local and domain password requirements to help validate potential stolen or harvested credentials.\r\nNetwork Share Discovery (T1135): The threat actors leverage the Invoke-ShareFinder cmdlet from Veil-PowerView to identify remote network shares that could contain files of interest.\r\nAfter completing the discovery phase of their attack, Conti will move on to gaining access to more credentials. They use a variety of techniques to gain not only other local accounts but also remote and service accounts that will allow them to move laterally.\r\nFigure 3 – Credential Access\r\nSteal or Forge Kerberos Tickets – Kerberoasting (T1558.003): Kerberoasting allows an attacker to attempt to extract password hashes for accounts using their Service Principal Name (SPN) ticket. The attack graph first tries using the Invoke-Kerberoast PowerShell cmdlet and, if prevented, tries using Rubeus.\r\nOS Credential Dumping (T1003): Conti leveraged Mimikatz to dump credentials on Windows hosts.\r\nOS Credential Dumping – LSASS Memory (T1003.001): The Local Security Authority Subsystem Service (LSASS) holds credentials in its memory. The process address space is dumped to a minidump and then Mimikatz is used to extract credentials.\r\nOS Credential Dumping – DCSync (T1003.006): Mimikatz is able to impersonate a Domain Controller and request password data via domain replication.\r\nUnsecured Credentials – Group Policy Preferences (T1552.006): Group Policy Preference XML files contain encrypted credentials for creating local accounts or mapping network drives. These files can be collected from domain-connected computers and the credentials harvested for the local accounts.\r\nArmed with additional credentials, the Conti ransomware operators will begin moving laterally to identify and find additional targets of interest.\r\nFigure 4 – Lateral Movement\r\nPass the Hash (T1550.002): The hashed credentials obtained in the previous attack phase can be used to authenticate via NTLM to other enterprise resources.\r\nExploitation of Remote Services (T1210): Using ZeroLogon against vulnerable domain controllers, Conti can easily impersonate any domain computer and take control of the domain admin account.\r\nBrute Force (T1110): When all else fails, attempt to brute-force logins to remote systems over RDP with a username and password dictionary.\r\nAfter gaining access to more of the victim’s network, the actor is going to want to disable or circumvent security controls to make future actions easier and harder to detect and prevent.\r\nFigure 5 – Defense Evasion\r\nDisable or Modify Tools (T1562.001): The actor uses PowerShell to disable Windows Defender.\r\nDisable or Modify System Firewall (T1562.004): The local host firewall is configured to allow incoming RDP connections so the actors can move away from interacting with their backdoor and begin using native Windows functionality.\r\nConti will begin establishing alternative persistence mechanisms across many of the compromised hosts to decrease the likelihood that the victim organization will be able to quickly remediate their access. The actor uses a variety of methods and tries alternatives until successful. These methods are used to maintain access to their backdoors or ensure that the encryption process continues to run even after interruption.\r\nFigure 6 – Persistence\r\nCreate Local Account (T1136): Conti will create a new account to side-step any enterprise password resets for known legitimate accounts.\r\nRegistry Run Keys (T1547.001): Windows has many registry keys that identify applications or commands to be run at startup.\r\nScheduled Task / Job – At (T1053.002): The “at” command is used to create a scheduled task that can re-launch Conti’s malware periodically or after a restart.\r\nWindows Service (T1543.003): Conti creates new Windows services to re-launch their backdoors after a restart.\r\nEvent Triggered Execution – Accessibility Features (T1546.008): Set the debugger for the Sticky Keys helper application to launch a command shell when a user accidentally hits the shift key too many times in a row or if the accessibility feature has been enabled.\r\nEvent Triggered Execution – AppInit DLLs (T1546.010): By creating an AppInit_DLLs entry in the registry, Conti ensures their malicious DLL file is loaded into every process at boot.\r\nWindows Management Instrumentation (T1047): WMI can be used to launch an executable or command when a common event consumer is triggered.\r\nModify Authentication Process – Password Filter DLL (T1556.002): Microsoft allows password filters to be configured for domain and local accounts to enforce stricter password policies. By installing their own password filter, Conti is able to receive the plaintext passwords for accounts from the Local Security Authority (LSA).\r\nWinlogon Helper DLL (T1547.004): Conti configures registry keys that force malicious DLL files to be loaded with the Winlogon.exe process.\r\nNetsh Helper DLL (T1546.007): Netshell (netsh) is a command line tool that facilitates interactions with a system’s network configuration. It can be configured via registry entries to load malicious DLL files every time “netsh.exe” is executed.\r\nAt this point Conti has everything they need to complete their goal and begin encrypting the hosts.\r\nFigure 7 – Encryption\r\nIngress Tool Transfer (T1105): Download and save samples of the actor’s Conti ransomware malware to disk.\r\nData Encrypted for Impact (T1486): AttackIQ has replicated the functionality used by the Conti ransomware to encrypt files on the targeted hosts. This includes the common file extensions and encryption methods utilized by the actor.\r\nDetection and Mitigation Opportunities\r\nWith so many different techniques being utilized by threat actors, it can be difficult to know which to prioritize for prevention and detection opportunities. AttackIQ recommends first focusing on the following techniques emulated in the Conti attack graph before moving on to the remaining techniques.\r\n1. Ransomware Encryption. It should go without saying that, as a last resort, preventing your systems and files from being encrypted should be your number one focus. Ensuring that you have layered endpoint defenses, including Antivirus and EDR solutions, is critical.\r\n1a. Detection Process\r\nRansomware attacks are best prevented and alerted on by your EDR/AV policies. Typically, a configuration for ransomware protection is presented and we strongly encourage that it is enabled in your security controls. There are three telling signs of ransomware activity in an environment that you could query for and possibly turn into preventative detections if your security controls allow. Those three are deletion of shadow volumes, suspicious amounts of exfiltrated data, and of course, widespread file encryption.\r\nDetecting deletion of shadow volumes:\r\nVia vssadmin.exe:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nCommand Line CONTAINS (“vssadmin” AND “Delete Shadows”)\r\nVia PowerShell WMI:\r\nProcess Name == powershell.exe\r\nCommand Line == “Get-WmiObject Win32_Shadowcopy | ForEach-Object {$_.Delete();}”\r\nDetecting suspicious Data Exfiltration:\r\nDetecting exfiltration is well suited to IDS/IPS and DLP solutions. These products should be configured to identify sensitive files. If sensitive files, or a large amount of web traffic, are sent to a rare external IP, it should be detected or prevented depending on the security policies for the security control. Historical NetFlow data logging can also bubble up hosts that are experiencing uncommon peaks in outgoing traffic.\r\nDetecting Ransomware-like File Encryption:\r\nUtilizing an EDR or SIEM/SOAR product can help detect and prevent suspicious file encryption related to ransomware attacks. Using these tools to look for excessive file modifications (greater than 1000 on a system) within less than a minute is a good starting indicator. To increase the fidelity a bit, you could restrict the file modifications to popular ransomware extensions such as .conti, .Locky, .Ryuk, etc. If possible, with a SOAR or preventative EDR platform, we recommend setting these detections to kill all processes involved in creating the alert, as it will most likely stop the spread of the ransomware.\r\n1b. Mitigation Policies\r\nMITRE recommends the following mitigations for Data Encrypted for Impact (T1486):\r\nM1040 – Behavior Prevention on Endpoint\r\nM1053 – Data Backup\r\n2. Common Persistence Mechanisms\r\nSimilar to our recommendation in the Karakurt Data Extortion blog, being able to stop an actor from creating additional hooks into your environment is critical in ensuring that their access can be fully removed during your initial remediation processes.\r\nFocusing on the most common persistence mechanisms, like Windows Service (T1543.003), Registry Run Keys (T1547.001), and Scheduled Tasks (T1053.002), should be your first target for prevention and detection.\r\n2a. Detection Process\r\nDetecting Windows Services Persistence:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nCommand Line CONTAINS ((‘sc’ OR ‘sc.exe’) AND ‘create’ AND ‘binpath=”\u003cpath to trusted executable\u003e”’ AND ‘start=”auto”’)\r\nDetecting Registry Run Keys Persistence:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nUser NOT IN \u003clist of expected reg.exe users\u003e\r\nCommand Line CONTAINS ((“reg” OR “reg.exe”) AND (“HKEY_CURRENT_USER” OR “HKEY_LOCAL_MACHINE”) AND “\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\” AND (“run” OR “runonce”))\r\nDetecting Scheduled Tasks Persistence:\r\nProcess Name == (cmd.exe OR powershell.exe)\r\nCommand Line CONTAINS (“schtasks” AND “/create” AND (“cmd” OR “powershell”) AND (“.exe” OR “.bat”) AND “/ru system”)\r\n2b. Mitigation Policies\r\nMITRE recommends the following mitigations for Create or Modify System Process: Windows Service (T1543.003):\r\nM1040 – Behavior Prevention on Endpoint\r\nM1026 – Privileged Account Management\r\nM1022 – Restrict File and Directory Permissions\r\nM1018 – User Account Management\r\nM1047 – Audit\r\nRecommendations for mitigation of Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (T1547.001):\r\nIt is recommended that only administrators and end users with a specific need be able to run administrative tools such as cmd.exe, powershell.exe, reg.exe, and regedit.exe. Limiting these tools to only authorized users greatly reduces the chance of a compromised end user being able to modify the registry for persistence.\r\nMITRE recommends the following mitigations for Scheduled Task/Job: At (T1053.002):\r\nM1047 – Audit\r\nM1028 – Operating System Configuration\r\nM1026 – Privileged Account Management\r\nM1018 – User Account Management\r\n3. Multiple Native Discovery Commands\r\nOne of the very first things that most actors will do when first gaining access to a compromised host is use the native tools and commands available in the operating system to learn more about the host and its connected network. By using built-in functionality, the actor will blend in with legitimate user traffic. The trick is to look for a series of different discovery commands being executed in short time windows.\r\nMultiple commands in short time windows can be an initial suspicious indicator that an actor may have established a foothold, and can be used to increase the fidelity of future additional suspicious activities observed from a single host.\r\n3a. Detection Process\r\nWith an EDR or SIEM product, you could easily detect when administrative commands are run by non-authorized or unexpected users:\r\nProcess Name == (“cmd.exe” OR “powershell.exe”)\r\nUser NOT IN (\u003clist of expected administrators and power users\u003e)\r\nCommand Line CONTAINS (“systeminfo” OR “whoami” OR “net users” OR “net localgroup Administrators” OR “route print” OR “ipconfig /all” OR “arp -a” OR “wmic ntdomain” OR “wmic netuse” OR “wmic nicconfig” OR “Get-ADComputer” OR “net accounts” OR “Invoke-ShareFinder”)\r\n3b. Mitigation Policies\r\nIt is recommended that only administrators and end users with a specific need be able to run administrative tools such as cmd, powershell, net, wmic, systeminfo, arp, and route. Limiting these tools to only authorized users greatly reduces the chance of a compromised end user being able to enumerate system and environmental settings.\r\nConclusion\r\nIn summary, this attack graph will evaluate security and incident response processes and support the improvement of your security control posture against an actor with focused operations to encrypt your systems and data. With data generated from continuous testing and use of this attack graph, you can focus your teams on achieving key security outcomes, adjust your security controls, and work to elevate your total security program effectiveness against a known and dangerous threat.\r\nAttackIQ stands at the ready to help security teams implement this attack graph and other aspects of the AttackIQ Security Optimization Platform, including through our co-managed security service, AttackIQ Vanguard.\r\nSource: https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://attackiq.com/2022/06/15/attack-graph-emulating-the-conti-ransomware-teams-behaviors/"
	],
	"report_names": [
		"attack-graph-emulating-the-conti-ransomware-teams-behaviors"
	],
	"threat_actors": [
		{
			"id": "6ad410c7-e291-4327-a54b-281c23f0d4fa",
			"created_at": "2022-10-25T16:07:24.501468Z",
			"updated_at": "2026-04-10T02:00:05.013427Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Mushy Scorpius"
			],
			"source_name": "ETDA:Karakurt",
			"tools": [
				"7-Zip",
				"Agentemis",
				"AnyDesk",
				"Cobalt Strike",
				"CobaltStrike",
				"FileZilla",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"WinZip",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2af9bea3-b43e-4a6d-8dc6-46dad6e3ff24",
			"created_at": "2022-10-25T16:47:55.853415Z",
			"updated_at": "2026-04-10T02:00:03.856263Z",
			"deleted_at": null,
			"main_name": "GOLD TOMAHAWK",
			"aliases": [
				"Karakurt",
				"Karakurt Lair",
				"Karakurt Team"
			],
			"source_name": "Secureworks:GOLD TOMAHAWK",
			"tools": [
				"7-Zip",
				"AnyDesk",
				"Mega",
				"QuickPacket",
				"Rclone",
				"SendGB"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "079e3d6e-24ef-42b0-b555-75c288f9efd8",
			"created_at": "2023-03-04T02:01:54.105946Z",
			"updated_at": "2026-04-10T02:00:03.359009Z",
			"deleted_at": null,
			"main_name": "Karakurt",
			"aliases": [
				"Karakurt Lair"
			],
			"source_name": "MISPGALAXY:Karakurt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "a2d3f35f-3b29-4509-bff5-af2638140d39",
			"created_at": "2022-10-25T16:07:23.633982Z",
			"updated_at": "2026-04-10T02:00:04.695802Z",
			"deleted_at": null,
			"main_name": "FIN12",
			"aliases": [],
			"source_name": "ETDA:FIN12",
			"tools": [
				"Agentemis",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"KEGTAP",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434663,
	"ts_updated_at": 1775826743,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/10bcb9950d1add107237601c423ea848298a1788.pdf",
		"text": "https://archive.orkl.eu/10bcb9950d1add107237601c423ea848298a1788.txt",
		"img": "https://archive.orkl.eu/10bcb9950d1add107237601c423ea848298a1788.jpg"
	}
}