{
	"id": "ea2b9004-6f07-4d69-a899-2649ede8effe",
	"created_at": "2026-04-06T00:09:59.394189Z",
	"updated_at": "2026-04-10T03:24:23.908484Z",
	"deleted_at": null,
	"sha1_hash": "8e2671733f04578bef10c5231212d6c57e970859",
	"title": "Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2623298,
	"plain_text": "Analysis of Leaked Conti Intrusion Procedures by eSentire’s Threat Response Unit (TRU)\r\nBy eSentire Threat Response Unit (TRU)\r\nArchived: 2026-04-05 13:32:25 UTC\r\nAs defenders, often our only insight into an adversary’s tradecraft is gleaned through analysis of intrusion artifacts following an incident. The recent leak of Conti and Trickbot materials offers a glimpse into how the group infiltrated and took control of networks in extortion attacks. While the leaked manual and forum are from early to mid-2021, they offer a snapshot of how the group trained and conducted its intrusions. The Conti team likely maintains similar, up-to-date manuals and knowledge base articles.\r\nKey Takeaways:\r\nThere is a heavy reliance on Offensive Security Tooling (OST) such as Cobalt Strike, Mimikatz and PowerView, and on known attack techniques, throughout the intrusion phases.\r\nDual-use tools such as 7zip, AnyDesk, Rclone and living-off-the-land Windows utilities are used to reduce exposure.\r\nTooling is augmented with scripts that facilitate deployment and use. For example, Cobalt Strike is augmented with known resources like C2Concealer and with scripts compiled from public research.\r\nFigure 1 Forum post recommending various penetration testing utilities.\r\nBackground\r\nOn February 27, 2022, a Twitter account named “ContiLeaks” began posting chat logs showing private communications between Conti members. These logs spanned January 2021 to February 2022 and contained thousands of messages between alleged Conti members. Following this, the ContiLeaks account published additional chat logs from June 2020 to November 2020, an extract of a trickconti forum, Rocketchat logs, and Trickbot and Conti software components, among other materials.\r\nOur Threat Response Unit (TRU), journalists and researchers have dug through the chat logs and identified key players and organizational structure. 
The group operates like a structured organization, with team leaders and departments responsible for hiring talent, research \u0026 development, training, and conducting “penetration tests”.\r\nBesides the chat logs, our attention was drawn to intrusion procedures in the form of manuals and knowledge base articles. Like a legitimate organization, Conti maintains reference material to ensure work is done consistently and up to standard.\r\nhttps://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru\r\nPage 1 of 14\r\nFigure 2 Excerpt from leaked Rocketchat logs making a case for a centralized knowledge base.\r\nTwo sources for intrusion procedures have been identified thus far:\r\n\"manual_teams_c\"\r\nTaken from leaked Rocketchat logs from May 2021, helpfully extracted and published by Émilio Gonzalez.\r\nAnalysis of the files extracted from the Rocketchat logs showed overlap with the leaked Conti Playbook from August 2021.\r\n“trickconti-forum”\r\nPosted by Twitter user ContiLeaks on March 1st, 2022 without context.\r\nForum containing 51 text files of how-to guides for attack procedures and intrusion methods, organized into kill chain phases.\r\nUser “Rozetka”, who is identified as a team lead in the leaked Rocketchat logs, is mentioned heavily throughout the forum posts.\r\nMost posts were dated February-March 2021.\r\nFigure 3 August 2020 Rocketchat discussion about team composition and responsibilities.\r\nAdditionally, the forum is mentioned several times in leaked Rocketchat logs.\r\nFigure 4 Rocketchat discussion for the \"trickconti\" forum.\r\nBreakdown by Intrusion Phase\r\nReconnaissance\r\nDuring reconnaissance, threat actors rely on the passive collection of information related to their target’s internal environment using public domain and 
reputational databases. This is achieved using open-source tooling such as Sub-Drill and penst-tools[.]com.\r\nFor active scanning, the Aquatone tool is used to visually inspect websites and servers for attack opportunities.\r\nInitial Access\r\nTo gain initial access, the Conti group leverages techniques that include exposed remote access services and compromised endpoints. The trickconti forum mentions various remote access services from Citrix, SonicWall, FortiGate and Pulse Secure.\r\nTo circumvent multi-factor authentication on VPNs, operators will attempt to intercept MFA codes from compromised email accounts or hijack browser sessions using session tokens stolen from compromised endpoints.\r\nFigure 5 Post from February 2021 discussing browser session hijacking.\r\nDiscovery\r\nOnce operators land on a compromised machine or access the network through VPN, their first step is to gain situational awareness using tools such as AdFind or Windows command line utilities such as net or nltest. AdFind is referenced heavily throughout the leaked procedure documentation and would appear to be the preferred tool as of early 2021. As is a theme with other techniques, the tool is augmented with scripts to expedite data collection.\r\nFigure 6 Sample output from AdFind tool.\r\nCollected information includes Active Directory users, computers, Organizational Units (OUs), domain trusts and subnets. The data is written to text files and used in downstream attacks or information gathering.\r\nThe Invoke-ShareFinder module from PowerView is also mentioned as a means to enumerate network shares.\r\nCredential Access and Privilege Escalation\r\nThe next step is to steal credentials and escalate privileges to gain higher-level permissions on the system or network. 
Multiple known techniques are mentioned to fulfill this objective:\r\nKerberoasting\r\nAS-REP Roasting\r\nDCSync\r\nGroup Policy Preferences\r\nPassword spray via an SMB brute-force tool\r\nPowerUpSQL\r\nNetlogon (CVE-2020-1472, ZeroLogon)\r\nKerberoast and AS-REP roast attacks are known techniques for abusing weaknesses in Kerberos to obtain material for offline cracking: Kerberoasting requests service tickets for accounts that have Service Principal Names, and part of each ticket is encrypted with the service account’s password hash, while AS-REP roasting targets accounts that do not require Kerberos pre-authentication, whose AS-REP likewise contains data encrypted with the account’s password hash. The Kerberos attacks are executed using either the Rubeus tool or the Invoke-Kerberoast PowerShell module. Kerberoasting is mentioned several times in the procedure documents and is an early intrusion step conducted through a VPN session using a compromised account or through a compromised workstation using Cobalt Strike. Cracked passwords can then facilitate privilege escalation activities.\r\nFigure 7 Instructions for executing a Kerberoast and AS-REP Roast attack using the Rubeus tool.\r\nPersistence \u0026 Command and Control\r\nOnce the threat actors have successfully escalated their privileges, the next priority is to maintain their foothold in the environment and control compromised systems in a way that looks normal and avoids detection. The trickconti forum contains instructions for establishing persistence through a mix of backdoor malware, webshells and remote access software. The most common tools mentioned in the guide include:\r\nAnchor Backdoor: A sophisticated backdoor, believed to be developed by the Trickbot authors, that uses the DNS protocol for communication and is delivered through Trickbot installations.\r\nNgrok: A utility commonly abused to tunnel traffic between internal hosts and attackers. 
The guide provides instructions for registering an account on http://ngrok.com and a script to automate deployment. The script (Install_ngrok.ps1) automates downloading both Ngrok and the Non-Sucking Service Manager (NSSM) to the target machine, installs Ngrok as a service and configures it to expose local port 3389 (RDP). The utility is subsequently used to tunnel remote desktop traffic to the host from outside the network/firewall boundary.\r\nTOR Backdoor: This is used in a similar fashion to Ngrok. Using a PowerShell script (BackdoorNew), a TOR (The Onion Router) client and OpenSSH are downloaded to the system and installed as services using NSSM. This configuration is presumably used to create an outbound connection over TOR through which the operator can tunnel into the host.\r\nExchange Webshell: The trickconti forum contains a detailed guide on deploying Exchange webshells for persistence. Their steps to plant a webshell in Exchange are as follows:\r\n1. Connect to the Exchange server.\r\n2. Identify public-facing directories such as C$\\Program Files\\Microsoft\\Exchange Server\\V14\\ClientAccess\\owa\\auth and test access from the outside.\r\n3. Modify the webshell’s timestamp to match surrounding files.\r\n4. Retest the webshell connection from the outside.\r\nThe guide was posted February 5, 2021 and predates the disclosure of the ProxyLogon Exchange vulnerabilities in March 2021. It does not indicate that Exchange exploits were used; instead it relied on stolen credentials to connect to Exchange servers and deploy webshells. It’s likely this guide was updated at a later point to incorporate the ProxyLogon exploit. 
A copy of the webshell can be found here.\r\nRemote Access Software (AnyDesk): AnyDesk is among the remote access tools known to be abused by Conti operators to remotely access compromised systems. The trickconti forum contains instructions for deploying AnyDesk to systems using a script:\r\nFigure 8 Snippet of AnyDesk installation script.\r\nIIS Patch Backdoor: This is mentioned, but not elaborated on.\r\nTargeting Administrators\r\nThis is a critical step, as not only do administrator accounts provide access to more sensitive systems, but their workstations also contain a wealth of information about the organization’s IT infrastructure. This guide appears identical to what was included in the leaked Conti playbook in August 2021.\r\nThe trickconti forum contains a page aptly called “Hunt Administrator” which describes in detail how to identify and rank administrative network users.\r\nFigure 9 Snippet of forum post titled \"Hunt Administrator\"\r\nInformation about administrators is obtained using output from the AdFind tool (executed as part of initial network discovery) or using Windows utilities through a Cobalt Strike session. Example commands include:\r\nnet group “domain admins” /domain\r\nnet user potential_admin /domain\r\nThis data is then manually inspected and validated. Operators are instructed to look for indicators such as group membership, department or job title. Results are validated by checking the account status/last logon time and LinkedIn if needed.\r\nFigure 10 Guidance on validating active administrator accounts.\r\nFigure 11 Sample output from net command included in the post for demonstration purposes.\r\nOnce administrator accounts are identified, PowerSploit’s Find-DomainUserLocation is used to identify systems where the account is logged in. 
The guide instructs operators to remotely extract files from admin workstations using impersonation tokens and either the net Windows utility or Cobalt Strike’s file browser. It clearly warns the operator against deploying a Cobalt Strike beacon directly to the system, to avoid raising alarms.\r\nStandard user directories such as OneDrive or Documents are reviewed for files of interest such as password lists. Application folders (AppData\\Local and AppData\\Roaming) are checked for custom configurations. Browser history and login data from Chrome, Edge and Firefox are extracted for useful information such as the location of backup and virtualization servers. Local Outlook data files are extracted for further analysis.\r\nExfiltration\r\nThe next step is to exfiltrate the data from the organization’s network, packaging it with compression and encryption to avoid detection. In addition to the TOR backdoor, the guide mentions two other tools:\r\nFileZilla: Used by deploying a portable version to compromised hosts and exfiltrating data over SFTP (port 22). Additionally, FileZilla can be used to connect to the compromised host through an established TOR tunnel.\r\nRclone: A command line utility for backing up data to cloud services. Unfortunately, the tool has been co-opted by ransomware groups such as Conti for exfiltrating data to services such as Mega[.]nz. The trickconti forum contains a procedure document for configuring the utility and using it to exfiltrate data from compromised systems. 
These instructions closely mirror what was revealed in the Conti Playbook leak from 2021.\r\nFigure 12 Rclone instructions.\r\nInhibit Recovery\r\nDestroying or encrypting backups is typically a late-stage action performed prior to or during the encryption stage. Doing so inhibits recovery options for the victim organization, giving Conti the upper hand in negotiations. Backups can also be targeted for data theft. The trickconti forum mentions various backup solutions including:\r\nSynology Active Backup for Business\r\nStorageCraft ShadowProtect SPX\r\nVeeam\r\nIn general, operators are instructed to identify backup software from browsing history, running processes, authentication logs, etc. Stolen credential lists, such as hashes taken from NTDS, and account lists are checked for possible backup service accounts whose names contain common string identifiers for a given backup solution. Once obtained, credentials for backup accounts are used to access and modify backups to inhibit recovery. For more information, see https://www.advintel.io/post/backup-removal-solutions-from-conti-ransomware-with-love.\r\nFigure 13 Guidance on picking out accounts tied to backup services.\r\nThe forum also contained a post on recovering passwords from Veeam backup servers.\r\nFigure 14 Veeam password recovery steps.\r\nThis is a known technique, documented as early as 2019 in Veeam’s forums and explained in detail here. It’s likely this step is taken to obtain credentials not tied to Active Directory, such as those for other backups or infrastructure. A 2020 post on Veeam’s forums by a victim of ransomware describes a similar scenario where non-AD credentials stored in Veeam were used to access secondary backup storage devices. 
Advice is given to operators to disable notifications on backup servers to avoid detection:\r\nFigure 15 Disabling notifications on backup servers.\r\nFinally, the trickconti forum contains instructions for targeting virtualized infrastructure from VMware and Microsoft. Once administrative access to the virtualization platform is achieved, snapshots and backups are destroyed and servers are locked.\r\nIn a May 2021 post, a user describes the process for accessing vSphere and identifying backups for virtual machines by examining the license level and authentication logs from backup services:\r\nFigure 16 vSphere instructions.\r\nFigure 17 Additional guidance on encrypting backups tied to virtual machines.\r\nFigure 18 Hyper-V instructions.\r\nHow eSentire is Responding\r\nOur Threat Response Unit combines intelligence gleaned from research, security incidents, and the external threat landscape to create actionable outcomes for our customers. 
We are taking a holistic response approach to combat modern ransomware by deploying countermeasures across the ransomware attack cycle, covering:\r\nKnown precursor malware\r\nLiving-off-the-land techniques\r\nDiscovery techniques and domain reconnaissance (listing admins, domain trusts, etc.)\r\nOffensive security tools such as Cobalt Strike\r\nCredential access techniques (Kerberoasting, ZeroLogon, Mimikatz)\r\nLate-stage TTPs (credential extraction from DCs, PsExec/WMIC/BITSAdmin code deployment)\r\nFinal stages (Volume Shadow Copy deletion, ransomware artifacts, archiving tools, data staging)\r\nOur detection content is backed by investigation runbooks, ensuring our SOC cyber analysts respond rapidly to any intrusion attempt tied to known ransomware tactics, techniques, and procedures. In addition, our Threat Response Unit closely monitors the ransomware threat landscape, addresses capability gaps and conducts retroactive threat hunts to assess customer impact.\r\nRecommendations from eSentire’s Threat Response Unit (TRU)\r\nWhile the TTPs used by adversaries grow in sophistication, they lead to a limited set of choke points at which critical business decisions must be made. 
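The Kerberoast and AS-REP roast procedures described above (Figure 7) and the Kerberos hardening advice in the recommendations that follow both come down to a few observable attributes: the ticket encryption type and pre-authentication type a domain controller logs in events 4769 and 4768, and the msDS-SupportedEncryptionTypes and userAccountControl attributes of the accounts themselves. The Python below is an added example written for this page; it is not eSentire detection content and not code from the leaked material. It runs two detections over a constructed set of 4769/4768 events and audits a constructed directory export for the accounts the procedures would target. The thresholds (3 distinct RC4 service-ticket targets, or 2 TGTs issued without pre-authentication, within 10 minutes), the 365-day password-age limit and all account and host names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17                      # TicketEncryptionType for RC4-HMAC in events 4768/4769
AES_BITS = 0x08 | 0x10               # AES128 | AES256 bits of msDS-SupportedEncryptionTypes
UF_DONT_REQUIRE_PREAUTH = 0x400000   # userAccountControl flag that makes an account AS-REP roastable

# Thresholds are assumptions for this example, not figures from the leaked material.
ROAST_WINDOW = timedelta(minutes=10)
MIN_DISTINCT_SERVICES = 3   # RC4 service tickets for this many service accounts = Kerberoast
MIN_ASREP_ACCOUNTS = 2      # TGTs without pre-auth for this many accounts from one IP = AS-REP roast

# Constructed domain controller Security events (not real logs).
# 4769 = service ticket request: 'service' is the target account, 'etype' the ticket encryption type.
# 4768 = TGT request: 'preauth' is the Pre-Authentication Type (0 = none, 2 = encrypted timestamp).
SAMPLE_EVENTS = [
    {'id': 4769, 'time': '2021-02-10T09:14:02', 'user': 'jsmith', 'ip': '10.1.5.40', 'service': 'sqlsvc', 'etype': 0x17},
    {'id': 4769, 'time': '2021-02-10T09:14:03', 'user': 'jsmith', 'ip': '10.1.5.40', 'service': 'svc_backup', 'etype': 0x17},
    {'id': 4769, 'time': '2021-02-10T09:14:03', 'user': 'jsmith', 'ip': '10.1.5.40', 'service': 'veeam_svc', 'etype': 0x17},
    {'id': 4769, 'time': '2021-02-10T09:14:04', 'user': 'jsmith', 'ip': '10.1.5.40', 'service': 'WS-ADMIN01$', 'etype': 0x17},
    {'id': 4769, 'time': '2021-02-10T11:30:00', 'user': 'mlee', 'ip': '10.1.7.12', 'service': 'sqlsvc', 'etype': 0x12},
    {'id': 4768, 'time': '2021-02-10T09:20:10', 'user': 'svc_legacy', 'ip': '10.1.5.40', 'etype': 0x17, 'preauth': 0},
    {'id': 4768, 'time': '2021-02-10T09:20:11', 'user': 'contractor7', 'ip': '10.1.5.40', 'etype': 0x17, 'preauth': 0},
    {'id': 4768, 'time': '2021-02-10T08:01:00', 'user': 'mlee', 'ip': '10.1.7.12', 'etype': 0x12, 'preauth': 2},
]


def _ts(event):
    return datetime.fromisoformat(event['time'])


def detect_kerberoast(events, window=ROAST_WINDOW, min_services=MIN_DISTINCT_SERVICES):
    """One finding per (user, ip) that pulled RC4 service tickets for min_services or more
    distinct crackable service accounts inside the window (Rubeus kerberoast asks for RC4)."""
    by_source = defaultdict(list)
    for e in events:
        if e['id'] != 4769 or e['etype'] != RC4_HMAC:
            continue
        svc = e['service']
        if svc.endswith('$') or svc.lower() == 'krbtgt':
            continue   # machine accounts have random passwords; krbtgt tickets are normal traffic
        by_source[(e['user'], e['ip'])].append(e)
    findings = []
    for (user, ip), reqs in by_source.items():
        reqs.sort(key=_ts)
        for i, first in enumerate(reqs):
            in_window = [r for r in reqs[i:] if _ts(r) - _ts(first) <= window]
            services = sorted({r['service'] for r in in_window})
            if len(services) >= min_services:
                findings.append({'rule': 'kerberoast', 'user': user, 'ip': ip, 'services': services})
                break
    return findings


def detect_asrep_roast(events, window=ROAST_WINDOW, min_accounts=MIN_ASREP_ACCOUNTS):
    """One finding per source IP that obtained TGTs without pre-authentication for
    min_accounts or more distinct accounts inside the window (Rubeus asreproast pattern)."""
    by_ip = defaultdict(list)
    for e in events:
        if e['id'] == 4768 and e.get('preauth') == 0:
            by_ip[e['ip']].append(e)
    findings = []
    for ip, reqs in by_ip.items():
        reqs.sort(key=_ts)
        for i, first in enumerate(reqs):
            accounts = sorted({r['user'] for r in reqs[i:] if _ts(r) - _ts(first) <= window})
            if len(accounts) >= min_accounts:
                findings.append({'rule': 'asrep_roast', 'ip': ip, 'accounts': accounts})
                break
    return findings


# Constructed directory export: the attributes a defender would pull with AdFind or Get-ADUser.
# enc_types 0 means msDS-SupportedEncryptionTypes is unset, which leaves the account RC4-capable.
SAMPLE_ACCOUNTS = [
    {'sam': 'sqlsvc', 'spns': ['MSSQLSvc/sql01.corp.local:1433'], 'enc_types': 0, 'uac': 0x10200, 'pwd_age_days': 1460},
    {'sam': 'svc_backup', 'spns': ['HOST/bkp01.corp.local'], 'enc_types': 0x18, 'uac': 0x10200, 'pwd_age_days': 40},
    {'sam': 'svc_legacy', 'spns': [], 'enc_types': 0x4, 'uac': 0x410200, 'pwd_age_days': 900},
    {'sam': 'mlee', 'spns': [], 'enc_types': 0, 'uac': 0x200, 'pwd_age_days': 30},
]


def audit_roastable_accounts(accounts, max_pwd_age_days=365):
    """Flag SPN holders that still accept RC4 or carry an old password, and any
    account that does not require pre-authentication. Returns (account, reason) pairs."""
    issues = []
    for a in accounts:
        if a['spns'] and not (a['enc_types'] & AES_BITS):
            issues.append((a['sam'], 'kerberoastable: service account without AES encryption types'))
        if a['spns'] and a['pwd_age_days'] > max_pwd_age_days:
            issues.append((a['sam'], f'service account password older than {max_pwd_age_days} days'))
        if a['uac'] & UF_DONT_REQUIRE_PREAUTH:
            issues.append((a['sam'], 'AS-REP roastable: pre-authentication not required'))
    return issues


if __name__ == '__main__':
    for f in detect_kerberoast(SAMPLE_EVENTS) + detect_asrep_roast(SAMPLE_EVENTS):
        print('ALERT', f)
    for sam, why in audit_roastable_accounts(SAMPLE_ACCOUNTS):
        print('HARDEN', sam, why)
```

In production the events come from the Security log of every domain controller, and the strongest single signal is a burst of 0x17 service tickets for SPN-bearing user accounts from a workstation that otherwise requests AES; the account export is the same three attributes pulled with AdFind or Get-ADUser, and an account with the encryption-type attribute unset is treated as RC4-capable because that is what an attacker will ask for.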
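The discovery commands (AdFind, net, nltest, Invoke-ShareFinder), the Hunt Administrator net user look-ups, the NSSM-installed Ngrok, TOR and OpenSSH services, the AnyDesk deployment and the 7zip, Rclone and FileZilla staging and exfiltration described in the sections above all leave Windows process-creation (event 4688) and service-installation (event 7045) records. None of them is conclusive on its own, which is exactly why the forum guides lean on dual-use tools; what gives them away is several phases appearing on one host, or an account that was looked up during admin hunting later running the tunnel or exfiltration step. The Python below is an added example written for this page, not eSentire detection logic and not code from the leaked material: it classifies a constructed set of events into the phases used on this page and correlates them per host and per hunted account. The 24-hour window, the two-phase threshold, the host and account names and the event samples are assumptions, and image paths in the sample are shortened to file names (matching is by substring, so full paths behave the same).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of Windows events (not real logs). 4688 = process creation with
# command-line auditing enabled, 7045 = new service installed (System log). Image paths
# are shortened to file names for readability; the rules match by substring.
SAMPLE_EVENTS = [
    {'id': 4688, 'host': 'WS-FIN07', 'time': '2021-02-12T10:02:11', 'user': 'jsmith',
     'cmd': 'adfind.exe -f objectcategory=computer -csv name operatingsystem'},
    {'id': 4688, 'host': 'WS-FIN07', 'time': '2021-02-12T10:02:40', 'user': 'jsmith',
     'cmd': 'net group \"domain admins\" /domain'},
    {'id': 4688, 'host': 'WS-FIN07', 'time': '2021-02-12T10:03:05', 'user': 'jsmith',
     'cmd': 'net user bkadmin /domain'},
    {'id': 7045, 'host': 'WS-FIN07', 'time': '2021-02-12T10:41:00', 'user': 'SYSTEM',
     'service': 'ngrok', 'path': 'nssm.exe'},          # NSSM wraps ngrok as a service
    {'id': 4688, 'host': 'WS-FIN07', 'time': '2021-02-12T10:41:02', 'user': 'SYSTEM',
     'cmd': 'ngrok.exe tcp 3389'},
    {'id': 4688, 'host': 'FS01', 'time': '2021-02-13T02:10:00', 'user': 'bkadmin',
     'cmd': '7z.exe a -mhe=on finance.7z E:/Finance'},
    {'id': 4688, 'host': 'FS01', 'time': '2021-02-13T02:15:00', 'user': 'bkadmin',
     'cmd': 'rclone.exe copy E:/Finance mega:staging --transfers 8'},
    {'id': 4688, 'host': 'WS-HR02', 'time': '2021-02-12T09:00:00', 'user': 'itops',
     'cmd': 'nltest /dclist:corp.local'},              # lone discovery: below threshold
    {'id': 7045, 'host': 'SRV-APP03', 'time': '2021-02-12T12:00:00', 'user': 'SYSTEM',
     'service': 'MyAppSvc', 'path': 'myapp.exe'},      # benign service install
]


def _any(*needles):
    return lambda text: any(n in text for n in needles)


def _all(*needles):
    return lambda text: all(n in text for n in needles)


# (phase, event id, predicate on the lower-cased command line or service image path).
# The strings are the ones the leaked guides use; keep them narrow to stay out of admin noise.
RULES = [
    ('discovery',      4688, _any('adfind', 'nltest', 'invoke-sharefinder')),
    ('discovery',      4688, _all('net ', 'group ', 'domain admins', '/domain')),
    ('hunt_admin',     4688, _all('net ', 'user ', '/domain')),
    ('tunnel_service', 7045, _any('nssm', 'ngrok', 'tor.exe', 'sshd', 'ssh.exe')),
    ('tunnel_service', 4688, _all('ngrok', '3389')),
    ('remote_access',  4688, _any('anydesk')),
    ('exfiltration',   4688, _any('rclone', 'filezilla', 'fzsftp')),
    ('exfiltration',   4688, _all('7z', ' a ')),       # archiving before upload
]


def _ts(event):
    return datetime.fromisoformat(event['time'])


def classify(event):
    """Phases an event matches, from its command line (4688) or service image path (7045)."""
    text = (event.get('cmd') or event.get('path') or '').lower()
    return {phase for phase, eid, match in RULES if event['id'] == eid and match(text)}


def hunted_accounts(events):
    """Account names looked up with 'net user <name> /domain', the Hunt Administrator step."""
    names = set()
    for e in events:
        parts = e['cmd'].lower().split() if e['id'] == 4688 else []
        if (len(parts) >= 4 and parts[0] in ('net', 'net.exe', 'net1', 'net1.exe')
                and parts[1] == 'user' and '/domain' in parts and not parts[2].startswith('/')):
            names.add(parts[2])
    return names


def correlate(events, window=timedelta(hours=24), min_phases=2):
    """One finding per host that shows min_phases distinct phases inside the window (counted
    from its first matching event), plus any host where a previously hunted account runs the
    tunnel or exfiltration step, the admin-targeting chain the guide describes."""
    hunted = hunted_accounts(events)
    by_host = defaultdict(list)
    for e in sorted(events, key=_ts):
        phases = classify(e)
        if phases:
            by_host[e['host']].append((e, phases))
    findings = []
    for host, hits in by_host.items():
        first = _ts(hits[0][0])
        in_window = [(e, p) for e, p in hits if _ts(e) - first <= window]
        phases = sorted({ph for _, p in in_window for ph in p})
        reused = sorted({e['user'] for e, p in in_window
                         if e['user'].lower() in hunted and p & {'tunnel_service', 'exfiltration'}})
        if len(phases) >= min_phases or reused:
            findings.append({'host': host, 'phases': phases, 'hunted_account_reused': reused,
                             'evidence': [e.get('cmd') or e.get('path') for e, _ in in_window]})
    return findings


if __name__ == '__main__':
    for f in correlate(SAMPLE_EVENTS):
        print(f['host'], f['phases'], 'hunted account reused:', f['hunted_account_reused'])
        for line in f['evidence']:
            print('   ', line)
```

A real deployment feeds this from 4688 with command-line auditing (or Sysmon event 1) and from System-log 7045 events; the rule table is deliberately keyed on the exact strings the leaked guides use, so extend it as new procedures are observed rather than broadening the substrings, which is what turns the net and 7z rules into noise.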
Intercepting the various attack paths utilized by the modern threat actor requires actively monitoring the threat landscape, developing and deploying endpoint detection, and the ability to investigate logs \u0026 network data during active intrusions.\r\nWe recommend implementing the following controls, mapped to specific tactics leveraged by threat actors, to help secure your organization against the most impactful techniques mentioned in the leaked Conti documents:\r\nInitial Access\r\nRequire multi-factor authentication (MFA) on all remote access, including VPN.\r\nMonitor remote access logs for unusual activity.\r\nProtect endpoints against compromise using AV and/or an Endpoint Detection and Response (EDR) product.\r\nMonitor for discovery tools and commands on protected endpoints.\r\nPatch known vulnerabilities in software and operating systems.\r\nCredential Access \u0026 Privilege Escalation\r\nProtect against Kerberos attacks by:\r\nUsing AES Kerberos encryption instead of RC4 and using complex, lengthy passwords on service accounts.\r\nEnsuring no account has “Do not require Kerberos preauthentication” set, which is what AS-REP roasting relies on.\r\nLimiting service accounts to the minimum required privileges and keeping them out of privileged groups such as Domain Admins.\r\nMonitor for privileged account creation.\r\nCompromise Administrators\r\nProtect administrator workstations from compromise using anti-malware and endpoint detection and response products.\r\nAvoid storing cleartext credentials in files.\r\nUse strong passwords for password managers and avoid saving them directly on the system.\r\nEnforce “least privilege” to limit access to the minimum required for the employee’s specific job function.\r\nExfiltrate Data\r\nEnsure EDR agents are deployed to key targets of ransomware actors including file shares, email servers and domain controllers.\r\nMonitor for data staging and exfiltration utilities such as 7zip, Rclone and 
FileZilla.\r\nMonitor for software used to proxy or tunnel network traffic, including TOR (The Onion Router) clients, Ngrok and SSH clients (where not expected), and for new services installed with NSSM.\r\nInhibit Recovery\r\nImplement regular backups and store them offline.\r\nHarden administrative interfaces to backup services.\r\nIf you’re not currently engaged with a Managed Detection and Response provider, we highly recommend you partner with us for security services in order to disrupt threats before they impact your business.\r\nWant to learn more? Connect with an eSentire Security Specialist.\r\nTo learn how your organization can build cyber resilience and prevent business disruption with eSentire’s Next Level MDR, connect with an eSentire Security Specialist now.\r\nABOUT ESENTIRE’S THREAT RESPONSE UNIT (TRU)\r\nThe eSentire Threat Response Unit (TRU) is an industry-leading threat research team committed to helping your organization become more resilient. TRU is an elite team of threat hunters and researchers that supports our 24/7 Security Operations Centers (SOCs), builds threat detection models across the eSentire XDR Cloud Platform, and works as an extension of your security team to continuously improve our Managed Detection and Response service. 
By providing complete visibility across your attack surface and performing global threat sweeps and proactive hypothesis-driven threat hunts augmented by original threat research, we are laser-focused on defending your organization against known and unknown threats.\r\nSource: https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.esentire.com/blog/analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru"
	],
	"report_names": [
		"analysis-of-leaked-conti-intrusion-procedures-by-esentires-threat-response-unit-tru"
	],
	"threat_actors": [
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-10T02:00:04.746188Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "610a7295-3139-4f34-8cec-b3da40add480",
			"created_at": "2023-01-06T13:46:38.608142Z",
			"updated_at": "2026-04-10T02:00:03.03764Z",
			"deleted_at": null,
			"main_name": "Cobalt",
			"aliases": [
				"Cobalt Group",
				"Cobalt Gang",
				"GOLD KINGSWOOD",
				"COBALT SPIDER",
				"G0080",
				"Mule Libra"
			],
			"source_name": "MISPGALAXY:Cobalt",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434199,
	"ts_updated_at": 1775791463,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8e2671733f04578bef10c5231212d6c57e970859.pdf",
		"text": "https://archive.orkl.eu/8e2671733f04578bef10c5231212d6c57e970859.txt",
		"img": "https://archive.orkl.eu/8e2671733f04578bef10c5231212d6c57e970859.jpg"
	}
}