Researchers recently obtained a leaked playbook linked to Conti, the Ransomware-as-a-Service (RaaS) group. It has revealed a plethora of information about the threat actors that also contains the Cobalt Strike manual that was referenced while creating the playbook.
Researchers noted that the level of details included in the documentation could enable any low-skilled cybercriminal to perform cyberattacks.
The attackers use the Net command to list users and tools such as AdFind to identify users with Active Directory access, along with OSINT and LinkedIn to spot users with privileged access.
One of the main tools covered in the playbook is the threat emulation software Cobalt Strike. Additionally, other used tools are Armitage, SharpView, SharpChrome, and SeatBelt, among others.
The attackers also included details about exploiting the CVE-2020-1472 (Zerologon) vulnerability using Cobalt Strike.
This playbook is believed to have been reviewed and edited to make it simple to read for Russian-speaking users. Several open-source materials were referred to while compiling the document.
Who’s the leaker?
The alleged leaker goes by the moniker m1Geelka. These could be low-level partners of Conti.
Based on initial details from the leaker’s Telegram account, its team was not paid for the services and that the playbook leak was an act of vengeance.
But later, the partner stated that the documents were leaked to better understand Conti and not for revenge.
The leaked elements are only those components that could be identified by anti-virus and no private code elements were leaked.
The Conti playbook could be a crucial contribution to the security community as it offers a glance into the behaviors of these groups and the tools they tend to leverage while performing attacks. For researchers and security analysts, this is an opportunity to deploy the right logic in place to detect and mitigate such threats.