digraph {
label=<Conti CISA Alert
Conti ransomware flow based on CISA alert.
Author: Dr. Desiree Beck <dbeck@mitre.org>
Created: 2022-10-27 02:44:54.520000+00:00
Modified: 2024-01-24 15:57:06.067000+00:00>;
labelloc="t";
"attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" [label=<
Action: T1566.001 |
Name | Spearphishing Attachment |
Description | Malicious Microsoft Excel file is attached to a phishing email. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" -> "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" [label=asset]
"attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" -> "attack-asset--12823850-2efb-44c5-be26-ac34703683b8" [label=asset]
"attack-action--2a8b2d9c-c1cb-44e8-9c18-e146fdb28c3b" -> "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" [label=effect]
"attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" [label=<Asset: User of Patient Zero workstation |
Description | The user compromised by the spearphishing email. |
> shape=plaintext]
"attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8" [label=<Action: T1204.002 |
Name | Malicious File |
Description | User of the Patient Zero workstation opens the malicious Excel file, compromising the workstation. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8" -> "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" [label=effect]
"attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70" [label=<Action: T1558.003 |
Name | Kerberoasting |
Description | Actors use Kerberos attacks in an attempt to obtain the Admin hash for subsequent brute-force attacks. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70" -> "attack-condition--223e9388-26aa-4cd7-88a3-bc192aa13622" [label=effect]
"attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2" [label=<Action |
Name | Lateral Movement |
Description | Lateral movement to 1 statutory and 6 voluntary hospitals |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2" -> "attack-condition--623bc1c8-fc38-4a2d-a3d0-d925f073af53" [label=effect]
"attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d" [label=<Action: T1486 |
Name | Data Encrypted for Impact |
Description | Threat actors encrypt sensitive data by detonating Conti ransomware. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d" -> "attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856" [label=asset]
"attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e" [label=<Asset: Exfiltrated Data |
Description | Data exfiltrated by threat actor. |
> shape=plaintext]
"attack-action--8956f5e4-bfaf-4709-83fa-309275967a30" [label=<Action |
Name | Exfiltration |
Description | Threat actors often use an open-source command line program, such as Rclone, for data exfiltration. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--8956f5e4-bfaf-4709-83fa-309275967a30" -> "attack-asset--6c3bf979-882d-49ad-8cb5-43a59f42d32e" [label=asset]
"attack-asset--bce29a7e-123b-4e98-a7ae-f3590236d856" [label=<Asset: Encrypted Data |
Description | Data encrypted by Conti ransomware. |
> shape=plaintext]
"attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" [label=<Condition |
Description | User of Patient Zero workstation is compromised |
> shape=plaintext]
"attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" -> "attack-action--803b8f27-1c9b-4d83-b155-b443b69672f8" [label=on_true]
"attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" -> "attack-action--8c673d05-35b9-4563-a19c-612225ba58f2" [label=on_true]
"attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" [label=<Condition |
Description | Patient Zero workstation is compromised |
> shape=plaintext]
"attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" -> "attack-action--11575ef5-332b-4719-9283-ad0988becfef" [label=on_true]
"attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" -> "attack-action--08dfcf4a-96c4-487e-8531-3ddd7fbb6e70" [label=on_true]
"attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" -> "attack-action--e972b38b-5e0c-43f6-a578-f904dab23a64" [label=on_true]
"attack-action--57dca417-5fce-4cb6-9392-c23d24ba8c83" [label=<Action: T1608.006 |
Name | Fake Software |
Description | Fake software promoted via search engine optimization |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--57dca417-5fce-4cb6-9392-c23d24ba8c83" -> "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" [label=asset]
"attack-action--57dca417-5fce-4cb6-9392-c23d24ba8c83" -> "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" [label=effect]
"attack-action--0cf0c85b-c2e5-4dfd-9a92-547357784bd1" [label=<Action: T1598.004 |
Name | Social Engineering |
Description | Actors may get user information via phone calls |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--0cf0c85b-c2e5-4dfd-9a92-547357784bd1" -> "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" [label=asset]
"attack-action--0cf0c85b-c2e5-4dfd-9a92-547357784bd1" -> "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" [label=effect]
"attack-action--e51a777f-14ba-4aac-8e6d-d95b93389173" [label=<Action: T1566.002 |
Name | Spearphishing Link |
Description | Malicious Microsoft Excel file is attached to a phishing email. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--e51a777f-14ba-4aac-8e6d-d95b93389173" -> "attack-asset--14a9c069-abae-41d2-8615-8ca20ba0ca68" [label=asset]
"attack-action--e51a777f-14ba-4aac-8e6d-d95b93389173" -> "attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" [label=effect]
"attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" [label=OR fillcolor="#ff9900" shape=circle style=filled]
"attack-operator--7686e85f-53e7-4e22-b799-cd068137d4c8" -> "attack-condition--f8f14cd5-8cb3-41eb-a7de-d13c92afd312" [label=effect]
"attack-asset--12823850-2efb-44c5-be26-ac34703683b8" [label=<Asset: Microsoft Office document |
Description | The document is a downloader-dropper. Examples include Cobalt Strike, IcedID, and TrickBot. |
> shape=plaintext]
"attack-action--8c673d05-35b9-4563-a19c-612225ba58f2" [label=<Action: T1078 |
Name | Valid Accounts |
Description | User reveals credentials |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--8c673d05-35b9-4563-a19c-612225ba58f2" -> "attack-asset--b25c46f7-e302-4bcc-a75f-7b97913dedeb" [label=asset]
"attack-action--8c673d05-35b9-4563-a19c-612225ba58f2" -> "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" [label=effect]
"attack-asset--b25c46f7-e302-4bcc-a75f-7b97913dedeb" [label=<Asset: User credentials |
Description | User credentials for a valid account |
> shape=plaintext]
"attack-action--7a4205e1-043e-4c6d-8a9f-89f9a3a8ec83" [label=<Action: T1076 |
Name | Remote Desktop Protocol |
Description | Stolen or weak Remote Desktop Protocol (RDP) credentials |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--7a4205e1-043e-4c6d-8a9f-89f9a3a8ec83" -> "attack-asset--ad245cbc-08a4-4a73-a0fd-cd49205b5721" [label=asset]
"attack-action--7a4205e1-043e-4c6d-8a9f-89f9a3a8ec83" -> "attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" [label=effect]
"attack-asset--ad245cbc-08a4-4a73-a0fd-cd49205b5721" [label=<Asset: RDP account |
Description | Compromised RDP account |
> shape=plaintext]
"attack-action--11575ef5-332b-4719-9283-ad0988becfef" [label=<Action: T1057 |
Name | Process Discovery |
Description | Actors run a getuid payload before using a more aggressive payload to reduce the risk of triggering antivirus engines. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--11575ef5-332b-4719-9283-ad0988becfef" -> "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" [label=effect]
"attack-action--e972b38b-5e0c-43f6-a578-f904dab23a64" [label=<Action: T1110 |
Name | Brute Force |
Description | Use Router Scan, a penetration testing tool, to maliciously scan for and brute force [T1110] routers, cameras, and network-attached storage devices with web interfaces. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--e972b38b-5e0c-43f6-a578-f904dab23a64" -> "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" [label=effect]
"attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" [label=OR fillcolor="#ff9900" shape=circle style=filled]
"attack-operator--ee2f9478-ca65-4b3c-9c77-77cd2a277a91" -> "attack-condition--a32b0dae-0b41-472b-9c23-fd234955beca" [label=effect]
"attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" [label=<Condition |
Description | HSE Server is compromised |
> shape=plaintext]
"attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" -> "attack-action--2a78a7b6-4cf3-4a8e-9856-e34935a18dbd" [label=on_true]
"attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" -> "attack-action--9955f520-81f0-4826-a04f-e29c222cf214" [label=on_true]
"attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" -> "attack-action--21b2ccee-d3ed-4866-b931-87c37f98dc93" [label=on_true]
"attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" [label=OR fillcolor="#ff9900" shape=circle style=filled]
"attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" -> "attack-condition--060bac6c-30cd-4cef-93e2-04c1939f3fc2" [label=effect]
"attack-action--51d84486-8f49-40aa-a3ef-65ab544dff0f" [label=<Action: T1110 |
Name | Brute Force |
Description | Actors get the Admin hash to conduct brute force attacks. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--51d84486-8f49-40aa-a3ef-65ab544dff0f" -> "attack-operator--ad5f81ee-b495-4efb-b6f9-d62fe07cfe0b" [label=effect]
"attack-action--2a78a7b6-4cf3-4a8e-9856-e34935a18dbd" [label=<Action |
Name | Persistence |
Description | Threat actors exploit legitimate software to maintain persistence. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--2a78a7b6-4cf3-4a8e-9856-e34935a18dbd" -> "attack-asset--68bf90ee-2a96-48e3-8acc-cb3068e20db0" [label=asset]
"attack-asset--68bf90ee-2a96-48e3-8acc-cb3068e20db0" [label=<Asset: Software |
Description | Remote desktop software or remote monitoring and management software. |
> shape=plaintext]
"attack-action--9955f520-81f0-4826-a04f-e29c222cf214" [label=<Action |
Name | Privilege Escalation |
Description | Threat actors use tools already present on the victim network to obtain users' hashes and clear-text credentials. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--9955f520-81f0-4826-a04f-e29c222cf214" -> "attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" [label=effect]
"attack-action--21b2ccee-d3ed-4866-b931-87c37f98dc93" [label=<Action: T1203 |
Name | Exploitation for Client Execution |
Description | Threat actors exploit vulnerabilities in unpatched assets to escalate privileges and move laterally. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--21b2ccee-d3ed-4866-b931-87c37f98dc93" -> "attack-condition--759ddb9f-c0a6-4fa4-bc83-f20a4ae8ea35" [label=effect]
"attack-condition--759ddb9f-c0a6-4fa4-bc83-f20a4ae8ea35" [label=<Condition |
Description | Network Asset A is compromised |
> shape=plaintext]
"attack-condition--759ddb9f-c0a6-4fa4-bc83-f20a4ae8ea35" -> "attack-action--c3c4d3ba-ee40-437d-92a7-224bdb5cfaa0" [label=on_true]
"attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" [label=<Condition |
Description | Network Asset B is compromised |
> shape=plaintext]
"attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" -> "attack-action--fda03654-388a-45e1-b3c5-36a0593aec6d" [label=on_true]
"attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" -> "attack-action--8956f5e4-bfaf-4709-83fa-309275967a30" [label=on_true]
"attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" -> "attack-action--4c0e9ba3-e5ad-4215-8b41-6636f9ec90b2" [label=on_true]
"attack-condition--623bc1c8-fc38-4a2d-a3d0-d925f073af53" [label=<Condition |
Description | Network Asset C is compromised |
> shape=plaintext]
"attack-condition--223e9388-26aa-4cd7-88a3-bc192aa13622" [label=<Condition |
Description | Admin hash is compromised |
> shape=plaintext]
"attack-condition--223e9388-26aa-4cd7-88a3-bc192aa13622" -> "attack-action--51d84486-8f49-40aa-a3ef-65ab544dff0f" [label=on_true]
"attack-action--c3c4d3ba-ee40-437d-92a7-224bdb5cfaa0" [label=<Action |
Name | Privilege Escalation |
Description | Threat actors exploit vulnerabilities in an unpatched asset to escalate privileges. |
Confidence | Very Probable |
> shape=plaintext]
"attack-action--c3c4d3ba-ee40-437d-92a7-224bdb5cfaa0" -> "attack-condition--1a4cb2c8-008f-4bec-8659-6a4cccb638b4" [label=effect]
}