high_confidence
C0015
[C0015](https://attack.mitre.org/campaigns/C0015) was a ransomware intrusion during which the unidentified attackers used [Bazar](https://attack.mitre.org/software/S0534), [Cobalt Strike](https://attack.mitre.org/software/S0154), and [Conti](https://attack.mitre.org/software/S0575), along with other tools, over a 5-day period. Security researchers assessed that the actors likely used the widely circulated [Conti](https://attack.mitre.org/software/S0575) ransomware playbook, based on the observed pattern of activity and operator errors. (Citation: DFIR Conti Bazar Nov 2021)
Start date
1 August 2021
End date
1 August 2021
Techniques
34
Attributed actors
Techniques (34)
collection (3)
T1039 Data from Network Shared Drive
T1074.001 Local Data Staging
T1005 Data from Local System
command-and-control (2)
T1219.002 Remote Desktop Software
T1105 Ingress Tool Transfer
defense-impairment (1)
T1553.002 Code Signing
discovery (9)
T1018 Remote System Discovery
T1069.002 Domain Groups
T1135 Network Share Discovery
T1057 Process Discovery
T1124 System Time Discovery
T1069.001 Local Groups
T1482 Domain Trust Discovery
T1083 File and Directory Discovery
T1016 System Network Configuration Discovery
execution (5)
T1059.003 Windows Command Shell
T1204.002 Malicious File
T1047 Windows Management Instrumentation
T1059.007 JavaScript
T1059.005 Visual Basic
exfiltration (2)
T1567.002 Exfiltration to Cloud Storage
T1030 Data Transfer Size Limits
impact (1)
T1486 Data Encrypted for Impact
initial-access (1)
T1566.001 Spearphishing Attachment
lateral-movement (2)
T1021.001 Remote Desktop Protocol
T1570 Lateral Tool Transfer
privilege-escalation (1)
T1055.001 Dynamic-link Library Injection
resource-development (2)
T1588.002 Tool
T1588.001 Malware
stealth (6)
T1036 Masquerading
T1027 Obfuscated Files or Information
T1218.010 Regsvr32
T1218.011 Rundll32
T1218.005 Mshta
T1055.001 Dynamic-link Library Injection
Indicators of compromise
No IOCs linked to this campaign yet.