In this post, we investigate a Conti ransomware infection of a Microsoft Exchange server that began with a chain of vulnerabilities. The lab material comes from the TryHackMe Conti room.

Investigating a Ransomware Attack with Splunk

In this article, we get to play the role of a cybersecurity analyst and dive into the aftermath of a nasty Conti ransomware attack on a Microsoft Exchange server. The digital investigation involves using the powerful log analysis tool Splunk to piece together the attacker’s trail from start to finish.

The investigation kicks off with the broadest possible search, pulling in all the data Splunk has collected from the compromised server. This initial mountain of information is then cleverly filtered down. The key, as the presenter points out, is to focus on the most valuable log sources, especially Sysmon, which gives deep insights into what’s happening on the system.

The first big break comes when we start hunting for suspicious executable files. By sifting through the logs and looking at where programs were run from, a strange command executed from the administrator’s “Documents” folder sticks out like a sore thumb; a user’s Documents folder is a very unusual place for system commands to be running from. A quick check of this file’s digital fingerprint (its MD5 hash) on VirusTotal confirms the suspicion: it’s the Conti ransomware.

With the main culprit identified, the investigation follows the trail of destruction. We then look for file creation events (Sysmon Event ID 11) and quickly find that the ransomware has been busy creating its signature “readme.txt” ransom notes all over the server.

Attackers typically try to create a backdoor for themselves. By searching the Security log for event code 4720 (a user account was created), we uncover the creation of a new user account named “security ninja.” A quick pivot back to the Sysmon logs reveals the exact commands the attacker used to not only create this user but also add them to the all-powerful administrators and remote desktop user groups, giving them full access.

The attacker also used a more advanced technique to hide their activity: process migration. By looking for Sysmon Event ID 8 (CreateRemoteThread) events, we uncover that the attacker used PowerShell to inject code into other legitimate system processes, including the highly sensitive lsass.exe, the process that holds Windows user credentials in memory. This is most likely how the attacker obtained the system password hashes used to further compromise the network.

The investigation then turns to how the attackers got in initially. The focus shifts to finding a “webshell”, a malicious script uploaded to a web server to gain remote control. By searching for files with the common .aspx extension, a single webshell is discovered. An alternative method uses the web server’s own IIS logs: unusual POST requests to .aspx paths can also point to a webshell.

Finally, identifying the specific vulnerabilities (the CVE numbers) usually requires external research on Google, but the clues found within Splunk, such as the use of PowerShell and the webshell on an Exchange server, strongly point towards the well-known exploit chain called “ProxyShell.”

Splunk Queries Used

Here is a list of all the search queries that were typed into the Splunk search bar during the investigation:

index=*

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" *.exe | table current_directory, CommandLine, Image, ImageHash, ParentCommandLine, ParentImage

index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" *.exe | table current_directory, CommandLine, Image, ImageHash, ParentCommandLine, ParentImage | dedup current_directory

index=* sourcetype=Sysmon EventCode=11 | table Image, TargetFilename

index=* sourcetype="WinEventLog:Security" EventCode=4720

index=* sourcetype=Sysmon security ninja | table CommandLine, Image, ParentCommandLine

index=* sourcetype=Sysmon EventCode=8 | table SourceImage, TargetImage

index=* sourcetype=Sysmon *.aspx

index=* sourcetype="WinEventLog:Microsoft-Windows-IIS-W3SVC-*" Method=POST | table cs_uri_stem | dedup cs_uri_stem

index=* sourcetype=Sysmon CommandLine=*powershell*

index=* sourcetype=Sysmon powershell
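As an added example that is not part of the original post or the TryHackMe room, the following Python re-implements the triage steps behind the queries above (executables launched from user profiles, one filename written to many directories, CreateRemoteThread into lsass.exe, and POST requests to .aspx paths) over constructed Sysmon and IIS records, so the logic can be exercised without a Splunk instance. The field names mirror the Sysmon and IIS fields used in the SPL; the sample records and paths are constructed.

```python
# Added example (not code from the original post or the TryHackMe room): the triage
# steps behind the Splunk queries above, run offline over constructed Sysmon/IIS records.
import ntpath
from collections import defaultdict

# Constructed sample records; field names mirror those used in the SPL queries above.
RANSOM = r"C:\Users\Administrator\Documents\cmd.exe"
SVCHOST = r"C:\Windows\System32\svchost.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SYSMON = [
    {"EventCode": 1, "Image": RANSOM},
    {"EventCode": 1, "Image": SVCHOST},
    {"EventCode": 11, "Image": RANSOM, "TargetFilename": r"C:\Users\Public\readme.txt"},
    {"EventCode": 11, "Image": RANSOM, "TargetFilename": r"C:\Data\Finance\readme.txt"},
    {"EventCode": 11, "Image": SVCHOST, "TargetFilename": r"C:\Windows\Temp\trace.etl"},
    {"EventCode": 8, "SourceImage": PS, "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventCode": 8, "SourceImage": r"C:\Program Files\Scanner\scan.exe",
     "TargetImage": r"C:\Windows\System32\notepad.exe"},
]
# Constructed IIS entries reduced to the two fields the query needs: Method and cs_uri_stem.
IIS = ["GET /owa/auth/logon.aspx", "POST /owa/auth/i3gfPctK1c2x.aspx",
       "POST /ecp/default.aspx", "POST /owa/auth/i3gfPctK1c2x.aspx"]

def images_from_user_profiles(events, prefix="c:\\users\\"):
    """EventCode 1 images launched from under C:\\Users (cmd.exe in Documents stands out)."""
    return sorted({e["Image"] for e in events
                   if e["EventCode"] == 1 and e["Image"].lower().startswith(prefix)})

def files_created_in_many_dirs(events, min_dirs=2):
    """Filenames written (EventCode 11) to at least min_dirs distinct directories: ransom-note behaviour."""
    dirs = defaultdict(set)
    for e in events:
        if e["EventCode"] == 11:
            target = e["TargetFilename"].lower()
            dirs[ntpath.basename(target)].add(ntpath.dirname(target))
    return {name: len(d) for name, d in dirs.items() if len(d) >= min_dirs}

def remote_threads_into(events, sensitive=("lsass.exe",)):
    """EventCode 8 (CreateRemoteThread) source/target pairs whose target holds credentials."""
    return [(e["SourceImage"], e["TargetImage"]) for e in events
            if e["EventCode"] == 8 and ntpath.basename(e["TargetImage"]).lower() in sensitive]

def posted_aspx_uris(lines):
    """Distinct .aspx URI stems that received POST requests (cf. the dedup cs_uri_stem query)."""
    return sorted({uri for method, uri in (line.split(maxsplit=1) for line in lines)
                   if method == "POST" and uri.lower().endswith(".aspx")})
```

Like the IIS query it mirrors, the POST check returns every .aspx stem that received POSTs, so legitimate Exchange endpoints appear beside the webshell and still need analyst triage.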

TryHackMe Conti Ransomware Room Answers

Can you identify the location of the ransomware?
C:\Users\Administrator\Documents\cmd.exe

What is the Sysmon event ID for the related file creation event?
11

Can you find the MD5 hash of the ransomware?
290c7dfb01e50cea9e19da81a781af2c

What file was saved to multiple folder locations?
readme.txt

What was the command the attacker used to add a new user to the compromised system?
net user /add securityninja hardToHack123$

The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\wbem\unsecapp.exe

The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?
C:\Windows\System32\lsass.exe

What is the web shell the exploit deployed to the system?
i3gfPctK1c2x.aspx

What is the command line that executed this web shell?
attrib.exe -r \\win-aoqkg2as2q7.bellybear.local\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\i3gfPctK1c2x.aspx

What three CVEs did this exploit leverage?
CVE-2020-0796,CVE-2018-13374,CVE-2018-13379

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, a cybersecurity content creator and YouTuber.