In this post, we investigated the Conti ransomware that hit Microsoft Exchange via a series of vulnerabilities. We used lab material from TryHackMe Conti room.

Microsoft exchange server was vulnerable to CVE-2020-0796, CVE-2018-13374 and CVE-2018-13379 which made it open for other sorts of attacks such as the one discussed in this post, the Conti Ransomware attack on Microsoft Exchange.

The ransomware was delivered through exploiting the above mentioned vulnerabilities and gaining a reverse shell through Powershell. The attackers then migrated to other processes to establish persistence and uplodaed a webshell through which they were able to download the Conti ransomware and encrypt files on workstations.

You can check a full detailed post here

Get Splunk Field Notes

Task Answers

Can you identify the location of the ransomware?
What is the Sysmon event ID for the related file creation event?

Can you find the MD5 hash of the ransomware?

What file was saved to multiple folder locations?

What was the command the attacker used to add a new user to the compromised system?

net user /add securityninja hardToHack123$
The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?

The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?

What is the web shell the exploit deployed to the system?

What is the command line that executed this web shell?

attrib.exe -r \\win-aoqkg2as2q7.bellybear.local\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\i3gfPctK1c2x.aspx
What three CVEs did this exploit leverage?


Video Walk-Through

About the Author

I create cybersecurity notes, digital marketing notes and online courses. I also provide digital marketing consulting including but not limited to SEO, Google & Meta ads and CRM administration.

View Articles