# TryHackMe — Conti Ransomware Writeup

**Description**: An Exchange server was compromised with ransomware. Use Splunk to investigate how the attackers compromised the server.

**Challenge Link**: https://tryhackme.com/room/contiransomwarehgh

### **Q1. Can you identify the location of the ransomware?**

To identify the location of the ransomware, we can use the following query:

```
index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 OR EventCode=10 OR EventCode=11 OR EventCode=7 OR EventCode=3 | table Image | dedup Image
```

This query lists every distinct `Image` value across the Sysmon process creation (1), network connection (3), image load (7), process access (10) and file creation (11) events, which makes unusual process execution paths easy to spot. From the results, we observe that a `cmd.exe` process was launched from a suspicious location:

`C:\Users\Administrator\Documents\cmd.exe`

This is unusual because `cmd.exe` is normally located in `C:\Windows\System32\`, indicating potential malicious activity.

### **Q2. What is the Sysmon event ID for the related file creation event?**

According to the Sysmon cheat sheet, the event ID for file creation is `11`.

### **Q3. Can you find the MD5 hash of the ransomware?**

To find the MD5 hash of the ransomware, we can use the following query:

```
index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" "C:\\Users\\Administrator\\Documents\\cmd.exe" | table Image Hashes | dedup Hashes
```

This query filters Sysmon logs for the suspicious `cmd.exe` execution and displays the associated hash values. The Sysmon `Hashes` field carries every algorithm the sensor is configured for as `ALG=value` pairs separated by commas, so the MD5 is the value after `MD5=`.

### **Q4. What file was saved to multiple folder locations?**

We can apply the query shown in the image below. From the results, we observe that the suspicious `cmd.exe` process created `readme.txt` in multiple folder locations.

![4](https://hackmd.io/_uploads/Sk3EmV9Xeg.png)

### **Q5. What was the command the attacker used to add a new user to the compromised system?**

We can apply the query shown in the image below to identify the command.

![5](https://hackmd.io/_uploads/rksQEV5Qle.png)

### **Q6. The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?**

To find the migrated process and the original process, we can use the following query:

```
index=* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
```

From the results, we identified the following:

**Original process image**: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe`

**Migrated process image**: `C:\Windows\System32\wbem\unsecapp.exe`

> Process migration means that an attacker injects code into another process. This technique helps evade detection and maintain persistence by hiding malicious activity inside legitimate system processes.

### **Q7. The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?**

Using the same query from Question 6, we identified a process migration from `unsecapp.exe` to `lsass.exe`.

`lsass.exe` is responsible for authenticating users, either against the domain controller for domain accounts or against the SAM database for local accounts. It also enforces the system's security policies and keeps authentication credentials in its memory in several formats, such as hashes, tickets, tokens, or even plain text. This indicates that the attacker migrated into `lsass.exe` to access and extract the credential data stored in its memory.

### **Q8. What is the web shell the exploit deployed to the system?**

We can apply the query shown in the image below. From the results, we identified a suspicious file with an `.aspx` extension, which indicates a potential web shell uploaded to the system.

![7](https://hackmd.io/_uploads/ByMi2L5Xlg.png)

### **Q9. What is the command line that executed this web shell?**

We can apply the query shown in the image below to identify the command line used to execute the web shell.

![7 - 8](https://hackmd.io/_uploads/Hy7xJDqQgx.png)

### **Q10. What three CVEs did this exploit leverage? Provide the answer in ascending order.**

We used an online search to identify the CVEs and found an article that listed them: https://www.securin.io/articles/is-conti-ransomware-on-a-roll
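The three Splunk checks from Q1, Q3 and Q4 (a system binary running from the wrong directory, the MD5 inside the Sysmon `Hashes` field, and one file name dropped into many folders) can be re-implemented as plain detection logic. The following is an added example written for this writeup, not code from the room or from TryHackMe; the Sysmon field names are real, but the event records, paths and hash values are constructed for illustration, and `EXPECTED_DIRS` is an assumed allow-list of where those binaries normally live.

```python
"""Sysmon triage helpers mirroring the Q1/Q3/Q4 Splunk queries.

Added example; the events below are constructed, not room data.
"""
from collections import defaultdict
from pathlib import PureWindowsPath

# Assumption: where Windows normally ships these binaries (lower-cased).
# Extend this map with any other system binary worth watching.
EXPECTED_DIRS = {
    "cmd.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "powershell.exe": {
        r"c:\windows\system32\windowspowershell\v1.0",
        r"c:\windows\syswow64\windowspowershell\v1.0",
    },
}

# Constructed Sysmon events (EventCode 1 = process create, 3 = network
# connection, 11 = file create). Hash values are placeholders.
EVENTS = [
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "Hashes": "MD5=ffeeddccbbaa99887766554433221100"},
    {"EventCode": 1, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "Hashes": ("SHA1=0000000000000000000000000000000000000000,"
                "MD5=00112233445566778899aabbccddeeff,"
                "SHA256=00000000000000000000000000000000"
                "00000000000000000000000000000000,"
                "IMPHASH=00000000000000000000000000000000")},
    {"EventCode": 3,
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\Users\Administrator\Desktop\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\Users\Administrator\Documents\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\Users\Public\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\notepad.exe",
     "TargetFilename": r"C:\Users\Administrator\notes.txt"},
]


def unusual_image_paths(events):
    """Q1: watched binaries executing from outside their expected directory.

    Returns distinct Image values in first-seen order (like `dedup Image`).
    """
    hits = []
    for ev in events:
        image = ev.get("Image", "")
        path = PureWindowsPath(image)
        expected = EXPECTED_DIRS.get(path.name.lower())
        if expected is None:
            continue  # not a binary we track
        if str(path.parent).lower() not in expected and image not in hits:
            hits.append(image)
    return hits


def parse_hashes(field):
    """Split Sysmon's 'ALG=hex,ALG=hex,...' Hashes field into a dict."""
    parsed = {}
    for part in field.split(","):
        alg, sep, value = part.partition("=")
        if sep:
            parsed[alg.strip().upper()] = value.strip().lower()
    return parsed


def md5_for_image(events, image):
    """Q3: first MD5 logged for the given image path, or None."""
    for ev in events:
        if ev.get("Image", "").lower() == image.lower() and "Hashes" in ev:
            md5 = parse_hashes(ev["Hashes"]).get("MD5")
            if md5:
                return md5
    return None


def files_written_to_many_dirs(events, min_dirs=2):
    """Q4: file names created (EventCode 11) in at least `min_dirs` folders.

    Returns {file name: sorted list of directories it was written to}.
    """
    dirs_by_name = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 11:
            continue
        target = PureWindowsPath(ev["TargetFilename"])
        dirs_by_name[target.name.lower()].add(str(target.parent))
    return {name: sorted(dirs) for name, dirs in dirs_by_name.items()
            if len(dirs) >= min_dirs}


if __name__ == "__main__":
    for image in unusual_image_paths(EVENTS):
        print("unusual path:", image, "MD5:", md5_for_image(EVENTS, image))
    for name, dirs in files_written_to_many_dirs(EVENTS).items():
        print(f"{name} written to {len(dirs)} folders: {dirs}")
```

Keying `files_written_to_many_dirs` on the file name alone is deliberate: a ransom note is recognisable by the same name appearing in every folder the encryptor touched, regardless of which process wrote it, so the writer is looked up afterwards rather than used as part of the key.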
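Q6 and Q7 are answered by reading the Sysmon EventCode 8 (CreateRemoteThread) records by hand: each record names a `SourceImage` and a `TargetImage`, the source that is never itself a target is where the attacker first landed, and a hop whose target is `lsass.exe` points at credential access. The block below, an added example and not part of the original writeup, chains those records automatically; the `SourceImage`/`TargetImage` field names are Sysmon's own, while the event records (including a second, unrelated chain added as noise) are constructed.

```python
"""Chain Sysmon EventCode 8 (CreateRemoteThread) records to reconstruct
process migration, as done by hand in Q6 and Q7.

Added example; the events below are constructed, not room data.
"""
from collections import defaultdict

# Processes whose memory holds credentials; a remote thread created in
# one of these is treated as a credential-access hop.
CREDENTIAL_STORES = {"lsass.exe"}

# Constructed EventCode 8 records. The first two model the writeup's
# powershell -> unsecapp -> lsass chain; the third is unrelated noise.
REMOTE_THREAD_EVENTS = [
    {"EventCode": 8, "UtcTime": "2023-01-01 10:00:07.000",
     "SourceImage": r"C:\Windows\System32\wbem\unsecapp.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventCode": 8, "UtcTime": "2023-01-01 10:00:01.000",
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\wbem\unsecapp.exe"},
    {"EventCode": 8, "UtcTime": "2023-01-01 10:03:00.000",
     "SourceImage": r"C:\Users\Public\agent.exe",        # constructed
     "TargetImage": r"C:\Windows\explorer.exe"},
]


def basename(image):
    """File name component of a Windows image path, lower-cased."""
    return image.rsplit("\\", 1)[-1].lower()


def injection_edges(events):
    """Map SourceImage -> [TargetImage, ...] in chronological order."""
    edges = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev.get("EventCode") != 8:
            continue
        edges[ev["SourceImage"]].append(ev["TargetImage"])
    return dict(edges)


def origin_processes(edges):
    """Sources that were never a target: the attacker's initial foothold(s)."""
    targets = {t for ts in edges.values() for t in ts}
    return sorted(src for src in edges if src not in targets)


def migration_chain(edges, start):
    """Follow the earliest remote thread out of each process, starting at
    `start`, until a process with no further injection is reached."""
    chain = [start]
    visited = {start}
    current = start
    while current in edges:
        nxt = edges[current][0]
        if nxt in visited:
            break  # guard against A -> B -> A loops
        chain.append(nxt)
        visited.add(nxt)
        current = nxt
    return chain


def credential_access_hops(edges):
    """(source, target) pairs where a thread was created in a credential store."""
    return [(src, tgt) for src, tgts in edges.items() for tgt in tgts
            if basename(tgt) in CREDENTIAL_STORES]


if __name__ == "__main__":
    edges = injection_edges(REMOTE_THREAD_EVENTS)
    for origin in origin_processes(edges):
        print("chain from", origin)
        for hop in migration_chain(edges, origin):
            print("   ->", hop)
    for src, tgt in credential_access_hops(edges):
        print("credential access:", src, "->", tgt)
```

Sorting on `UtcTime` before building the edge map matters: Splunk returns newest events first by default, so the lsass hop shows up above the unsecapp hop in the raw results and the chain is easy to read backwards.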