Conti | splunk exercise.
Some employees from your company reported that they can’t log into Outlook. The Exchange system admin also reported that he can’t log in to the Exchange Admin Center. After initial triage, they discovered some weird readme files settled on the Exchange server.
Below is a copy of the ransomware note.
Warning: Do NOT attempt to visit and/or interact with any URLs displayed in the ransom note.
Read the latest on the Conti ransomware here.
IOC and Hours: 12:52:09.000 PM
Answers:
Can you identify the location of the ransomware?
Answer: C:\Users\Administrator\Documents\cmd.exe

| Date | Hour |
| --- | --- |
| 9/8/21 | 1:05:32.000 PM |
Question 1
What is the Sysmon event ID for the related file creation event? Answer: 11
Resolve: File create operations are logged when a file is created or overwritten. This event is useful for monitoring autostart locations, like the Startup folder, as well as temporary and download directories, which are common places malware drops during initial infection.
URL: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=90011
Question 2
Can you find the MD5 hash of the ransomware?
Answer: MD5: 290C7DFB01E50CEA9E19DA81A781AF2C (SHA256: 53b1c1b2f41a7fc300e97d036e57539453ff82001dd3f6abf07f4896b1f9ca22)
Question 3
What file was saved to multiple folder locations? Answer: Readme.txt
Resolve: Knowing that the ransomware ran from c:\\Users\\Administrator\\Documents\\cmd.exe and that Sysmon provides the logs, we can filter in Splunk on the event ID for file creation, because copying a file to another location creates a new file there. That ID is 11 (see Question 1).
Using this query: `* sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" "eventcode=11" Image="c:\\Users\\Administrator\\Documents\\cmd.exe"`, we can then look at the "TargetFilename" field (that's the file that was written to disk) and see that readme.txt was created in almost 18 different directories.
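Added example, not part of the original write-up: the same logic as the Event ID 11 search above, written in Python instead of SPL, so the fan-out pattern (one process creating the same file name in many directories) can be checked on exported records. The records are constructed and the blank-line separator between them is an assumption.

```python
import ntpath
from collections import defaultdict

# Constructed Sysmon records in the "EventCode=" / "Key: Value" layout Splunk
# shows as raw text for this sourcetype. The paths mirror the write-up, but
# the events themselves are made up for this example.
SAMPLE_EVENTS = """\
EventCode=11
Image: C:\\Users\\Administrator\\Documents\\cmd.exe
TargetFilename: C:\\Users\\Administrator\\Desktop\\readme.txt

EventCode=11
Image: C:\\Users\\Administrator\\Documents\\cmd.exe
TargetFilename: C:\\Users\\Public\\Readme.txt

EventCode=11
Image: C:\\Users\\Administrator\\Documents\\cmd.exe
TargetFilename: C:\\inetpub\\wwwroot\\readme.txt

EventCode=11
Image: C:\\Windows\\System32\\notepad.exe
TargetFilename: C:\\Users\\Administrator\\Desktop\\notes.txt
"""

def parse_events(raw):
    """Blank-line separated events -> list of {field: value} dicts."""
    events = []
    for chunk in raw.strip().split("\n\n"):
        fields = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")  # Sysmon message lines
            if not sep:
                key, _, value = line.partition("=")  # Splunk header lines
            fields[key.strip()] = value.strip()
        events.append(fields)
    return events

def note_drop_fanout(events, min_dirs=3):
    """(Image, lower-cased file name) -> sorted distinct directories, kept only
    where one process created the same file name in >= min_dirs directories:
    the fan-out the ransom note drop shows in the Event ID 11 search above."""
    dirs = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != "11":
            continue
        target = ev.get("TargetFilename", "")
        key = (ev.get("Image", ""), ntpath.basename(target).lower())
        dirs[key].add(ntpath.dirname(target).lower())  # repeats collapse
    return {k: sorted(v) for k, v in dirs.items() if len(v) >= min_dirs}
```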
Question 4
What was the command the attacker used to add a new user to the compromised system? Answer: net user /add securityninja hardToHack123$
Resolve:
To get this information you need to know about Sysmon Event ID 1 (process creation) and about the net user command.
Here are some definitions:
Sysmon Event ID 1: The process creation event provides extended information about a newly created process. The full command line provides context on the process execution. The ProcessGUID field is a unique value for this process across a domain to make event correlation easier. The hash is a full hash of the file with the algorithms in the HashType field.
[[Net user]]
The net user command allows you to add, modify, or delete user accounts, and display detailed information about user accounts on a local computer or domain.
Once you understand what is happening, you only need to run this query in Splunk:
- sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" "eventcode=1" net user
If you open one of the results, you can see more information about which user was created.
Here you can get the specific log that shows you the answer.
Question 5
The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?
Answer: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,C:\Windows\System32\wbem\unsecapp.exe
Reason: Sysmon has an event ID for this situation. Sysmon Event ID 8, CreateRemoteThread, detects when a process creates a thread in another process, a key technique used for code injection. When we filter for this event code we see that powershell.exe is used to migrate into the process with ID 5016. Searching for this process we see that it is related to the "cmd.exe" located in the C:\Users\Administrator\Documents\ directory.
So looking for the renamed file we get the name C:\\Windows\\System32\\wbem\\unsecapp.exe
Question 6
The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?
Answer: C:\Windows\System32\lsass.exe
This is an easy one because tools like Mimikatz and ProcDump use this process to evade defenses and detection, as you can see below:
To get the answer, keep analyzing the same logs using this query:
- sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" "eventcode=8"
Question 7
What is the web shell the exploit deployed to the system?
Answer: i3gfPctK1c2x.aspx
What is the command line that executed this web shell?
Answer: attrib.exe -r \\\\win-aoqkg2as2q7.bellybear.local\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\i3gfPctK1c2x.aspx