
Conti

An Exchange server was compromised with ransomware. Use Splunk to investigate how the attackers compromised the server.

medium

45 min


Task 1: SITREP

Some employees from your company reported that they can't log into Outlook. The Exchange system admin also reported that he can't log in to the Exchange Admin Center. During initial triage, they discovered some suspicious readme files on the Exchange server.

Below is a copy of the ransomware note.


Warning: Do NOT attempt to visit and/or interact with any URLs displayed in the ransom note. 

Read the latest on the Conti ransomware here


Connect to OpenVPN or use the AttackBox to access the attached Splunk instance. 

Splunk Interface Credentials:

Username: bellybear

Password: password!!!

Splunk URL: http://MACHINE_IP:8000

Special thanks to Bohan Zhang for this challenge.

Answer the questions below
Start the attached virtual machine.

Below are the error messages that the Exchange admin and employees see when they try to access anything related to Exchange or Outlook.

Exchange Control Panel: [screenshot of the error message shown when accessing the Exchange Control Panel]

Outlook Web Access: [screenshot of the error message shown when accessing Outlook Web Access]


Task: You are assigned to investigate this situation. Use Splunk to answer the questions below regarding the Conti ransomware. 

Answer the questions below
Can you identify the location of the ransomware?

What is the Sysmon event ID for the related file creation event?

Can you find the MD5 hash of the ransomware?

What file was saved to multiple folder locations?

What was the command the attacker used to add a new user to the compromised system?

The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?

The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?

What is the web shell the exploit deployed to the system?

What is the command line that executed this web shell?

What three CVEs did this exploit leverage? Provide the answer in ascending order.
