Using Splunk with Sysmon & IIS logs to track Conti ransomware. A practice tabletop exercise for learning to better utilize Splunk.
This challenge originally comes from TryHackMe and is an exercise in finding evidence of an attacker's movement within Sysmon & Windows Server logs.
This writeup/tabletop is an attempt to further understand Splunk searching & the IOCs of Conti.
- Employees begin experiencing issues logging into Microsoft Outlook.
- The Exchange system admin cannot log into the Exchange admin center.
- A readme file is found on the Exchange server containing the common Conti ransomware message about encrypted data.
The first step in this exercise is to locate the malware within the system. This exercise assumes the attacker already has initial access. Using the Sysmon reference guide, we see that Event ID 11 (FileCreate) is logged when a file is created. I will search using EventCode=11 and look under the Image field for any standout values. A cmd.exe located in the Administrator's Documents folder stands out as abnormal, since the legitimate cmd.exe lives in C:\Windows\System32.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
We can verify that this file is malicious by getting its MD5 hash. I will specify the cmd.exe Image from above and add md5 as a search term to pull up the events that carry the hash. Heading over to VirusTotal, we can search using the hash and see that this file is indeed malicious and has been categorized as Conti ransomware by various security vendors.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\Users\Administrator\Documents\cmd.exe" md5
Ransomware usually comes with some form of ransom note. I will use the same search as above minus the md5 term and look under the TargetFilename field. We can see the readme.txt files that have been created.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\Users\Administrator\Documents\cmd.exe"
Knowing how users are added or edited on Windows can be helpful in finding other IOCs. By searching the CommandLine field for keywords like "net", "user" & "/add" we can quickly find that the attacker added a new user. Note that a Splunk field match is exact unless wildcards are used, so the value needs surrounding asterisks to match anywhere inside a longer command line.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="*/add*"
Referencing the Sysmon guide again, we find that Event ID 8, CreateRemoteThread, is logged when a process creates a thread in another process. The guide states that this technique is used by malware to inject code and hide in other processes. Searching on this EventCode and looking at the SourceImage field shows that the attacker migrated into PowerShell for better persistence.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
Using the same search as above but looking under the TargetImage field, we can see that a remote thread was created in lsass.exe, the process that holds logged-on credentials, which is how the attacker dumped the system hashes.
index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
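The three Sysmon searches above (cmd.exe created outside its normal location, a user added via net user /add, and a remote thread created in lsass.exe) re-implemented in plain Python so the detection logic can be read and tested without a Splunk instance. This is an added example, not part of the original writeup or the TryHackMe room; the records below are hand-written sample data that borrow Sysmon's field names (EventCode, Image, TargetFilename, CommandLine, SourceImage, TargetImage), and every path and account name in them is illustrative.

```python
# Added example: Sysmon-style detections over constructed sample records.
# The events are hand-written to mirror Sysmon field names; they are not
# real telemetry from the exercise.
from typing import Dict, List

SYSMON_EVENTS: List[Dict[str, str]] = [
    # Event ID 11 (FileCreate): a file named cmd.exe dropped in a user profile
    {"EventCode": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Administrator\\Documents\\cmd.exe"},
    # Event ID 11: ordinary file creation by Explorer
    {"EventCode": "11", "Image": "C:\\Windows\\explorer.exe",
     "TargetFilename": "C:\\Users\\Administrator\\Documents\\notes.txt"},
    # Event ID 11: ransom note written by the dropped binary
    {"EventCode": "11", "Image": "C:\\Users\\Administrator\\Documents\\cmd.exe",
     "TargetFilename": "C:\\Users\\Administrator\\Desktop\\readme.txt"},
    # Event ID 1 (ProcessCreate): local account added from the command line
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user backdoor P@ssw0rd /add"},
    # Event ID 1: harmless net command, must not match
    {"EventCode": "1", "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net view"},
    # Event ID 8 (CreateRemoteThread): thread created inside lsass.exe
    {"EventCode": "8", "SourceImage": "C:\\Users\\Administrator\\Documents\\cmd.exe",
     "TargetImage": "C:\\Windows\\System32\\lsass.exe"},
    # Event ID 8: thread created inside PowerShell (migration for persistence)
    {"EventCode": "8", "SourceImage": "C:\\Users\\Administrator\\Documents\\cmd.exe",
     "TargetImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
]

# Directories from which the real cmd.exe is expected to run (lower-cased).
EXPECTED_CMD_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def basename(path: str) -> str:
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def dropped_system_binaries(events: List[Dict[str, str]], name: str = "cmd.exe") -> List[str]:
    """Event ID 11 records that create a file named like a system binary
    outside its expected directories (the cmd.exe-in-Documents finding)."""
    hits = []
    for ev in events:
        if ev.get("EventCode") != "11":
            continue
        target = ev.get("TargetFilename", "")
        if basename(target) == name and not target.lower().startswith(EXPECTED_CMD_DIRS):
            hits.append(target)
    return hits


def files_written_by(events: List[Dict[str, str]], image: str) -> List[str]:
    """TargetFilename of every Event ID 11 record whose Image matches (ransom notes)."""
    return [ev["TargetFilename"] for ev in events
            if ev.get("EventCode") == "11" and ev.get("Image", "").lower() == image.lower()]


def user_additions(events: List[Dict[str, str]]) -> List[str]:
    """Event ID 1 command lines that add a local account with net user ... /add.
    Token match on the command line, the equivalent of CommandLine="*/add*" in Splunk."""
    out = []
    for ev in events:
        tokens = ev.get("CommandLine", "").lower().split()
        if ev.get("EventCode") == "1" and "net" in tokens and "user" in tokens and "/add" in tokens:
            out.append(ev["CommandLine"])
    return out


def remote_threads_into(events: List[Dict[str, str]], target_name: str) -> List[str]:
    """SourceImage of Event ID 8 records whose TargetImage is the given binary."""
    return [ev["SourceImage"] for ev in events
            if ev.get("EventCode") == "8" and basename(ev.get("TargetImage", "")) == target_name]


if __name__ == "__main__":
    print("dropped binaries:", dropped_system_binaries(SYSMON_EVENTS))
    print("written by cmd.exe:", files_written_by(SYSMON_EVENTS, "C:\\Users\\Administrator\\Documents\\cmd.exe"))
    print("user additions:", user_additions(SYSMON_EVENTS))
    print("threads into lsass:", remote_threads_into(SYSMON_EVENTS, "lsass.exe"))
```

Each function mirrors one of the SPL searches: the first two correspond to the EventCode=11 queries, the third to the CommandLine search, and the last to the EventCode=8 search pivoted on TargetImage. Matching on the token list rather than a raw substring keeps "net view" or an "internet" argument from triggering the user-addition check.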
In this exercise we also have access to IIS (Windows Server) logs. IIS, or Internet Information Services, logs can provide crucial IOCs, especially if the attacker used a web shell to gain access to the system. We can search these logs for the HTTP POST method and for common web shell file types like php, asp, aspx, py, prl and rb (the query below also covers jsp).
index=main sourcetype=iis cs_method=POST | search .php OR .asp OR .aspx OR .jsp OR .prl OR .py OR .rb
Finally, heading back to our Sysmon logs, let's see if we can track down how this web shell was executed. We can do this by searching for the .aspx file we previously found and checking the CommandLine field.
index=main i3gfPctK1c2x.aspx sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"
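The last two steps, finding POST requests to script files in the IIS logs and then pivoting on the discovered file name into the Sysmon CommandLine field, carried out in plain Python over constructed data. This is an added example and not part of the original writeup: it includes a small parser for the W3C extended log format IIS writes (Splunk's iis sourcetype renames the W3C field cs-method to cs_method, which is why the SPL query above uses the underscore form). The web shell file name i3gfPctK1c2x.aspx is the one the writeup found; the directory it sits in, the IP addresses, timestamps, user agents and the Sysmon command lines are hand-written sample data.

```python
# Added example: IIS W3C log parsing plus a pivot into Sysmon command lines.
# All log lines and events below are constructed sample data.
from typing import Dict, List, Tuple

IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(User-Agent) sc-status
2023-01-01 10:00:00 10.0.0.5 GET /owa/ - 443 10.0.0.9 Mozilla/5.0 200
2023-01-01 10:00:05 10.0.0.5 POST /owa/auth/i3gfPctK1c2x.aspx - 443 203.0.113.7 python-requests/2.28 200
2023-01-01 10:00:07 10.0.0.5 POST /owa/auth.owa - 443 10.0.0.9 Mozilla/5.0 302
2023-01-01 10:00:09 10.0.0.5 POST /owa/auth/i3gfPctK1c2x.aspx - 443 203.0.113.7 python-requests/2.28 200
2023-01-01 10:00:12 10.0.0.5 GET /ecp/default.aspx - 443 10.0.0.9 Mozilla/5.0 200
"""

# Script extensions from the writeup's search (jsp appears in its SPL query).
SHELL_EXTENSIONS = (".php", ".asp", ".aspx", ".jsp", ".prl", ".py", ".rb")

# Constructed Sysmon Event ID 1 records; the directory under inetpub is illustrative.
SYSMON_PROCESS_EVENTS: List[Dict[str, str]] = [
    {"EventCode": "1", "ParentImage": "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c attrib +h C:\\inetpub\\wwwroot\\owa\\auth\\i3gfPctK1c2x.aspx"},
    {"EventCode": "1", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\notepad.exe",
     "CommandLine": "notepad.exe C:\\Users\\Administrator\\Documents\\notes.txt"},
]


def parse_iis_w3c(text: str) -> List[Dict[str, str]]:
    """Parse W3C extended log lines into dicts keyed by the names in the #Fields header."""
    fields: List[str] = []
    rows: List[Dict[str, str]] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # header defines the column order
        elif line.startswith("#") or not line.strip():
            continue                           # other directives and blank lines
        else:
            values = line.split()
            if fields and len(values) == len(fields):
                rows.append(dict(zip(fields, values)))
    return rows


def post_to_script(rows: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """POST requests whose URI stem ends in a script extension, returned as
    (client ip, uri) pairs; the equivalent of cs_method=POST | search .php OR ..."""
    return [(r["c-ip"], r["cs-uri-stem"]) for r in rows
            if r.get("cs-method") == "POST"
            and r.get("cs-uri-stem", "").lower().endswith(SHELL_EXTENSIONS)]


def commands_referencing(events: List[Dict[str, str]], filename: str) -> List[str]:
    """Sysmon command lines that mention the given file name (the final pivot)."""
    return [ev["CommandLine"] for ev in events
            if filename.lower() in ev.get("CommandLine", "").lower()]


def trace_web_shell(iis_text: str, events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Map each script file that received POSTs to the command lines that reference it."""
    names = sorted({uri.rsplit("/", 1)[-1] for _, uri in post_to_script(parse_iis_w3c(iis_text))})
    return {name: commands_referencing(events, name) for name in names}


if __name__ == "__main__":
    for ip, uri in post_to_script(parse_iis_w3c(IIS_LOG)):
        print("POST to script:", ip, uri)
    print(trace_web_shell(IIS_LOG, SYSMON_PROCESS_EVENTS))
```

The endswith check on the full extension tuple is what keeps /owa/auth.owa (a normal Outlook Web App endpoint) out of the results while still catching every POST to the .aspx file, and pivoting on the bare file name rather than the URI path matters because the on-disk path in the command line will not match the web path from the IIS log.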