
Conti Ransomware Investigation with Splunk

In this post, we will investigate a ransomware incident with Splunk, a popular SIEM tool. Splunk ingests and indexes machine data and gives security teams a single, searchable view of it, along with insight into security activity, so they can detect, analyze, and respond to threats before they disrupt business operations.

We will look at an Exchange server that was compromised with Conti ransomware. We will use Splunk to analyze the logs and investigate how the attackers compromised the server. You can find the link to the TryHackMe room here.

First, let’s go over a few things.

Conti Ransomware

According to Wikipedia, the Conti malware, once deployed on a victim device, not only encrypts data on the device but also spreads to other devices on the network, obfuscates its presence, and provides a remote attacker with control over its actions on the objective. All versions of Microsoft Windows are known to be affected.

Conti was a ransomware variant used to attack more than 900 victims worldwide, including victims in approximately 47 states, the District of Columbia, Puerto Rico, and approximately 31 foreign countries. According to the FBI, in 2021, Conti ransomware was used to attack more critical infrastructure victims than any other ransomware variant. Read up more on this here.

Challenge Scenario

Some employees from your company reported that they can’t log into Outlook. The Exchange system admin also reported that he can’t log in to the Exchange Admin Center. After initial triage, they discovered some weird readme files placed on the Exchange server. Below is a copy of the ransom note.

We are assigned to investigate this situation and will answer the following questions regarding the Conti ransomware incident.

Challenge Questions

Q: Can you identify the location of the ransomware?

We start by adding Splunk’s default index, main, to the search; this is where all the processed data is stored. Next, we change the time range to All time and submit the search. We can see there are 28,145 events.

Next we add the Sysmon sourcetype to the search and look at which event codes are available under the EventCode field.

Sysmon is a free tool used to monitor and log events on host machines. The tool was initially released for Windows hosts and in October 2021, an open-source Linux version of the tool was released. The tool is designed to extend the current logging capabilities in Windows and Linux to aid in understanding and detecting malicious/suspicious system activities by tracking code behaviour and network traffic. It is similar to Windows Event Logs but with further detail and granular control. With this view on the actions, defenders can better detect abnormal behaviour and abuses on a system.

On Windows, all events generated by Sysmon are saved in the Microsoft-Windows-Sysmon/Operational event log; on Linux they go to /var/log/syslog, so that security products that already collect and centralize logs from both operating systems can pick them up. Check here for further information on Sysmon.

Under the EventCode field we can see multiple Event IDs. One that is interesting is Event ID 11 (FileCreate), which is logged when a file is created or overwritten and is useful for identifying whether any suspicious files were created.

We will use the search below to filter for this type of event:

index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11

Looking at the interesting fields, let us check the Image field. In a Sysmon event, Image holds the full path of the executable behind the process that performed the action; for Event ID 11 it is the process that created the file. In simple terms, it tells us which program ran and where on disk its executable is stored. If you want to identify the executable associated with a process running on the system, you can find it in the Image field.

Looking at it, we can see a cmd.exe executable stored in a strange location: a user’s Documents folder rather than C:\Windows\System32, where the genuine binary lives.

Ans: C:\Users\Administrator\Documents\cmd.exe

Q: What is the Sysmon event ID for the related file creation event?

We already know the answer to this from the previous question.

Ans: 11

Q: Can you find the MD5 hash of the ransomware?

To identify this, add the Image value of the cmd.exe executable to the search, then look for the MD5 value in the Hashes field. Adding Hashes=* to the search also works; it returns only events that carry file hashes. A single event is returned, and it shows the hashes of the file.

We can use a hash of the file to check whether the executable is known to be malicious. Any of the hash values will do; let’s take the SHA256, head to VirusTotal, and submit it.

VirusTotal flags the executable as malicious: it is indeed ransomware.

Ans: 290c7dfb01e50cea9e19da81a781af2c

Q: What file was saved to multiple folder locations?

Still working with Sysmon Event ID 11 and the cmd.exe executable, we find an interesting field called TargetFilename. Using the search below, we can identify the same filename being written to multiple locations:

index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" Image="C:\Users\Administrator\Documents\cmd.exe" EventCode=11
| stats count by TargetFilename

Where

  • stats: Provides statistics about an event or result of a search
  • count: Provides the number of occurrences of an event
  • Image: File path of the process that created the file
  • TargetFilename: Name of the file that was created

Ans: readme.txt
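The two Event ID 11 findings above (a system binary running from a user folder, and one filename dropped into many directories) can be checked programmatically once the events are exported. The Python below is an added example, not code from the original post or the TryHackMe room; the Sysmon records are constructed sample data with the same field names Splunk shows (EventCode, Image, TargetFilename), and the list of expected system directories is an assumption you would tune to your own estate.

```python
from collections import defaultdict

# Constructed Sysmon Event ID 11 (FileCreate) records, shaped like the fields
# the Splunk searches above return. The paths are illustrative sample data,
# not the room's logs.
SAMPLE_EVENTS = [
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\Users\Administrator\Desktop\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\Users\Public\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Users\Administrator\Documents\cmd.exe",
     "TargetFilename": r"C:\inetpub\wwwroot\readme.txt"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\svchost.exe",
     "TargetFilename": r"C:\Windows\Temp\update.log"},
    {"EventCode": 11, "Image": r"C:\Windows\System32\cmd.exe",   # the genuine cmd.exe
     "TargetFilename": r"C:\Windows\Temp\update.log"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},    # not a FileCreate event
]

# Directories a genuine copy of these Windows binaries is expected to run from
# (assumed baseline; extend for your environment).
EXPECTED_SYSTEM_DIRS = {"c:\\windows\\system32\\", "c:\\windows\\syswow64\\"}
SYSTEM_BINARIES = {"cmd.exe", "powershell.exe", "rundll32.exe", "regsvr32.exe"}


def win_split(path):
    """Split a Windows path into (directory with trailing backslash, filename),
    both lower-cased so comparisons are case-insensitive like NTFS."""
    head, _, tail = path.lower().rpartition("\\")
    return head + "\\", tail


def misplaced_system_binaries(events):
    """Distinct Image paths of well-known system binaries that created files
    while running from somewhere other than the expected Windows directories
    (the cmd.exe-in-Documents finding above)."""
    found = set()
    for ev in events:
        if ev.get("EventCode") != 11:
            continue
        directory, name = win_split(ev["Image"])
        if name in SYSTEM_BINARIES and directory not in EXPECTED_SYSTEM_DIRS:
            found.add(ev["Image"])
    return sorted(found)


def files_in_multiple_dirs(events, min_dirs=3):
    """Map each created filename to the distinct directories it was written to,
    keeping only names that landed in at least min_dirs places. The SPL
    equivalent is `stats dc(dir) by name`; a ransom note dropped into every
    folder stands out here."""
    dirs_by_name = defaultdict(set)
    for ev in events:
        if ev.get("EventCode") != 11:
            continue
        directory, name = win_split(ev["TargetFilename"])
        dirs_by_name[name].add(directory)
    return {name: sorted(dirs) for name, dirs in dirs_by_name.items()
            if len(dirs) >= min_dirs}


if __name__ == "__main__":
    print("Binaries running from unexpected paths:", misplaced_system_binaries(SAMPLE_EVENTS))
    print("Files written to many directories:", files_in_multiple_dirs(SAMPLE_EVENTS))
```

Run it and the legitimate C:\Windows\System32\cmd.exe is not reported, only the copy under Documents, while readme.txt is the only filename written to three distinct folders. The same two checks translate directly back into SPL as `stats count by Image` filtered on the basename, and `stats dc(dir) by name` after an `eval` that splits TargetFilename.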

Q: What was the command the attacker used to add a new user to the compromised system?

The net command is a built-in Windows tool for performing many administrative tasks from the command line, including managing users, groups, and shares. To add a user with the net command, you run:

net user username password /add

In Sysmon, the CommandLine field of Event ID 1 (ProcessCreate) records the full command line of each process that was started, so it can be used to filter for commands.

We include a wildcard on either side of /add in the CommandLine value so that any command containing /add is matched, whatever its other arguments:

index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" CommandLine="*/add*" | stats count by CommandLine

Looking at the result, we can see that a new user, securityninja, was added to the compromised system:

Ans: net user /add securityninja hardToHack123$
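Note that the attacker put /add before the user name, so a detection that expects the textbook `net user username password /add` order would miss it. The Python below is an added example, not code from the original post or the room: it parses Sysmon Event ID 1 CommandLine values and recognises a `net user ... /add` in either argument order, while ignoring look-alikes such as `net user administrator` (enumeration) and `net localgroup ... /add` (group membership). The command lines are constructed sample data; the first reproduces the argument order seen in this incident.

```python
# Constructed Sysmon Event ID 1 (ProcessCreate) CommandLine values. The first
# mirrors the argument order seen in the investigation (/add before the user
# name); the rest are constructed variants and benign look-alikes.
SAMPLE_COMMAND_LINES = [
    r'"C:\Windows\system32\net.exe" user /add securityninja hardToHack123$',
    r"net user backupsvc P@ss1 /add /domain",
    r"net1 user svc_tmp  /ADD",
    r"net user administrator",                             # enumeration only
    r"net localgroup administrators securityninja /add",   # group change, not a new user
    r"C:\Windows\System32\cmd.exe /c netstat -an",         # 'net' prefix but unrelated
]

NET_BINARIES = {"net", "net.exe", "net1", "net1.exe"}


def parse_net_user_add(cmdline):
    """Return (username, password_or_None) when cmdline is a `net user ... /add`
    invocation, wherever /add appears; otherwise None.
    Whitespace splitting is enough for net.exe syntax; a quoted executable
    path containing spaces is not handled by this toy parser."""
    tokens = cmdline.split()
    if len(tokens) < 3:
        return None
    # Normalise '"C:\Windows\system32\net.exe"' and 'net1' to the bare binary name.
    exe = tokens[0].strip('"').rsplit("\\", 1)[-1].lower()
    if exe not in NET_BINARIES or tokens[1].lower() != "user":
        return None
    switches = [t.lower() for t in tokens[2:] if t.startswith("/")]
    positionals = [t for t in tokens[2:] if not t.startswith("/")]
    if "/add" not in switches or not positionals:
        return None
    username = positionals[0]
    password = positionals[1] if len(positionals) > 1 else None
    return username, password


def find_account_creations(cmdlines):
    """Reduce command lines to (cmdline, username) pairs for each account
    creation, mirroring the */add* search above but without its false hits."""
    hits = []
    for line in cmdlines:
        parsed = parse_net_user_add(line)
        if parsed:
            hits.append((line, parsed[0]))
    return hits


if __name__ == "__main__":
    for line, user in find_account_creations(SAMPLE_COMMAND_LINES):
        print(f"account created: {user!r} via {line}")
```

In a real investigation, corroborate each hit with Windows Security Event ID 4720 (a user account was created) from the same host, which records the new account independently of how it was created.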

Q: The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?

An executable stored on disk is called a program, and a program loaded into memory and running is called a process. When a process is started, it is given a unique number called process ID (PID) that identifies that process to the system. If you ever need to kill a process, for example, you can refer to it by its PID.

We can use Sysmon Event ID 8 (CreateRemoteThread), which is logged when a process creates a thread in another process. Malware uses this technique to inject code into, and hide inside, other processes. The event records both the source and the target process. We will use the search below to filter for Event ID 8 and list the source and target processes:

index=main sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| table SourceImage, TargetImage

Where

  • table: Takes a result set and places the specific fields into a tabular view
  • SourceImage: File path of the source process that created a thread in another process
  • TargetImage: File path of the target process

Looking at the resulting table, we see that powershell.exe was launched and then migrated into unsecapp.exe.

Ans: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, C:\Windows\System32\wbem\unsecapp.exe

Q: The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?

If we refer to the output of the Event ID 8 search from the previous question, we can see that a second process migration takes place, from unsecapp.exe into lsass.exe:

The LSA (Local Security Authority) validates user logons by checking the Security Accounts Manager (SAM) database on the same computer; the process that hosts it is lsass.exe. It is a common post-exploitation target for attackers and malware, who dump the password hashes stored in the SAM database or held in the memory of LSASS (domain and local usernames and credentials are cached there too) for lateral movement and privilege escalation.

Ans: C:\Windows\System32\lsass.exe
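The two migration questions above are really one question about a chain: follow SourceImage to TargetImage edges from the process that started it all, and flag any edge whose target is lsass.exe. The Python below is an added example, not code from the original post or the room; the Event ID 8 records are constructed sample data whose first two entries reproduce the powershell.exe to unsecapp.exe to lsass.exe chain found here, plus one unrelated edge as noise.

```python
# Constructed Sysmon Event ID 8 (CreateRemoteThread) records shaped like the
# SourceImage/TargetImage pairs the table command above prints. The first two
# reproduce the chain found in the investigation; the third is sample noise.
SAMPLE_EVENTS = [
    {"EventCode": 8,
     "SourceImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetImage": r"C:\Windows\System32\wbem\unsecapp.exe"},
    {"EventCode": 8,
     "SourceImage": r"C:\Windows\System32\wbem\unsecapp.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"EventCode": 8,
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\svchost.exe"},
    {"EventCode": 1, "Image": r"C:\Windows\System32\cmd.exe"},   # ignored: not Event ID 8
]


def injection_edges(events):
    """(SourceImage, TargetImage) pairs from every CreateRemoteThread event."""
    return [(e["SourceImage"], e["TargetImage"])
            for e in events if e.get("EventCode") == 8]


def injection_chains(events):
    """Follow Source -> Target edges starting from each origin (a source that
    is never itself a target) and return every complete chain. For this
    incident that yields powershell.exe -> unsecapp.exe -> lsass.exe."""
    edges = injection_edges(events)
    successors = {}
    for src, dst in edges:
        successors.setdefault(src, []).append(dst)
    targets = {dst for _, dst in edges}
    # dict.fromkeys de-duplicates while preserving first-seen order
    origins = list(dict.fromkeys(src for src, _ in edges if src not in targets))

    chains = []

    def walk(node, path, seen):
        nexts = successors.get(node, [])
        if not nexts:
            chains.append(path)
            return
        for nxt in nexts:
            if nxt in seen:          # guard against cycles in noisy data
                chains.append(path)
                continue
            walk(nxt, path + [nxt], seen | {nxt})

    for origin in origins:
        walk(origin, [origin], {origin})
    return chains


def lsass_accessors(events):
    """Source processes that created a thread inside lsass.exe, the behaviour
    behind the credential-dumping step above."""
    return sorted({src for src, dst in injection_edges(events)
                   if dst.lower().endswith("\\lsass.exe")})


if __name__ == "__main__":
    for chain in injection_chains(SAMPLE_EVENTS):
        print(" -> ".join(chain))
    print("Touched LSASS:", lsass_accessors(SAMPLE_EVENTS))
```

The chain walker answers both questions at once: the first element of the chain is the original foothold process and the last is where the attacker ended up. Any edge into lsass.exe from a process that is not a known security product is worth an alert on its own, which is what the mitigation list at the end of this post means by monitoring abnormal LSASS access.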

Q: What is the web shell the exploit deployed to the system?

Before we begin answering this, let’s go over a few terms

Internet Information Services (IIS) is a Microsoft web server that runs on the Windows operating system. As a core Windows product, IIS comes integrated with Windows Server. It can host enterprise web applications, websites, and WCF services, and is often compared with the well-known Apache HTTP Server. While IIS is proprietary and owned by Microsoft, Apache HTTP Server is open source (it is not restricted to one operating system, but it is most often run on Linux).

Web shells are a common way for attackers to gain the ability to run commands on a server while avoiding detection by hiding in the “noise” of normal web traffic, and security breaches often include one. A web shell is a file that the web server parses and executes as code, sending the results back to the originator of the web request. They are written in web programming languages such as PHP, Java, Perl and others, and are designed to give their users a means of executing arbitrary commands on the web server. A malicious web shell is an illicit script that intentionally introduces a command injection vulnerability: it presents a means by which an attacker can pass arguments in and have them executed on the target host. This allows attackers to modify or exfiltrate data, install malware, and carry out further reconnaissance of the environment.

IIS can be used to host, deploy, and manage web applications built with technologies such as ASP.NET and PHP. A file with the .aspx extension is an Active Server Page Extended file designed for Microsoft’s ASP.NET framework, so web shells deployed on IIS in a Microsoft environment are typically written as .aspx files.

To answer this question, we change the sourcetype from Sysmon to IIS, since the IIS logs record requests for web pages. We then filter the IIS events for POST requests whose URL contains a common web shell file extension (.php, .asp, .aspx, .jsp):

index=main sourcetype=iis cs_method=POST
| search *.php* OR *.asp* OR *.aspx* OR *.jsp*

Where

  • cs_method: The HTTP method used by the client, e.g. GET or POST

Under the cs_uri_stem field (the URL path requested by the client, i.e. the file being requested), we can see a suspicious-looking filename with the .aspx extension:

Ans: i3gfPctK1c2x.aspx
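The IIS search above works because a web shell is a script file that receives POST requests yet is not one of the application’s known endpoints. The Python below is an added example, not code from the original post or the room: it parses a W3C-format IIS log excerpt the way Splunk’s iis sourcetype names the fields (cs-method becomes cs_method), groups POSTs to script files by cs_uri_stem, and reports the stems missing from a baseline of known endpoints. The log lines, client addresses and the baseline are constructed sample data; only the web shell filename comes from the investigation.

```python
import re

# Constructed W3C-format IIS log excerpt. The web shell filename is the one
# identified above; every other path, address and timestamp is sample data.
SAMPLE_IIS_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2021-06-01 10:00:01 10.0.0.5 POST /owa/auth/logon.aspx - 443 10.0.0.21 200
2021-06-01 10:00:07 10.0.0.5 GET /owa/auth/themes/resources/logo.png - 443 10.0.0.21 200
2021-06-01 10:01:13 10.0.0.5 POST /owa/auth/i3gfPctK1c2x.aspx - 443 198.51.100.7 200
2021-06-01 10:01:20 10.0.0.5 POST /owa/auth/i3gfPctK1c2x.aspx - 443 198.51.100.7 200
2021-06-01 10:02:02 10.0.0.5 POST /ecp/default.aspx - 443 10.0.0.22 200
"""

# Assumed baseline of script endpoints the application legitimately serves.
KNOWN_STEMS = {"/owa/auth/logon.aspx", "/ecp/default.aspx"}
# The common web shell extensions from the Splunk search above.
SCRIPT_EXT = (".php", ".asp", ".aspx", ".jsp")


def splunk_field_name(w3c_name):
    """Mimic Splunk's iis sourcetype renaming: cs-method -> cs_method,
    cs(User-Agent) -> cs_User_Agent."""
    return re.sub(r"[^A-Za-z0-9_]", "_", w3c_name).strip("_")


def parse_iis(text):
    """Parse W3C extended log text into dicts keyed by Splunk-style field names.
    IIS encodes spaces inside values as '+', so whitespace splitting is safe."""
    fields, rows = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#Fields:"):
            fields = [splunk_field_name(f) for f in line.split()[1:]]
            continue
        if line.startswith("#"):
            continue  # other directives (#Software, #Date, ...)
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # malformed line: skip rather than misalign columns
        rows.append(dict(zip(fields, values)))
    return rows


def script_posts(rows):
    """Group POST requests to script files by cs_uri_stem, like the
    `cs_method=POST | search *.aspx* ...` query, with a count and client set."""
    agg = {}
    for r in rows:
        stem = r.get("cs_uri_stem", "")
        if r.get("cs_method", "").upper() != "POST":
            continue
        if not stem.lower().endswith(SCRIPT_EXT):
            continue
        entry = agg.setdefault(stem, {"count": 0, "clients": set()})
        entry["count"] += 1
        entry["clients"].add(r.get("c_ip"))
    return agg


def webshell_candidates(rows, known_stems):
    """Script stems receiving POSTs that are absent from the baseline."""
    known = {k.lower() for k in known_stems}
    return sorted(stem for stem in script_posts(rows) if stem.lower() not in known)


if __name__ == "__main__":
    rows = parse_iis(SAMPLE_IIS_LOG)
    for stem in webshell_candidates(rows, KNOWN_STEMS):
        info = script_posts(rows)[stem]
        print(stem, info["count"], "POSTs from", sorted(info["clients"]))
```

On the sample log the only stem outside the baseline is /owa/auth/i3gfPctK1c2x.aspx, posted to twice from a single external address. Building the baseline from a known-good period of the same logs, rather than by hand, is the practical way to run this at scale; in SPL the equivalent is a `stats count dc(c_ip) by cs_uri_stem` compared against a lookup of expected stems.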

Q: What is the command line that executed this web shell?

We change the sourcetype back to Sysmon and search for the .aspx web shell identified in the previous question:

index=main i3gfPctK1c2x.aspx sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational"

Under the CommandLine field, we can see the command used to execute the web shell:

Ans: attrib.exe -r \\win-aoqkg2as2q7.bellybear.local\C$\Program Files\Microsoft\Exchange Server\V15\FrontEnd\HttpProxy\owa\auth\i3gfPctK1c2x.aspx

Q: What three CVEs did this exploit leverage?

This question asks for the three CVE (Common Vulnerabilities and Exposures) IDs leveraged by the exploit used in this incident. CVE is a catalogue of publicly disclosed vulnerabilities: the mission of the CVE Program is to identify, define, and catalogue them, so that two or more parties can confidently refer to the same CVE ID when discussing or sharing information about a specific vulnerability. There is one CVE Record for each vulnerability on the CVE List. Vulnerabilities are first discovered and then reported to the CVE Program, which assigns each one a unique alphanumeric identifier. CVE IDs have the following format:

CVE prefix + Year + Arbitrary Digits

After research and googling, the CVE IDs were found in this article.

Ans: CVE-2020-0796, CVE-2018-13374, CVE-2018-13379

Summary

From our investigation, we can reconstruct how the incident occurred. The threat actor first exploited several vulnerabilities in the Microsoft Exchange server to compromise the victim machine. They gained a foothold via PowerShell, then migrated into another process for persistence. They then deployed a web shell and executed commands to retrieve the ransomware.

Mitigation Steps and Ways to Protect Systems from Ransomware

Defensive tactics that effectively prevent a successful Conti ransomware attack are similar to those used against other malware:

  • Deploy patches promptly to fix exposed vulnerabilities before they can be exploited.
  • Build a hardened authentication architecture and implement secure access controls so that malware cannot reach sensitive resources.
  • Detect suspicious web traffic, URL parameters, and suspicious URLs.
  • Implement in-depth monitoring of web server process creation.
  • Monitor and detect abnormal LSASS process access and injection, and child processes spawning from LSASS, to catch LSASS memory theft.
  • Run user-awareness training to reduce security incidents from phishing-based attacks.
  • Install advanced endpoint detection and response products to enable timely identification and remediation of systems in the event of a breach.

Conclusion

In this article, we investigated a ransomware incident with the Splunk SIEM tool and offered solutions to mitigate such an attack. Conti ransomware is one of the most prolific ransomware variants used in cyberattacks.
