An Exchange server was compromised with ransomware. Use Splunk to investigate how the attackers compromised the server.

Login to the Splunk server with the credentials provided by THM.

Can you identify the location of the ransomware?

Use WinEventLog as the sourcetype to find all Sysmon activity.

Find the Event ID that represents file creation.

A suspicious executable file can be found in the documents folder.

What is the Sysmon event ID for the related file creation event?

Refer to the question above.

Can you find the MD5 hash of the ransomware?

Search for that file and read off its MD5 hash.

What file was saved to multiple folder locations?

To find the multiple locations, group the results with stats count by.

What was the command the attacker used to add a new user to the compromised system?

New users are created with the net user /add command. Search for that command.

The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?

Search for Event ID 8.

The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?

Refer to the question above.

What is the web shell the exploit deployed to the system?

Use the iis sourcetype, which holds the Internet Information Services (IIS) web server logs. Add the known web shell parameters to the search.

A suspicious web shell can be seen.

What is the command line that executed this web shell?

Use the Sysmon sourcetype and add the name of the suspicious web shell to the search to find the command line that executed it.

What three CVEs did this exploit leverage?
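The Sysmon side of the hunt described in the hints above, reproduced as an added Python example (not part of the original walkthrough) over a handful of constructed Sysmon-style events. Each function mirrors the Splunk search a reader would type, given in the comment above it, and assumes the field names the Splunk Windows add-on extracts (EventCode, Image, TargetFilename, Hashes, CommandLine, SourceImage, TargetImage); the file names, user name and hash are placeholders, not the room's data.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (placeholder names and hash, not the room's data).
# Sysmon Event IDs: 1 = ProcessCreate, 8 = CreateRemoteThread, 11 = FileCreate.
EVENTS = [
    {"EventCode": 11, "Image": "C:\\Windows\\System32\\cmd.exe",
     "TargetFilename": "C:\\Users\\Administrator\\Documents\\suspect.exe"},
    {"EventCode": 11, "Image": "C:\\Users\\Administrator\\Documents\\suspect.exe",
     "TargetFilename": "C:\\Users\\Public\\readme.txt"},
    {"EventCode": 11, "Image": "C:\\Users\\Administrator\\Documents\\suspect.exe",
     "TargetFilename": "C:\\Users\\Administrator\\Desktop\\readme.txt"},
    {"EventCode": 1, "Image": "C:\\Users\\Administrator\\Documents\\suspect.exe",
     "CommandLine": "suspect.exe", "Hashes": "MD5=0123456789ABCDEF0123456789ABCDEF"},
    {"EventCode": 1, "Image": "C:\\Windows\\System32\\net.exe",
     "CommandLine": "net user svc_backup /add"},
    {"EventCode": 8, "SourceImage": "C:\\Users\\Administrator\\Documents\\suspect.exe",
     "TargetImage": "C:\\Windows\\System32\\svchost.exe"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1]

# SPL: sourcetype=WinEventLog EventCode=11 TargetFilename="*\\Documents\\*.exe"
def executables_written_to_documents(events):
    return [e["TargetFilename"] for e in events if e["EventCode"] == 11
            and "\\Documents\\" in e["TargetFilename"]
            and e["TargetFilename"].lower().endswith(".exe")]

# SPL: EventCode=1 Image="*\\suspect.exe" | rex field=Hashes "MD5=(?<md5>[0-9A-Fa-f]{32})"
def md5_of_image(events, image_name):
    for e in events:
        if e["EventCode"] == 1 and basename(e["Image"]).lower() == image_name.lower():
            m = re.search(r"MD5=([0-9A-Fa-f]{32})", e.get("Hashes", ""))
            return m.group(1).lower() if m else None
    return None

# SPL: EventCode=11 | eval fname=mvindex(split(TargetFilename,"\\"),-1)
#      | stats dc(TargetFilename) AS locations BY fname | where locations > 1
def files_in_multiple_folders(events):
    paths = defaultdict(set)
    for e in events:
        if e["EventCode"] == 11:
            paths[basename(e["TargetFilename"]).lower()].add(e["TargetFilename"])
    return {name: sorted(p) for name, p in paths.items() if len(p) > 1}

# SPL: EventCode=1 CommandLine="*net*user*" CommandLine="*/add*"
def user_add_commands(events):
    return [e["CommandLine"] for e in events if e["EventCode"] == 1
            and re.search(r"\bnet1?\s+user\b.*\s/add\b", e["CommandLine"], re.I)]

# SPL: EventCode=8 | table _time SourceImage TargetImage
def remote_thread_injections(events):
    return [(e["SourceImage"], e["TargetImage"]) for e in events if e["EventCode"] == 8]
```

The Event ID 8 pair answers the migration question directly: SourceImage is the process the attacker started in, TargetImage is where they moved to.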
