Conti (Splunk)

01. Can you identify the location of the ransomware?

Look for Sysmon EventID 11. You can see cmd.exe in the Administrator's Documents location.

02. What is the Sysmon event ID for the related file creation event?

You already answered this question in question 01.

03. Can you find the MD5 hash of the ransomware?

You can use the md5 keyword to view the hash of this cmd.exe.

04. What file was saved to multiple folder locations?

You can use the TargetFilename field to query this filename easily.

05. What was the command the attacker used to add a new user to the compromised system?

You already know the net user command in Windows creates a user. In this search, you can use the CommandLine field to query for this username.

06. The attacker migrated the process for better persistence. What is the migrated process image (executable), and what is the original process image (executable) when the attacker got on the system?

This question asks for the source image name and the target image name. You can view them easily with a query on those fields.
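The searches below are added here as worked examples for questions 01 to 06; they are not part of the original walkthrough. They assume the Sysmon data lives in index=main with the Splunk TA for Sysmon sourcetype XmlWinEventLog:Microsoft-Windows-Sysmon/Operational (adjust both if your lab differs), and that the process migration in question 06 is visible as a Sysmon EventID 8 (CreateRemoteThread) event, which is an assumption. In order: file-creation events for cmd.exe under the Administrator's Documents folder (01/02), the MD5 taken from the Hashes field of the matching process-creation event (03), filenames written to more than one folder (04), net user commands with /add (05), and source/target images of remote-thread creation (06).

```spl
index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11 TargetFilename="*\\Administrator\\Documents\\cmd.exe"
| table _time, Image, TargetFilename

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 Image="*\\Administrator\\Documents\\cmd.exe"
| rex field=Hashes "MD5=(?<md5>[0-9A-Fa-f]{32})"
| table _time, Image, md5

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11
| eval fname=mvindex(split(TargetFilename, "\\"), -1)
| stats dc(TargetFilename) AS folders, values(TargetFilename) AS paths BY fname
| where folders > 1
| sort - folders

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 CommandLine="*net*user*" CommandLine="*/add*"
| table _time, User, ParentImage, CommandLine

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=8
| table _time, SourceImage, TargetImage, StartFunction
```

The fourth search matches on two wildcard terms rather than the literal string "net user /add" so that variants such as net1 or extra spacing are not missed; the last search lists every remote-thread creation, which in a small lab dataset is short enough to read in full.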

07. The attacker also retrieved the system hashes. What is the process image used for getting the system hashes?

The answer is C:\Windows\System32\lsass.exe

08. What is the web shell the exploit deployed to the system?

You need to view the IIS log.

09. What is the command line that executed this web shell?

You need to go back to the Sysmon logs.
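Added searches for questions 07 to 09, again not from the original walkthrough. Assumptions: Sysmon data is in index=main under the Splunk TA for Sysmon sourcetype, IIS W3C logs are indexed with sourcetype=iis and carry the standard cs_uri_stem, cs_method and sc_status fields, and w3wp.exe is the IIS worker process whose child processes reveal what a web shell executed. The first search shows which processes opened a handle to lsass.exe (Sysmon EventID 10, ProcessAccess), the second lists the least-frequently requested URI stems so a freshly dropped web shell stands out, and the third returns process creations parented by w3wp.exe, which answers question 09 without needing the web shell's name in advance.

```spl
index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=10 TargetImage="*\\lsass.exe"
| stats count, values(GrantedAccess) AS access BY SourceImage, TargetImage
| sort - count

index=main sourcetype=iis
| stats count, min(_time) AS first_seen, values(cs_method) AS methods, values(sc_status) AS status BY cs_uri_stem
| sort count
| convert ctime(first_seen)

index=main sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1 ParentImage="*\\w3wp.exe"
| table _time, ParentImage, Image, CommandLine
```

Sorting the IIS results ascending by count is deliberate: legitimate application paths are requested constantly, while a web shell is typically hit only a handful of times, so it rises to the top.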

10. What three CVEs did this exploit leverage?

Here is a useful link for answering this question: https://cybersecurityworks.com/blog/ransomware/is-conti-ransomware-on-a-roll.html
