Investigating Windows

Password: letmein123!

So first question when u arrived to the scene is

What’s the version and year of the windows machine?

Easy? I know .But should be solved.

Click start icon on down-left and then type setting>System>About

Here u’ll find a full-detailed information about the system.

Or the easy way. Press windows icon then type pc. Right click and choose properties. It is the same

Which user logged in last?

Now we are getting excited, let’s look at the ‘Users’ file

So apparently the answer is ‘Administrator’

When did John log onto the system last?

What who is John. Must be a deleted-user, Running

will show u the user

Then using findstr command will tell us the last-logon date

What IP does the system connect to when it first starts?

The answer is at registry files. But how can we get there?

Type ‘Regedit’ at the run bar and the registry editor will pop up, searching for what can help up

U’ll find the flag here: HKEY_LOCAL_MACHINE>software>microsoft>WindowscurrentVersion>run

And the IP address is

What two accounts had administrative privileges (other than the Administrator user)?

To find users with their rules shown .U can search ‘’ .which is local user manager

After clicking group then administrators, u’ll know who is the admin user other than the administrator (guest and jenny)

What’s the name of the scheduled task that is malicious.

Scheduled task? Well there is no better place to search from other than task scheduler

Clean file system look malicious enough for me.

What file was the task trying to run daily?

Getting around task scheduler u’ll find this

Nc.ps1 is a file that tasked to run daily at port 1348

When did Jenny last logon?

As simple as that

At what date did the compromise take place?

By reviewing task scheduler u will notice a GamoOver task .Reviewing the file u can see it sends passwords. So it is the malicious files for the compromise. Noticing the date which is 03/02/2019 .The answer is correct

What tool was used to get Windows passwords?

From the GameOver task details u’ll find mimikatz.

At what time did Windows first assign special privileges to a new logon?

Answer format: MM/DD/YYYY HH:MM:SS AM/PM

Event viewer will help us a lot at this point.

Right-click at windows icon and type “Event viewer”

Searching around to review logs … the answer is 03/02/2019 4:04:49 PM

What was the attackers external control and command servers IP?

Information like this are stored at c /windows/system32/drivers/etc/hosts

. Opening that file with Notepad will through this

Why there are two different IP assigned to Does the attacker uses DNS poisoning? Let’s try to submit one IP of them to THM and see.

Well .Don’t normalize any suspicious thing.

What was the extension name of the shell uploaded via the server’s website?

We need to browse the file created by the malicious shell , opening c directory and noticing the time creation for each file .u’ll notice ‘inetpub’ file which is created exactly at the day of the compromise took place . Searching the file and opening the files at Notepad. There are interesting codes here … we have catch the rat!

What was the last port the attacker opened?

Using the Hint! It tells u ‘firewalls’ and nothing else … what a helpful advice!

Let’s open firewalls and review the inbound connections

Notice that port 1337 is opened for developer. Weird.

Check for DNS poisoning, what site was targeted?

As we have seen hosts file. Google is the targeted website