Investigating Windows
Password: letmein123!
So, the first question when you arrive at the scene is:
What's the version and year of the Windows machine?
Easy? I know. But it still has to be solved.
Click the Start icon at the bottom left, then go to Settings > System > About.
Here you'll find full, detailed information about the system.
Or the easy way: press the Windows key, type "pc", right-click the result and choose Properties. It shows the same thing.
Which user logged in last?
Now we are getting excited. Let's look at the 'Users' folder.
So apparently the answer is 'Administrator'.
When did John log onto the system last?
Wait, who is John? Must be a deleted user. Running the command shown in the screenshot
will list the users.
Then filtering its output with the findstr command will tell us the last-logon date.
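The same lookup done from a PowerShell prompt, as an added example that is not part of the original write-up. It assumes the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 or later); the account names passed in are parameters, not facts taken from the lab.

```powershell
# Added example, not part of the original write-up. Lists every local
# account with its last logon time, then looks up one account by name the
# way the write-up does (net user + findstr) and the PowerShell-native way.
# Assumes the Microsoft.PowerShell.LocalAccounts module.

function Get-LocalLastLogon {
    param([Parameter(Mandatory)][string]$Name)
    $user = Get-LocalUser -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $user) {
        # No such local account: it may have been deleted, or be a domain account.
        return $null
    }
    [pscustomobject]@{
        Name      = $user.Name
        Enabled   = $user.Enabled
        LastLogon = $user.LastLogon    # $null if the account never logged on
    }
}

# Overview of all local accounts, enabled or not.
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize

# Classic approach: "net user <name>" prints a "Last logon" line; findstr keeps only it.
net user John | findstr /C:"Last logon"

# Same answer as a DateTime object, which is easier to compare with other
# timeline sources (event log, file creation times).
Get-LocalLastLogon -Name 'John'
Get-LocalLastLogon -Name 'Jenny'
```

The DateTime form matters when you start building a timeline: the last-logon value can be compared directly against event timestamps and file creation times instead of eyeballing strings.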
What IP does the system connect to when it first starts?
The answer is in the registry. But how do we get there?
Type 'regedit' in the Run box and the Registry Editor will pop up; then search it for anything that can help us.
You'll find the flag here: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
And the IP address is 10.34.2.3
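Instead of browsing Regedit by hand, the autostart keys can be dumped and scanned for addresses in one go. This is an added example, not code from the write-up; it covers the standard Run/RunOnce locations for the machine and the current user, and the IPv4 regex is a simple pattern I chose, not something from the lab.

```powershell
# Added example, not part of the original write-up. Dumps the autostart
# entries that run at boot or logon from the Run/RunOnce keys of the machine
# and of the current user, and pulls any IPv4 address out of their command
# lines so a hard-coded remote host stands out.

$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

$entries = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    # Skip PowerShell's own metadata properties (PSPath, PSParentPath, ...).
    foreach ($p in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' })) {
        $ips = [regex]::Matches([string]$p.Value, '\b(?:\d{1,3}\.){3}\d{1,3}\b') |
            ForEach-Object { $_.Value }
        [pscustomobject]@{
            Key     = $key
            Name    = $p.Name
            Command = $p.Value
            IPv4    = ($ips -join ',')
        }
    }
}

$entries | Format-Table -AutoSize -Wrap
```

Anything with a non-empty IPv4 column, or a command line pointing at a user-writable directory, is worth a closer look; legitimate autostart entries rarely embed a raw address.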
What two accounts had administrative privileges (other than the Administrator user)?
To see the users along with their roles, you can search for 'lusrmgr.msc', the Local Users and Groups manager.
After clicking Groups and then Administrators, you'll know who the admin users are other than Administrator (guest and jenny).
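The same check from PowerShell, as an added example (not part of the original write-up). It lists the local Administrators group, resolves whether each local member is enabled, and flags the Guest account, which should never be an administrator. Assumes the Microsoft.PowerShell.LocalAccounts module.

```powershell
# Added example, not part of the original write-up. Enumerates the local
# Administrators group and annotates each member with its enabled state and
# a note for the built-in Guest account.

$members = Get-LocalGroupMember -Group 'Administrators'
foreach ($m in $members) {
    $enabled = $null
    if ($m.ObjectClass -eq 'User' -and $m.PrincipalSource -eq 'Local') {
        # Name is "COMPUTER\user"; strip the machine part before Get-LocalUser.
        $local = Get-LocalUser -Name ($m.Name -replace '^.*\\') -ErrorAction SilentlyContinue
        if ($local) { $enabled = $local.Enabled }
    }
    [pscustomobject]@{
        Member  = $m.Name
        Class   = $m.ObjectClass
        Source  = $m.PrincipalSource
        Enabled = $enabled
        Note    = $(if ($m.Name -match '\\Guest$') { 'Guest should never be an administrator' } else { '' })
    }
}

# Legacy equivalent that works on any Windows version:
net localgroup Administrators
```

The Enabled column is the useful part: a disabled account in Administrators is a latent problem, an enabled Guest or unfamiliar account in there is an active one.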
What's the name of the scheduled task that is malicious?
Scheduled task? Well, there is no better place to look than Task Scheduler.
'Clean file system' looks malicious enough for me.
What file was the task trying to run daily?
Browsing around Task Scheduler you'll find this:
nc.ps1 is the file the task is set to run daily, with port 1348 as its argument.
When did Jenny last logon?
As simple as that
At what date did the compromise take place?
By reviewing Task Scheduler you will notice a GameOver task. Reviewing the file it runs, you can see it sends passwords, so it is the malicious file behind the compromise. Note the date, 03/02/2019. The answer is correct.
What tool was used to get Windows passwords?
In the GameOver task details you'll find mimikatz.
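The three task-related questions above (the malicious task name, the file it runs, and the task whose script reveals the tool and the date) can all be answered from one table. This is an added example, not code from the write-up: it flattens every scheduled task into one row per action, filters for tasks that launch a script host, and prints the head of any .ps1 the task points at. Assumes the ScheduledTasks module (Windows 8 / Server 2012 or later); the script-host list and the path regex are my choices.

```powershell
# Added example, not part of the original write-up. One row per task action
# with program, arguments, trigger type and creation date, then the text of
# any PowerShell script a suspect task runs.

$rows = Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        [pscustomobject]@{
            TaskName  = $task.TaskName
            Path      = $task.TaskPath
            State     = $task.State
            Execute   = $action.Execute        # program launched
            Arguments = $action.Arguments      # script path, port number, ...
            Trigger   = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task' }) -join ','
            Created   = $task.Date             # from the task XML; may be empty
            LastRun   = $info.LastRunTime
            Author    = $task.Author
        }
    }
}

# Tasks that launch a script host are the first to look at.
$suspect = $rows | Where-Object {
    $_.Execute -match 'powershell|pwsh|cmd|wscript|cscript|mshta|rundll32' -or
    $_.Arguments -match '\.(ps1|vbs|js|bat)\b'
}
$suspect | Sort-Object Created |
    Format-Table TaskName, Execute, Arguments, Trigger, Created -AutoSize -Wrap

# Read the script each suspect task runs (paths without spaces), if it still exists.
foreach ($row in $suspect) {
    $m = [regex]::Match([string]$row.Arguments, '[A-Za-z]:\\[^"\s]+\.ps1')
    if ($m.Success -and (Test-Path $m.Value)) {
        "`n==== $($row.TaskName): $($m.Value) ===="
        Get-Content -Path $m.Value -TotalCount 40
    }
}
```

Sorting by the Created column puts tasks registered on the same day next to each other, which is how the compromise date falls out of the task list rather than from memory.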
At what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM
Event Viewer will help us a lot at this point.
Right-click the Windows icon and type "Event Viewer".
Searching through the logs, the answer is 03/02/2019 4:04:49 PM.
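Clicking through Event Viewer works, but the question maps to a single event ID: 4672, "Special privileges assigned to new logon", in the Security log. The snippet below is an added example (not from the write-up) that pulls the earliest such event and prints it in the requested MM/DD/YYYY HH:MM:SS AM/PM format. It needs an elevated prompt to read the Security log.

```powershell
# Added example, not part of the original write-up. Finds the earliest
# Security event 4672 and formats its timestamp the way the room expects.

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -ErrorAction Stop |
    Sort-Object TimeCreated            # Get-WinEvent returns newest first

$first = $events | Select-Object -First 1
if ($null -eq $first) {
    Write-Output 'No 4672 events in the Security log (rotated or cleared?).'
} else {
    # The XML view is more reliable than parsing the message text.
    $xml = [xml]$first.ToXml()
    $account = ($xml.Event.EventData.Data | Where-Object { $_.Name -eq 'SubjectUserName' }).'#text'

    [pscustomobject]@{
        Time    = $first.TimeCreated.ToString('MM/dd/yyyy h:mm:ss tt', [cultureinfo]::InvariantCulture)
        Account = $account
        Total   = $events.Count
    }
}
```

A cleared or rotated Security log is itself a finding, which is why the empty case is reported rather than silently skipped.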
What was the attacker's external command and control server's IP?
Information like this is stored in C:\Windows\System32\drivers\etc\hosts.
Opening that file in Notepad shows this:
Why are there two different IPs assigned to google.com? Is the attacker using DNS poisoning? Let's try submitting one of the IPs to THM and see.
Well. Don't normalize anything suspicious.
What was the extension name of the shell uploaded via the server’s website?
We need to find the files created by the malicious shell. Open the C: drive and note the creation time of each folder; you'll notice the 'inetpub' folder, created on the very day the compromise took place. Searching that folder and opening the files in Notepad, there is interesting code here... we have caught the rat!
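Rather than opening every file in Notepad, the web root can be listed by creation time and the script-type files grepped for constructs a web shell typically contains. This is an added example, not part of the write-up; the web root path, the date and the pattern list are assumptions to adjust for the case.

```powershell
# Added example, not part of the original write-up. Lists files under the
# IIS web root created on or after the compromise date, then searches the
# script-type ones for request input being fed to eval or a process launch.

$webRoot   = 'C:\inetpub\wwwroot'
$since     = Get-Date '2019-03-02'
$scriptExt = '.asp', '.aspx', '.ashx', '.asmx', '.php', '.jsp', '.cshtml'

$recent = Get-ChildItem -Path $webRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.CreationTime -ge $since } |
    Sort-Object CreationTime

$recent | Select-Object FullName, Extension, Length, CreationTime | Format-Table -AutoSize

# Content check on script files only; each hit prints file, line number and text.
$recent | Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
    Select-String -Pattern 'eval\s*\(', 'Request\[', 'Request\.(Form|QueryString|Item)', 'cmd\.exe', 'Process\.Start', 'Shell\(' |
    Select-Object Path, LineNumber, Line
```

The extension column answers the question directly; the content check is there so the file is confirmed as a shell by what it does, not only by when it appeared.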
What was the last port the attacker opened?
Using the hint! It tells you 'firewalls' and nothing else... what helpful advice!
Let's open the firewall and review the inbound rules.
Notice that port 1337 is open for 'developer'. Weird.
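An added example (not from the write-up) for the same question from PowerShell: it tabulates enabled inbound allow rules with their local ports, and then reads the firewall's own operational log, because Get-NetFirewallRule carries no creation timestamp and "last port opened" is a question about order in time. It assumes the NetSecurity module (Windows 8 / Server 2012 or later) and that the firewall log still holds the rule-added events (ID 2004).

```powershell
# Added example, not part of the original write-up. Inbound allow rules with
# their ports, then rule additions in time order from the firewall log.

Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Name      = $_.DisplayName
            Profile   = $_.Profile
            Protocol  = $port.Protocol
            LocalPort = $port.LocalPort
        }
    } |
    Where-Object { $_.LocalPort -ne 'Any' } |
    Sort-Object Name | Format-Table -AutoSize

# "A rule has been added to the Windows Firewall exception list" (ID 2004),
# newest first; the message names the rule, so the last opening is the top entry.
$log = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 2004 } -ErrorAction SilentlyContinue |
    Select-Object -First 10 |
    Format-List TimeCreated, Message
```

If the operational log has been cleared, the rule table alone still narrows it down: rules with a single odd port and a vague name are the candidates, and the rule's registry entry can be checked for when it was last written.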
Check for DNS poisoning, what site was targeted?
As we have seen in the hosts file, Google is the targeted website.
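Both hosts-file questions (the command and control address, and the poisoned site) come down to the same parse, so one added example serves both; it is not code from the write-up. The function strips comments, expands lines that carry several hostnames, reports any hostname mapped to more than one address, and lists every mapping that is not loopback, since nothing else belongs in a default hosts file.

```powershell
# Added example, not part of the original write-up. Parses the hosts file
# and flags duplicate hostnames and non-loopback mappings.

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()      # strip trailing comments
        if ($line -eq '') { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }    # address with no hostname
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{ IP = $ip; Host = $name.ToLower() }
        }
    }
}

$entries = Get-HostsEntries

# Hostnames with more than one mapping: the poisoning signature seen above.
$entries | Group-Object Host | Where-Object Count -gt 1 |
    ForEach-Object { [pscustomobject]@{ Host = $_.Name; IPs = ($_.Group.IP -join ', ') } }

# Every mapping that is not loopback; each remaining address is a candidate C2.
$entries | Where-Object { $_.IP -notmatch '^(127\.|::1$)' }
```

Note that Windows resolves the first matching hosts line, so of two entries for the same name the one listed first is the one that actually takes effect.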