In this walkthrough, we will be going through the Investigating Windows room from TryHackMe. In this room, a Windows machine has been hacked, and it's your job to investigate it and find clues about what the hacker might have done. So, let's get started.
Task 1 – Investigating Windows
Question 1 – What's the version and year of the Windows machine?
Windows Server 2016
Question 2 – Which user logged in last?
Get-LocalUser | Select Name, Lastlogon
Question 3 – Answer format: MM/DD/YYYY H:MM:SS AM/PM
03/02/2019 5:48:32 PM
Question 4 – What IP does the system connect to when it first starts?
Question 5 – What two accounts had administrative privileges (other than the Administrator user)?
net localgroup Administrators
Question 6 – What's the name of the scheduled task that is malicious?
Clean file system
Question 7 – What file was the task trying to run daily?
Question 8 – What port did this file listen on locally?
Question 9 – When did Jenny last log on?
net user Jenny
Question 10 – At what date did the compromise take place?
Question 11 – At what time did Windows first assign special privileges to a new logon?
- Event Viewer -> Security -> Check for Audit Success with Account Domain NT Authority
03/02/2019 4:04:49 PM
Question 12 – What tool was used to get Windows passwords?
Question 13 – What was the attacker's external command and control server's IP?
Question 14 – What was the extension name of the shell uploaded via the server's website?
Question 15 – What was the last port the attacker opened?
Question 16 – Check for DNS poisoning; what site was targeted?
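As an added example (not part of the original post or the room), here is a PowerShell triage script that pulls the artifacts the questions above ask about in one pass. The Security Event ID 4672 ("Special privileges assigned to new logon") filter is my assumption about what the Event Viewer step corresponds to; run it in an elevated session on the investigated host.

```powershell
# Added triage script; Event ID 4672 and the hosts-file path are assumptions
# about what the walkthrough's Event Viewer and DNS steps correspond to.

# Q2 / Q9: last logon time for every local account, newest first
Get-LocalUser | Select-Object Name, Enabled, LastLogon |
    Sort-Object LastLogon -Descending | Format-Table -AutoSize

# Q5: who sits in the local Administrators group
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource

# Q6 / Q7: non-Microsoft scheduled tasks, what they execute and when they ran
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskName
        State   = $_.State
        Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
        NextRun = $info.NextRunTime
    }
} | Format-Table -AutoSize

# Q8: local listeners mapped to their owning process
Get-NetTCPConnection -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object LocalPort

# Q15: enabled inbound allow rules and the ports they open
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $port.Protocol; LocalPort = $port.LocalPort }
} | Format-Table -AutoSize

# Q11: earliest 4672 events (special privileges assigned to a new logon)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -Oldest -MaxEvents 5 |
    Select-Object TimeCreated,
        @{ n = 'Account'; e = { $_.Properties[1].Value } },
        @{ n = 'Domain';  e = { $_.Properties[2].Value } }

# Q16: hosts-file overrides (local "DNS poisoning") and the resolver cache
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*\d' }
Get-DnsClientCache | Select-Object Entry, Data
```

Compare each section's output against the answers recorded above; a task outside \Microsoft\ that runs a file from an unusual path, or a hosts entry pointing a well-known site at an unexpected address, is exactly the kind of indicator the room wants you to spot.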
So that was the "Investigating Windows" room for you. In this room, we have covered various Windows investigative techniques and the analysis of indicators of compromise on the machine. We worked with the Windows Event Viewer, some native Windows commands and the DNS cache files to learn about malicious files and connections. On that note, I will take my leave; till then, "Keep Investigating".