Tryhackme - Investigating Windows

In this walkthrough, we will be going through the Investigating Windows room from Tryhackme. In this room, a Windows machine has been hacked, and it's your job to investigate this Windows machine and find clues to what the hacker might have done. So, let's get started.

Task 1 – Investigating Windows

Question 1 – What's the version and year of the Windows machine?

systeminfo

Windows Server 2016

Question 2 – Which user logged in last?

Get-LocalUser | Select Name, Lastlogon
Administrator

Question 3 – Answer format: MM/DD/YYYY H:MM:SS AM/PM

03/02/2019 5:48:32 PM

Question 4 – What IP does the system connect to when it first starts?

PsExec
10.32.3.1

Question 5 – What two accounts had administrative privileges (other than the Administrator user)?

net localgroup Administrators

Jenny, Guest

Question 6 – What's the name of the scheduled task that is malicious?

Clean file system

Question 7 – What file was the task trying to run daily?

nc.ps1

Question 8 – What port did this file listen locally for?

1348

Question 9 – When did Jenny last logon?

net user Jenny

Never

Question 10 – At what date did the compromise take place?

03/02/2019

Question 11 – At what time did Windows first assign special privileges to a new logon?

  • Event Viewer -> Security -> Check for Audit Success with Account Domain NT Authority

03/02/2019 4:04:49 PM

Question 12 – What tool was used to get Windows passwords?

Event Viewer

Mimikatz

Question 13 – What was the attacker's external command and control server's IP?

C:\Windows\System32\drivers\etc

76.32.97.132

Question 14 – What was the extension name of the shell uploaded via the server's website?

C:\inetpub\wwwroot

.jsp

Question 15 – What was the last port the attacker opened?

Firewall rules

1337

Question 16 – Check for DNS poisoning, what site was targeted?

google.com
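The checks above are all done by hand in the room. As an added example (not part of the original walkthrough or of TryHackMe's material), the script below collects the same artifacts in one pass so they can be reviewed together; it assumes an elevated PowerShell prompt on a Windows Server 2016 host with the built-in cmdlets, the standard hosts file path, and Security event ID 4672 ("Special privileges assigned to new logon") for the question 11 check.

```powershell
# Added triage script, not from the original post. Run from an elevated
# PowerShell prompt on the host under investigation (assumed Windows Server 2016).

# Q1/Q2: OS version and local users with their last logon time
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, LastBootUpTime
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Sort-Object LastLogon -Descending

# Q5/Q9: members of the local Administrators group (compare against expected admins)
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource

# Q6/Q7: scheduled tasks and what each action executes; flag script interpreters
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        [pscustomobject]@{
            Task    = $task.TaskName
            Path    = $task.TaskPath
            Execute = $_.Execute
            Args    = $_.Arguments
        }
    }
} | Where-Object { $_.Execute -match 'powershell|cmd|wscript|cscript' -or $_.Args -match '\.ps1|\.bat|\.vbs' }

# Q11: earliest Security events with ID 4672 (special privileges assigned to a new logon)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Select-Object -First 5 TimeCreated, Id, Message

# Q13/Q16: static hosts-file overrides (local DNS poisoning) and the live DNS client cache
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_.Trim() -and $_ -notmatch '^\s*#' }
Get-DnsClientCache | Select-Object Entry, Data

# Q15: enabled inbound allow rules that open specific ports
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -ne 'Any' } |
    Select-Object InstanceID, Protocol, LocalPort
```

Each section maps to the room question noted in its comment, so unexpected entries (an unknown admin, a task running a script from an odd path, a hosts entry for a public site, a recently added inbound port) stand out without opening each console separately.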

So that was the "Investigating Windows" room for you. In this room, we have covered various Windows investigative techniques and the analysis of indicators of compromise on the machine. We worked with Windows Event Viewer, some native Windows commands and the DNS cache and hosts files to learn about malicious files and connections. On that note, I will take your leave; till then, "Keep Investigating".
