Investigating Windows
Last updated
Last updated
This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.
Connect to the machine using RDP. The credentials the machine are as follows:
Username: Administrator Password: letmein123!
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
1) Whats the version and year of the windows machine?
There are multiple approaches to solving this question. Let's examine them.
Access the command prompt and run the winver
command.
Or using msinfo32
command
Or through powershell execute Get-ComputerInfo -Property "os*"
Answer: Windows Server 2016
2) Which user logged in last?
To identify the last user who logged in on a Windows machine, access Event Viewer, locate Security Logs, filter for EventID 4624, and review the most recent logon event.
The answer can be obtained also using the Get-WinEvent
PowerShell cmdlet.
Answer: Administrator
3) When did John log onto the system last?
I reviewed the Security Logs in Event Viewer, filtered for EventID 4624, and searched for user John.
The answer can be obtained also using the Get-WinEvent
PowerShell cmdlet.
4) What IP does the system connect to when it first starts?
The IP address was located in the Windows Registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Alternatively, you can use PowerShell.
Answer: 10.34.2.3
5) What two accounts had administrative privileges (other than the Administrator user)?
Answer: Jenny, Guest
6) Whats the name of the scheduled task that is malicous.
Or we can use Task Scheduler
Answer: Clean file system
7) What file was the task trying to run daily?
To determine what file the "Clean file system" task is attempting to run daily, you can examine the details of this scheduled task using PowerShell. Here’s how you can do it:
Answer: nc.ps1
8) What port did this file listen locally for?
Refer to the output from the previous question. The port number is listed in the Arguments column.
Answer: 1348
9) When did Jenny last logon?
The answer can be obtained also using the Get-WinEvent
PowerShell cmdlet.
I attempted to retrieve Jenny's last login time using Get-WinEvent, but the command produced no output.
Answer: Never
10) At what date did the compromise take place?
During routine system, I discovered an unexpected directory on the C:\ drive containing potentially suspicious files.
Answer: 03/02/2019
11) During the compromise, at what time did Windows first assign special privileges to a new logon?
I filtered between 4:00 PM and 4:30 PM on March 2, 2019, during the time of the attack.
Answer: 03/02/2019 4:04:49 PM
12) What tool was used to get Windows passwords?
Answer: Mimikatz
13) What was the attackers external control and command servers IP?
Navigate to the 'C:\Windows\System32\drivers\etc' directory to access the hosts file. This file acts as a local DNS, allowing your machine to associate hostnames with IP addresses.
Answer: 76.32.97.132
13) What was the extension name of the shell uploaded via the servers website?
Answer: .jsp
14) What was the last port the attacker opened?
Let’s begin by accessing the firewall settings.
First, navigate to ‘Inbound Rules’ on the left. There, you’ll find the initial rule, which allows external connections for development purposes.
Next, right-click on this rule and select Properties
Then, choose Protocols and Ports.
Answer: 1337
15) Check for DNS poisoning, what site was targeted?
Answer: google.com