# Investigating Windows

This challenge is exactly what it says on the tin: a series of questions about investigating a Windows machine that has previously been compromised.

Connect to the machine using RDP. The credentials for the machine are as follows:

Username: Administrator\
Password: letmein123!

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

**1) What's the version and year of the Windows machine?**

There are multiple approaches to solving this question. Let's examine them.

Open a command prompt and run the `winver` command.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FxBT8wsTrhJBwzgqV1RW2%2FScreenshot(17).png?alt=media&#x26;token=b0bf9b90-47a5-4ce2-b3ef-742363ddc562" alt=""><figcaption></figcaption></figure>

Or run the `msinfo32` command.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FGVTrApiYr2lN2zZIUyYn%2FScreenshot(18).png?alt=media&#x26;token=c128e98e-ec3f-4f35-b26d-a731b1d49843" alt=""><figcaption></figcaption></figure>

Or, in PowerShell, run `Get-ComputerInfo -Property "os*"`.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fv6PiH0gJlXtXpNZij3mm%2FScreenshot(19).png?alt=media&#x26;token=d0817e36-75b1-4616-937f-ee69533e8bcd" alt=""><figcaption></figcaption></figure>

Answer:  Windows Server 2016

**2) Which user logged in last?**

To identify the last user who logged in on a Windows machine, open Event Viewer, locate the Security log, filter for Event ID 4624 (successful logon), and review the most recent logon event.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FNInZ7gk8WhQL65FV3wxc%2FScreenshot(20).png?alt=media&#x26;token=c1035c73-3662-4ee4-8ad8-5e75377e8b9f" alt=""><figcaption></figcaption></figure>

The answer can also be obtained using the `Get-WinEvent` PowerShell cmdlet.

```powershell
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624} | Select-Object -First 5 | Format-List
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FvcILYl1tdKsq7npSxVyr%2FScreenshot(21).png?alt=media&#x26;token=e2bd024d-cbc5-4918-8ecb-25793142b843" alt=""><figcaption></figcaption></figure>

Answer:  Administrator

**3) When did John log onto the system last?**

I reviewed the Security log in Event Viewer, filtered for Event ID 4624, and searched for the user John.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FB8OxkscTgFNHaQKeENue%2FScreenshot(22).png?alt=media&#x26;token=26d96b46-13c7-45f3-b2f5-4c6fa430e6d2" alt=""><figcaption></figcaption></figure>

The answer can also be obtained using the `Get-WinEvent` PowerShell cmdlet.

```powershell
Get-WinEvent -FilterHashtable @{LogName="Security"; ID=4624} | Where-Object { $_.Properties[5].Value -eq "John" } | Select-Object -First 1 | Format-List TimeCreated
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FNqfv7yZ6soGsol2N6rcS%2FScreenshot(23).png?alt=media&#x26;token=f04cc3a6-3f47-4b85-818d-58911c1d166b" alt=""><figcaption></figcaption></figure>

**4) What IP does the system connect to when it first starts?**

The IP address was located in the Windows Registry under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run`. Values under this key are executed at every user logon, which is why it is a common persistence location and one of the first places to check.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FhVjb4mgyHycMDUcbl3Nw%2FScreenshot(24).png?alt=media&#x26;token=6d6c4d3f-ea8c-4833-9d35-5f49240d7ca9" alt=""><figcaption></figcaption></figure>

Alternatively, you can use PowerShell.

```powershell
Get-ItemProperty -Path "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run" | Select-Object *
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FmGAvLtROBl5Yu9GmZ0nv%2FScreenshot(68).png?alt=media&#x26;token=5003f66f-42fa-453d-8237-8a9d2e9e27f0" alt=""><figcaption></figcaption></figure>

Answer:  10.34.2.3
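The same Run-key check generalised into a small hunting function, as an added example that is not part of the original writeup: it walks the standard Run and RunOnce keys in both hives, ignores PowerShell's own `PS*` bookkeeping properties, and extracts any IPv4 address or URL embedded in each command line. The key list and regexes are my assumptions, not taken from the room.

```powershell
# Added example (not from the original writeup): enumerate autorun registry values and
# pull out any IPv4 address or URL embedded in the command line, which is how the
# start-up connection in this question was found. Key paths are the standard Run/RunOnce keys.
function Get-AutorunNetworkIndicators {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    $ipv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
    $url  = '\b(?:https?|ftp)://[^\s"'']+'
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        # PSPath, PSParentPath, PSChildName, PSDrive and PSProvider are added by the
        # registry provider; everything else is a real autorun value
        $item.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
            $cmd  = [string]$_.Value
            $hits = @(@([regex]::Matches($cmd, $ipv4)) + @([regex]::Matches($cmd, $url)) |
                     ForEach-Object { $_.Value })
            [pscustomobject]@{
                Key        = $key
                ValueName  = $_.Name
                Command    = $cmd
                Indicators = ($hits -join ', ')
            }
        }
    }
}

# Entries whose command line embeds an address are the first place to look for a beacon
Get-AutorunNetworkIndicators | Where-Object Indicators | Format-List
```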

**5) What two accounts had administrative privileges (other than the Administrator user)?**

```powershell
Get-LocalGroupMember -Group "Administrators"
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FrWBHueWqzgkFU3PW2pe4%2FScreenshot(1).png?alt=media&#x26;token=e6a63aee-866a-41c5-b04d-3b67ab6a9090" alt=""><figcaption></figcaption></figure>

```powershell
net localgroup Administrators
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FWDsE9WIJ8UIRskeATQAR%2FScreenshot(2).png?alt=media&#x26;token=6fc733ce-89cd-471b-8c5b-07e1b0c99f9e" alt=""><figcaption></figcaption></figure>

Answer:  Jenny, Guest

**6) What's the name of the scheduled task that is malicious?**

```powershell
# -First 5 goes before Format-List: selecting from formatted output truncates the rendering, not the tasks
Get-ScheduledTask | Select-Object -First 5 TaskName, TaskPath, State, Actions | Format-List
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FiSmn1IiNgSRgwmQNTgZ7%2FScreenshot(3).png?alt=media&#x26;token=66a1ea36-af84-4f3c-8677-547fc2a9ac09" alt=""><figcaption></figcaption></figure>

Or we can use Task Scheduler.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FB6jBH3vmUudHIMOjeKGF%2FScreenshot(10).png?alt=media&#x26;token=010ab47f-12de-47c3-8163-eb304dadd90e" alt=""><figcaption></figcaption></figure>

Answer:  Clean file system

**7) What file was the task trying to run daily?**

To determine what file the "Clean file system" task is attempting to run daily, examine the task's actions in PowerShell:

```powershell
Get-ScheduledTask -TaskName "Clean file system" | Select-Object -ExpandProperty Actions
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FroGiuShYklWSAZoZ2fj9%2FScreenshot(4).png?alt=media&#x26;token=0a737029-79a2-454d-81c6-d67c75ca71a5" alt=""><figcaption></figcaption></figure>

Answer:  nc.ps1

**8) What port did this file listen on locally?**

Refer to the output from the previous question: the port number is listed in the Arguments column.

Answer:  1348
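Questions 6 to 8 can be answered in one pass by flattening every task into one row per action. The function below is an added example, not code from the original writeup: it records the executable, arguments and whether a daily trigger exists, flags actions that launch a script interpreter, and lists bare numbers in the arguments as port candidates. The interpreter list and the port regex are my assumptions.

```powershell
# Added example (not from the original writeup): one row per scheduled-task action with its
# executable, arguments and daily trigger, flagging interpreter launches such as a .ps1 script.
function Get-SuspiciousTaskActions {
    $interpreters = 'powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32'
    foreach ($task in Get-ScheduledTask) {
        # trigger objects are CIM instances; the daily one is MSFT_TaskDailyTrigger
        $daily = @($task.Triggers | Where-Object {
            $_.CimClass.CimClassName -eq 'MSFT_TaskDailyTrigger' }).Count -gt 0
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $exe = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute.Trim('"'))
            # a listening port usually shows up as a bare number in the arguments
            $ports = [regex]::Matches([string]$action.Arguments, '\b\d{2,5}\b') |
                     ForEach-Object { $_.Value }
            [pscustomobject]@{
                TaskName       = $task.TaskName
                TaskPath       = $task.TaskPath
                State          = $task.State
                Daily          = $daily
                Execute        = $action.Execute
                Arguments      = $action.Arguments
                Interpreter    = ($interpreters -contains $exe.ToLower())
                PortCandidates = ($ports -join ', ')
            }
        }
    }
}

# Built-in tasks live under \Microsoft\; tasks created by hand usually sit in the root path
Get-SuspiciousTaskActions | Where-Object { $_.Interpreter -and $_.TaskPath -eq '\' } | Format-List
```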

**9) When did Jenny last logon?**

```powershell
net user jenny
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F7g478dGWuUMeMoTf7uSO%2FScreenshot(7).png?alt=media&#x26;token=2678b7ab-d1e2-4c0e-92e6-80903f283665" alt=""><figcaption></figcaption></figure>

The answer can also be obtained using the `Get-WinEvent` PowerShell cmdlet.

```powershell
Get-WinEvent -FilterHashtable @{LogName="Security"; Id=4624} | Where-Object {$_.Properties[5].Value -eq "Jenny"} | Select-Object TimeCreated -First 1
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fpa7XCwfdwZfW8mdq0smN%2FScreenshot(6).png?alt=media&#x26;token=d56dddc0-14d4-4023-a261-1089dc1cca0e" alt=""><figcaption></figcaption></figure>

I attempted to retrieve Jenny's last login time using Get-WinEvent, but the command produced no output.

Answer:  Never
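Questions 2, 3 and 9 all come down to the same query over event 4624, so here is an added example (not from the original writeup) that reads the EventData fields by name rather than by the `Properties[5]` index, drops machine accounts, and reports each user's most recent logon with its logon type and source address. It assumes it runs elevated on the investigated host; the `-MaxEvents` cap is my choice.

```powershell
# Added example (not from the original writeup): last logon per user from Security event 4624.
# Reading EventData by name is more robust than relying on the position of Properties[5].
function Get-LastLogonByUser {
    param(
        [int]$MaxEvents = 5000,          # cap so the query returns quickly on a busy host
        [switch]$IncludeMachineAccounts  # machine accounts end in '$' and are noise here
    )
    $filter = @{ LogName = 'Security'; Id = 4624 }
    $events = Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.GetAttribute('Name')] = $d.InnerText }
        if (-not $IncludeMachineAccounts -and $data.TargetUserName -like '*$') { continue }
        # Logon type 2 = interactive, 3 = network, 5 = service, 10 = RDP (RemoteInteractive)
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = $data.TargetUserName
            Domain    = $data.TargetDomainName
            LogonType = [int]$data.LogonType
            SourceIp  = $data.IpAddress
        }
    }
    # Get-WinEvent returns newest first, so the first row per user is that user's last logon
    $rows | Group-Object User | ForEach-Object { $_.Group | Select-Object -First 1 } |
        Sort-Object Time -Descending
}

# A user with no 4624 event at all (the "Never" case) simply does not appear in the table
Get-LastLogonByUser | Format-Table -AutoSize
```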

**10) At what date did the compromise take place?**

During a routine system check, I discovered an unexpected directory on the C:\ drive containing potentially suspicious files.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FHT23H12CCUyksdP9d2NC%2FScreenshot(8).png?alt=media&#x26;token=748cd4ee-772e-4c46-a44c-2ceab5c102b6" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FsVVLLebSPYlBXcfIajiv%2FScreenshot(9).png?alt=media&#x26;token=7bc6d3a7-6e5a-41e0-89b5-760a63f1c360" alt=""><figcaption></figcaption></figure>

Answer:  03/02/2019

**11) During the compromise, at what time did Windows first assign special privileges to a new logon?**

I filtered between 4:00 PM and 4:30 PM on March 2, 2019, during the time of the attack.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FyvczslqNqNBlNsIUYSun%2FScreenshot(69).png?alt=media&#x26;token=fc416798-afe7-4aa2-951a-d3aa662bb82c" alt=""><figcaption></figcaption></figure>

Answer:  03/02/2019 4:04:49 PM

**12) What tool was used to get Windows passwords?**

Answer:  Mimikatz

**13) What was the attacker's external command and control server's IP?**

Navigate to `C:\Windows\System32\drivers\etc` and open the hosts file. Windows consults this file before asking DNS, so any hostname listed here resolves to the address written beside it, which makes it both a place where a command-and-control address can be pinned and a place where a legitimate site can be silently redirected.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FcQAne1x21wK0qf58EhuX%2FScreenshot(70).png?alt=media&#x26;token=a5307a78-0820-435c-a194-1e50fb6a63c7" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2F2GA4KUWUcuDJ75fMjIGk%2FScreenshot(71).png?alt=media&#x26;token=fe0a651f-c6d7-4cc7-be70-1613bd03f1cf" alt=""><figcaption></figcaption></figure>

Answer:  76.32.97.132

**14) What was the extension name of the shell uploaded via the server's website?**

```powershell
Get-ChildItem -Path "C:\inetpub\wwwroot\" | Select-Object Name, Extension
```

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FHK1e5nGvkJ8avDE3wC1u%2FScreenshot(73).png?alt=media&#x26;token=9ebea76b-b875-4f27-b600-8db2eff942da" alt=""><figcaption></figcaption></figure>

Answer:  .jsp

**15) What was the last port the attacker opened?**

Let’s begin by accessing the firewall settings.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FT2yopzBLLEX6KT64vt12%2FScreenshot(75).png?alt=media&#x26;token=a45a1af9-5ea6-4661-9313-b94e386025d9" alt=""><figcaption></figcaption></figure>

First, navigate to ‘Inbound Rules’ on the left. There you’ll find the initial rule, which allows external connections for development purposes.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2Fn4wEnjcMUejLvbigPjyD%2FScreenshot(76).png?alt=media&#x26;token=a274c91c-4794-4970-b8ed-b26995623b64" alt=""><figcaption></figcaption></figure>

Next, right-click on this rule, select `Properties`, and then open the `Protocols and Ports` tab.

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FDVTpEEOdMBgxxVMBOcRK%2FScreenshot(77).png?alt=media&#x26;token=53397845-cf7b-42d4-ae14-4fcee5398a52" alt=""><figcaption></figcaption></figure>

Answer:  1337

**16) Check for DNS poisoning: what site was targeted?**

<figure><img src="https://2537271824-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FIswWWP3l0rGuQmG2WUcr%2Fuploads%2FEAD4Quz6XRKjndp0sd8P%2FScreenshot(78).png?alt=media&#x26;token=aea40caa-aff8-4ddb-a841-2b44032e8a40" alt=""><figcaption></figcaption></figure>

Answer:  google.com
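Questions 13 and 16 are both answered by the hosts file, so here is an added example (not from the original writeup) that parses it properly: comments and blank lines are dropped, each hostname on a line becomes its own row, and a public-looking name mapped to an address outside the expected ranges is flagged as the poisoning pattern. The expected prefixes and the public-suffix regex are assumptions for this lab, not values from the room.

```powershell
# Added example (not from the original writeup): parse the hosts file and flag public domain
# names pinned to addresses outside the ranges you expect on this network.
function Get-HostsFileOverrides {
    param(
        [string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts",
        # loopback plus private ranges assumed for the lab; public names elsewhere are suspect
        [string[]]$ExpectedPrefixes = @('127.', '::1', '10.', '192.168.')
    )
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $text = ($line -split '#')[0].Trim()        # drop whole-line and trailing comments
        if (-not $text) { continue }
        $fields = $text -split '\s+'
        if ($fields.Count -lt 2) { continue }        # malformed line, nothing is mapped
        $ip = $fields[0]
        foreach ($hostname in $fields[1..($fields.Count - 1)]) {
            $expected = $false
            foreach ($p in $ExpectedPrefixes) { if ($ip.StartsWith($p)) { $expected = $true; break } }
            # a public-looking name pointed at an unexpected address is the DNS-poisoning pattern
            $public = $hostname -match '\.(com|net|org|io|gov|edu)$'
            [pscustomobject]@{
                Line       = $lineNo
                Address    = $ip
                Hostname   = $hostname
                Suspicious = ($public -and -not $expected)
            }
        }
    }
}

# Suspicious rows give both the redirected site and the address it was sent to
Get-HostsFileOverrides | Format-Table -AutoSize
```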
