Investigating Windows


Hello Buddies …

Welcome to the first Windows room on TryHackMe.

INTRO

What is Windows server?

  • Windows Server refers to any server instance that is installed, operated and managed by one of the Windows Server family of operating systems. Windows Server provides the same capabilities, features and operating mechanisms as a standard server operating system and is based on the Windows NT architecture.

SUMMARY

  • We are going to learn how to investigate a compromised Windows machine.

Let's start…
It's important to read every task's content.

What's the version and year of the Windows machine?

Go to Start menu >> Settings >> System >> About.

Ans: Windows Server 2016

Which user logged in last?

Actually, it's the user we are already logged in as.

Ans: Administrator

When did John log onto the system last?

Open cmd and type net user John. The "Last logon" line of the output is the answer.

Ans: 03/02/2019 5:48:32 PM

What IP does the system connect to when it first starts?

Well, I didn't know how to get that, but there is nothing called "I don't know", so let's find out with our dear Google… After some searching about how to know the state of the machine when it starts, it's the SOFTWARE subkey of HKLM, and after more searching I found this document. So run cmd > regedit > Yes, then go to Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.

Ans: 10.34.2.3

What two accounts had administrative privileges (other than the Administrator user)?

Right-click on the menu bar > Computer Management > Local Users and Groups > Groups > Administrators.

Ans: Jenny, Guest
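The two checks above (last logon via net user, and who sits in the local Administrators group) can be done in one PowerShell pass. This is an added example, not part of the original writeup or the room; it assumes an elevated PowerShell session on the investigated host and the built-in LocalAccounts cmdlets that ship with Windows Server 2016 and later.

```powershell
# Added example (not from the original writeup). Assumes an elevated
# PowerShell session on the host under investigation; Get-LocalUser and
# Get-LocalGroupMember ship with Windows Server 2016 / Windows 10 and later.

function Get-LocalLogonSummary {
    # One row per local account: the same data "net user <name>" prints,
    # but for every account at once. LastLogon is $null for accounts that
    # never logged on, which is where a "Never" answer comes from.
    Get-LocalUser |
        Select-Object Name, Enabled, PasswordLastSet,
            @{ Name = 'LastLogon'; Expression = { if ($_.LastLogon) { $_.LastLogon } else { 'Never' } } } |
        Sort-Object Name
}

function Get-LocalAdminReview {
    # Members of the local Administrators group. Anything beyond the built-in
    # Administrator, and especially Guest, needs an explanation or removal.
    $expected = @('Administrator')
    Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
        $shortName = ($_.Name -split '\\')[-1]
        [pscustomobject]@{
            Member          = $_.Name
            ObjectClass     = $_.ObjectClass
            PrincipalSource = $_.PrincipalSource
            Unexpected      = $shortName -notin $expected
        }
    }
}

Get-LocalLogonSummary | Format-Table -AutoSize
Get-LocalAdminReview  | Format-Table -AutoSize
```

Rows with Unexpected = True are the ones the question is after; cross-checking them against the LastLogon column tells you whether the account has actually been used or was only staged for later.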

What's the name of the scheduled task that is malicious?

Just search for Task Scheduler; in the Task Scheduler Library there is a suspicious task running nc.ps1, which is netcat.

Ans: clean file system

What file was the task trying to run daily?

We know from the previous question that it's nc.ps1.

Ans: nc.ps1
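Both persistence checks so far (the Run key for what starts at boot, and the Task Scheduler library for the netcat task) can be enumerated from PowerShell instead of clicking through regedit and the GUI. This is an added example, not code from the original writeup; it assumes an elevated session on the host, and the "suspicious" regex is my own heuristic for script-based actions.

```powershell
# Added example (not from the original writeup). Assumes an elevated
# PowerShell session on the host; the registry paths and the ScheduledTasks
# module are standard on Windows Server 2016 and later.

function Get-RunKeyEntries {
    # Autostart commands from the usual Run/RunOnce keys. The writeup only
    # looked at the HKLM Run key; the HKCU and WOW6432Node variants are
    # equally valid autostart locations, so they are included here.
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$' } |
            ForEach-Object {
                [pscustomobject]@{
                    Key     = $key
                    Name    = $_.Name
                    Command = $_.Value
                    # crude flag: an IPv4 literal inside an autostart command
                    HasIPv4 = [bool]($_.Value -match '\b(\d{1,3}\.){3}\d{1,3}\b')
                }
            }
    }
}

function Get-ScheduledTaskActions {
    # One row per task action with its trigger types, so a task like
    # "clean file system" running nc.ps1 daily shows up in a single listing.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $triggers = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ', '
        foreach ($action in $task.Actions) {
            $cmdline = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                TaskPath    = $task.TaskPath
                TaskName    = $task.TaskName
                State       = $task.State
                Triggers    = $triggers
                CommandLine = $cmdline
                # heuristic: script files and interpreters launched by a task
                Suspicious  = [bool]($cmdline -match '\.ps1|\.vbs|\.bat|powershell|cmd\.exe|wscript|mshta')
            }
        }
    }
}

Get-RunKeyEntries | Format-Table -AutoSize
Get-ScheduledTaskActions | Where-Object Suspicious | Format-List
```

The CommandLine column carries the full path and arguments of the action, which is what the "what file was the task trying to run" question asks for; Triggers shows "DailyTrigger" for a daily schedule.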

What port did this file listen locally for?

Ans: 1348

When did Jenny last logon?

Ans: Never

At what time did Windows first assign special privileges to a new logon?

I found an interesting site and searched it for "assign special privileges to a new logon",

so it's event ID 4672. On Windows, search for Event Viewer > Security, and search for event ID 4672.

Ans: 03/02/2019 4:04:49 PM
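Event Viewer shows 4672 newest-first, so finding the first occurrence means scrolling to the bottom. The following is an added example (not from the original writeup) that pulls the same events oldest-first and unpacks the account and privilege list from the event XML; it assumes an elevated session, which reading the Security log requires.

```powershell
# Added example (not from the original writeup). Assumes an elevated session
# (reading the Security log needs it) on the host being investigated.

function Get-SpecialPrivilegeLogons {
    param(
        # Optional window, e.g. the compromise date from the timeline.
        [datetime]$StartTime,
        [datetime]$EndTime
    )
    $filter = @{ LogName = 'Security'; Id = 4672 }
    if ($StartTime) { $filter.StartTime = $StartTime }
    if ($EndTime)   { $filter.EndTime   = $EndTime }

    # -Oldest returns events in chronological order, so the first row is the
    # first time special privileges were assigned to a new logon.
    Get-WinEvent -FilterHashtable $filter -Oldest -ErrorAction Stop | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            Account     = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
            LogonId     = $data['SubjectLogonId']
            Privileges  = ($data['PrivilegeList'] -split '\s+' | Where-Object { $_ }) -join ', '
        }
    }
}

# Show the earliest entries, dropping the SYSTEM account, which generates
# 4672 constantly and drowns out the interactive/administrative logons.
Get-SpecialPrivilegeLogons |
    Where-Object { $_.Account -notmatch '\\SYSTEM$' } |
    Select-Object -First 10 |
    Format-Table -AutoSize
```

The LogonId column is the link to the matching 4624 logon event, which gives the logon type and source address for that session if you need to go one step further than the question asks.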

At what date did the compromise take place?

Ans: 03/02/2019

What tool was used to get Windows passwords?

In Task Scheduler there is another suspicious task called GameOver.

Ans: Mimikatz

What was the attacker's external command and control server's IP?

Let's check the hosts file: go to C:\Windows\System32\drivers\etc and open the hosts file with Notepad.

Ans: 76.32.97.132

What was the extension name of the shell uploaded via the server's website?

Since the default web server is IIS, I went to C:\inetpub\wwwroot\.

Ans: .jsp

What was the last port the attacker opened?

Go to Windows Defender Firewall with Advanced Security, then Inbound Rules, and check the port of the first rule.

Ans: 1337

Check for DNS poisoning, what site was targeted?

It was in the hosts file.

Ans: google.com
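The hosts file answered two questions (the C2 address and the poisoned name) and the firewall rules answered a third, all by eyeballing the files and the GUI. This added example (not from the original writeup) parses the hosts file for non-loopback mappings and lists enabled inbound allow rules with their ports; it assumes an elevated session, and the "ungrouped rule" filter is my own heuristic for hand-added rules.

```powershell
# Added example (not from the original writeup). Assumes an elevated session
# on the host; the firewall log name used for rule-change events is the
# standard "Microsoft-Windows-Windows Firewall With Advanced Security/Firewall".

function Get-HostsFileOverrides {
    # Parse the hosts file and return every name mapped to a non-loopback
    # address. A well-known name such as google.com pointing at an arbitrary
    # address is the hosts-file form of DNS poisoning, and the same entries
    # can expose the address the attacker wants traffic sent to.
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content -Path $hostsPath | ForEach-Object {
        $line = ($_ -split '#', 2)[0].Trim()     # drop comments
        if (-not $line) { return }
        $parts = $line -split '\s+'
        if ($parts.Count -lt 2) { return }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                IP       = $ip
                HostName = $name
                Loopback = $ip -in @('127.0.0.1', '::1')
            }
        }
    } | Where-Object { -not $_.Loopback }
}

function Get-InboundAllowRules {
    # Enabled inbound allow rules with their local ports. Get-NetFirewallRule
    # exposes no creation timestamp, so instead of relying on list order every
    # rule with a specific port and no DisplayGroup (built-in rules are grouped)
    # is listed for review.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $portFilter = $rule | Get-NetFirewallPortFilter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Protocol    = $portFilter.Protocol
            LocalPort   = ($portFilter.LocalPort -join ', ')
            Profile     = $rule.Profile
            Group       = $rule.DisplayGroup
        }
    } | Where-Object { $_.LocalPort -ne 'Any' -and -not $_.Group }
}

function Get-FirewallRuleChangeEvents {
    # Event 2004 is written when a rule is added to the firewall; it supplies
    # the ordering the GUI list does not. Returned newest first.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id      = 2004
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Message
}

Get-HostsFileOverrides       | Format-Table -AutoSize
Get-InboundAllowRules        | Format-Table -AutoSize
Get-FirewallRuleChangeEvents | Select-Object -First 5 | Format-List
```

The 2004 events are the reliable way to answer "which rule was opened last": the Message text names the rule, and TimeCreated orders the additions, which the Inbound Rules view in the console never shows.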
