Monday, April 24, 2023

THM - Investigating Windows


This challenge is exactly what it says on the tin: a series of questions about investigating a Windows machine that has previously been compromised.


What's the version and year of the Windows machine?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"

Which user logged in last?
Get-LocalUser | Select Name, Lastlogon

When did John log onto the system last?
The LastLogon column from the previous command gives this.

What IP does the system connect to when it first starts?
A cmd window pops up at logon showing the IP the system connects to.

What two accounts had administrative privileges (other than the Administrator user)?
net localgroup administrators

What's the name of the malicious scheduled task?
Check the scheduled tasks; a few obvious ones stick out. Check the actions of each, since the name alone tells you little.

What file was the task trying to run daily?
Found under the actions of the malicious task.

What port did this file listen on locally?
Found under the actions of the malicious task, in the arguments passed to the file.
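The three scheduled-task questions above can be answered in one pass. The script below is an added example (not part of the original write-up) that lists every task together with what it executes, its arguments, trigger type and last run time, then filters for the things that usually give a persistence task away. The path and binary patterns in the filter are my assumptions about what "suspicious" looks like, not something the room specifies; run it in an elevated PowerShell on the target.

```powershell
# Added example: enumerate scheduled tasks by what they run, not by name.

function Get-TaskSummary {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            [pscustomobject]@{
                TaskName  = $task.TaskName
                Path      = $task.TaskPath
                State     = $task.State
                RunAs     = $task.Principal.UserId
                Execute   = $action.Execute       # the file the task runs
                Arguments = $action.Arguments     # e.g. the port a listener binds to
                # MSFT_TaskDailyTrigger -> DailyTrigger, which answers "daily?"
                Triggers  = ($task.Triggers | ForEach-Object { $_.CimClass.CimClassName -replace '^MSFT_Task', '' }) -join ','
                LastRun   = $info.LastRunTime
                NextRun   = $info.NextRunTime
            }
        }
    }
}

# Assumed heuristics: binaries living in user-writable folders, or a task that
# just launches an interpreter / netcat-style tool, deserve a second look.
$suspiciousPaths = '\\Users\\|\\Temp\\|\\ProgramData\\|\\TMP\\'
$interpreters    = 'cmd\.exe|powershell|wscript|cscript|mshta|rundll32|nc\.exe|netcat'

Get-TaskSummary |
    Where-Object { ($_.Execute + ' ' + $_.Arguments) -match "$suspiciousPaths|$interpreters" } |
    Format-Table TaskName, RunAs, Execute, Arguments, Triggers, LastRun -AutoSize

# Full listing, most recently run first, for when the filter is too narrow.
Get-TaskSummary | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

The Execute column answers "what file was the task trying to run", the Triggers column shows whether it fires daily, and the listening port is in Arguments, exactly where the write-up says to look. The task's creation date is not exposed by Get-ScheduledTask; for that, open the task in Task Scheduler or check the XML under C:\Windows\System32\Tasks.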

When did Jenny last log on?
We can use
Get-LocalUser | Select Name, Lastlogon
and cross-check it against the Security log in Event Viewer, filtered for Jenny and EID 4624 (successful logon). The SAM value and the event log will not always agree, so check both.

At what date did the compromise take place?
Something was created for persistence; its creation date is the answer.

At what time did Windows first assign special privileges to a new logon?
Search the Security log for EID 4672 (special privileges assigned to new logon) and take the earliest event.
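Clicking through Event Viewer filters works, but the logon questions above (who logged in last, John's and Jenny's last logon, the first 4672) are quicker to answer from one script. The following is an added example, not code from the original write-up: it reads the SAM view via Get-LocalUser and then parses the EventData of 4624 and 4672 events from the Security log. The user name 'Jenny' is the one the room uses; the logon-type filter (2, 3 and 10) is my choice to drop service and batch noise. Needs an elevated prompt on the target.

```powershell
# Added example: answer the "who / when logged on" questions from the SAM
# and the Security log in one go.

# 1. Last logon per local account, newest first. LastLogon comes from the
#    SAM and only reflects logons recorded there; accounts that never logged
#    on sort to the bottom.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon |
    Sort-Object LastLogon -Descending |
    Format-Table -AutoSize

# 2. Successful logons (EID 4624) for one user, parsed out of the event XML.
function Get-UserLogons {
    param(
        [Parameter(Mandatory)] [string] $UserName,
        [int] $MaxEvents = 1000
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $data['TargetUserName']
                Domain    = $data['TargetDomainName']
                LogonType = [int]$data['LogonType']   # 2 interactive, 3 network, 10 RDP
                SourceIP  = $data['IpAddress']
                Process   = $data['ProcessName']
            }
        } |
        Where-Object { $_.User -eq $UserName -and $_.LogonType -in 2, 3, 10 }
}

# Jenny's most recent successful logon (assumed account name from the room)
Get-UserLogons -UserName 'Jenny' | Sort-Object Time -Descending | Select-Object -First 1

# 3. First "special privileges assigned to new logon" (EID 4672) still in the
#    log. -Oldest flips the default newest-first order.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -Oldest -ErrorAction SilentlyContinue |
    Select-Object -First 1 TimeCreated,
        @{ n = 'Subject'; e = { ([xml]$_.ToXml()).Event.EventData.Data |
                                  Where-Object Name -eq 'SubjectUserName' |
                                  Select-Object -ExpandProperty '#text' } }
```

One caveat when comparing answers: Get-WinEvent reports TimeCreated in local time, while the SAM LastLogon value is also local, so the two should line up to the minute for interactive logons; a gap usually means the last SAM logon was not the type you filtered for.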

What tool was used to get Windows passwords?
It is in the TMP folder the attackers created.

What was the attacker's external command and control (C2) server IP?
Check the hosts file for changes made by the attacker.

What was the extension of the shell uploaded via the server's website?
Check wwwroot for a recently added script file.

What was the last port the attacker opened?
Check the inbound firewall rules; several suspicious ports have been opened to allow inbound connectivity.
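Firewall rules do not carry a creation timestamp, so "last port opened" has to be inferred. The script below is an added example (not from the original write-up) that lists enabled inbound allow rules with their ports and programs, narrows to rules that are not part of a Windows feature group, and then pulls "rule added" events from the firewall's own operational log so the rules can be put in time order. The assumption that attacker-added rules have no DisplayGroup is a heuristic, and the log name and event ID 2004 are from my own knowledge of the Windows Firewall log, not something the room states. Run as administrator.

```powershell
# Added example: inbound allow rules, with ports, and when they were added.

function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction Stop |
        ForEach-Object {
            $rule = $_
            $port = $rule | Get-NetFirewallPortFilter
            $app  = $rule | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name        = $rule.DisplayName
                Group       = $rule.DisplayGroup      # empty for hand-made rules (assumed heuristic)
                Profile     = $rule.Profile
                Protocol    = $port.Protocol
                LocalPort   = ($port.LocalPort -join ',')
                RemotePort  = ($port.RemotePort -join ',')
                Program     = $app.Program
                Description = $rule.Description
            }
        }
}

# Rules outside any feature group that open a specific local port.
Get-InboundAllowRules |
    Where-Object { [string]::IsNullOrEmpty($_.Group) -and $_.LocalPort -ne 'Any' } |
    Sort-Object Name |
    Format-Table Name, Profile, Protocol, LocalPort, Program -AutoSize

# Firewall operational log: 2004 = rule added, 2005 = rule modified,
# 2006 = rule deleted. Newest first, so the top entry is the last port opened.
Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
        Id      = 2004
    } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message |
    Format-List
```

If the operational log has been cleared or rolled over, fall back to matching the rule names from the first listing against the scheduled-task and hosts-file timeline; the highest-numbered or most out-of-place port is usually the one the room wants.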

Check for DNS poisoning: what site was targeted?
This is also in the hosts file; an entry there overrides DNS resolution for that name, which is how the legitimate site gets redirected.
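Both hosts-file questions (the C2 address and the poisoned site) come from the same few lines, so here is an added example, not part of the original write-up, that parses the file instead of eyeballing it. A stock Windows hosts file contains only comments, so every mapping it returns was added after install; the loopback/link-local exclusion is my assumption about what counts as benign.

```powershell
# Added example: parse the hosts file into address/hostname pairs.

function Get-HostsEntries {
    param([string] $Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -Path $Path -ErrorAction Stop |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -and -not $_.StartsWith('#') } |
        ForEach-Object {
            # drop any trailing comment, then split: address followed by one or more names
            $line  = ($_ -split '#', 2)[0].Trim()
            $parts = $line -split '\s+'
            if ($parts.Count -ge 2) {
                foreach ($name in $parts[1..($parts.Count - 1)]) {
                    [pscustomobject]@{ Address = $parts[0]; Hostname = $name }
                }
            }
        }
}

$entries = Get-HostsEntries
$entries | Format-Table -AutoSize

# Loopback and link-local mappings are normal. Anything else is either a name
# the attacker resolves to their own host (C2) or a legitimate site pointed
# somewhere it should not go (the "DNS poisoning" question).
$entries | Where-Object { $_.Address -notmatch '^(127\.|::1$|169\.254\.)' }

# The file's modification time is another data point for the compromise timeline.
(Get-Item "$env:SystemRoot\System32\drivers\etc\hosts").LastWriteTime
```

A hostname that maps to a non-local address you do not recognise is the C2 entry; a well-known site mapped to that same or another foreign address is the poisoned one.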

THM - Windows Forensics 1

Scenario One of the Desktops in the research lab at Organization X is suspected to have been accessed by someone unauthorized. Although the...