Introduction
This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.
Questions
Whats the version and year of the windows machine?
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Which user logged in last?
Get-LocalUser | Select Name, Lastlogon
When did John log onto the system last?
We can get that info from our last command
What IP does the system connect to when it first starts?
There will be a cmd pop up upon system login with the IP
What two accounts had administrative privileges (other than the Administrator user)?
net localgroup administrators
Whats the name of the scheduled task that is malicious.
Check the scheduled tasks, there will be a few obvious ones which stick out! Check the actions of each.
What file was the task trying to run daily?
Found under the actions of the malicious task.
What port did this file listen locally for?
Found under the actions of the malicious task.
When did Jenny last logon?
We can use Get-LocalUser | Select Name, Lastlogon
Or
Check the Security Log in EventViewer and filter for Jenny and EID 4624
At what date did the compromise take place?
Something was created for persistence, when?
At what time did Windows first assign special privileges to a new logon?
Search EID 4672 under the security log.
What tool was used to get Windows passwords?
We can find that within the TMP folder the attackers created.
What was the attackers external control and command servers IP?
Check the hosts file for any potential changes made by the attacker
What was the extension name of the shell uploaded via the servers website?
Check wwwroot
What was the last port the attacker opened?
Check the firewall rules for inbound, there are a few suspicious ports being opened to allow inbound connectivity.
Check for DNS poisoning, what site was targeted?
We found this within the hosts file.
