Skip to content

Latest commit

 

History

History
61 lines (34 loc) · 2.25 KB

InvestigatingWindows.md

File metadata and controls

61 lines (34 loc) · 2.25 KB

Investigating Windows - Easy

  • As the machine starts, we can check that it tries to connect to a certain IP.

  • We can check the system info from the Settings.

  • To view the user login history, we can check Events Viewer > Windows Logs > Security; sort by date and time.

#to find last login for user
net user John | findstr /B /C:"Last logon"

net user Jenny | findstr /B /C:"Last logon"

#to find accounts with admin privileges
net localgroup administrators

  • To find scheduled tasks on Windows, we can check Task Scheduler; we can view more info like Triggers and Actions for each task.

  • To view the events in Event Viewer for assignment of special privileges to a logon, we can use filters for Event ID 4672, and select the oldest event according to the format given in the hint.

  • The attackers IP and the targeted site can be found in the /etc/hosts file, stored in the System32 drivers folder in Windows.

  • Similarly, we have to go through the files in the system drive; the inetpub folder contains files with .jsp extensions.

  • The last port that the attacker opened can be viewed in Windows Firewalls, in the first entry itself.

1. What's the version and year of the Windows machine? - Windows Server 2016

2. Which user logged in last? - Administrator

3. When did John log onto the system last? - 03/02/2019 5:48:32 PM

4. What IP does the system connect to when it first starts? - 10.34.2.3

5. What two accounts had administrative privileges (other than the Administrator user)? - Jenny, Guest

6. What's the name of the scheduled task that is malicious? - Clean file system

7. What file was the task trying to run daily? - nc.ps1

8. What port did this file listen locally for? - 1348

9. When did Jenny last logon? - Never

10. At what date did the compromise take place? - 03/02/2019

11. At what time did Windows first assign special privileges to a new logon? - 03/02/2019 04:04:49 PM

12. What tool was used to get Windows passwords? - mimikatz

13. What was the attackers' external control and command servers' IP? - 76.32.97.132

14. What was the extension name of the shell uploaded via the servers website? - .jsp

15. What was the last port the attacker opened? - 1337

16. Check for DNS poisoning, what site was targeted? - google.com