Investigating Windows
Last updated
Let's connect to the machine over RDP using Remmina.
We are logged in. To see the Windows edition and version, go to Windows > This PC > (Right Click) Properties.
We were the last ones to log in, as the user Administrator.
Next, let's check when the user John last logged onto the machine.
Next, let's look for the IP address the system connects to when it first starts. That means the programs that run at boot or logon, so open Start > Regedit and browse to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.
Look at the UpdateSvc entry; its command line contains the IP address.
To see which other users have administrative privileges, go to Start > User Accounts > Manage Accounts, which lists every account with its type (Administrator or Standard).
The other administrator is Guest.
Now let's find the name of the malicious scheduled task: Start > Task Scheduler > Task Scheduler Library.
Looking through the tasks, Clean file system is the malicious one: it runs every few minutes and clears data.
The file the task is set to run daily is shown on its Actions tab.
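The Run key and Task Scheduler checks above can be done from one PowerShell prompt instead of clicking through Regedit and the scheduler GUI. The script below is an added example, not part of the original walkthrough or the room; it assumes Windows 8 / Server 2012 or later for the ScheduledTasks cmdlets and an elevated prompt, and the list of Run keys it walks is mine, not something the walkthrough names.

```powershell
# Added example (not from the original walkthrough): dump the common autostart
# registry keys, then list every non-Microsoft scheduled task with its action,
# repeat interval and last/next run time. Run from an elevated prompt.

# Assumption: these are the keys worth checking first; the walkthrough only names HKLM ...\Run.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

function Get-AutostartEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        # Every value under the key is one autostart entry; PS* properties are
        # metadata PowerShell adds to the object, not registry values.
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }
            [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

function Get-TaskActions {
    # Skip the \Microsoft\ tree to cut the noise; an attacker can still hide there,
    # so widen this filter if nothing stands out.
    Get-ScheduledTask |
        Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
        ForEach-Object {
            $task = $_
            $info = $task | Get-ScheduledTaskInfo
            # Repetition interval is ISO 8601 (PT1M = every minute); empty for one-shot triggers.
            $repeat = ($task.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','
            foreach ($a in $task.Actions) {
                [pscustomobject]@{
                    Task      = $task.TaskName
                    State     = $task.State
                    Execute   = $a.Execute
                    Arguments = $a.Arguments
                    Repeat    = $repeat
                    LastRun   = $info.LastRunTime
                    NextRun   = $info.NextRunTime
                }
            }
        }
}

Get-AutostartEntries | Format-Table -AutoSize
Get-TaskActions      | Sort-Object LastRun -Descending | Format-Table -AutoSize
```

Reading the Execute and Arguments columns together is what answers "which file does the task run" and "which port": the port is usually passed as an argument rather than living inside the script. A short Repeat value on a task whose name sounds like housekeeping is the same signal the walkthrough spots by eye.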
Let's have a look at that script: Start > This PC > Local Disk (C:) > TMP > nc.
It is not well formatted, so open it in something that makes it easier to read: right-click the script and choose Edit, which opens it in Windows PowerShell ISE.
The port the file listens on is the one we already found in the previous step.
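Reading the listener's port out of the task is one thing; confirming something is actually bound to it is the check a responder would want next. The script below is an added example, not code from the walkthrough or the room. It assumes Windows 8 / Server 2012 or later for Get-NetTCPConnection and an elevated prompt, and the path C:\TMP\nc.ps1 is my assumption from the walkthrough's "TMP > nc" plus the fact that Edit opened it in PowerShell ISE; the page never spells the full name out.

```powershell
# Added example (not from the original walkthrough): map every listening TCP port
# to its owning process so the port from the task can be tied to a live listener,
# then fingerprint the script file itself. Run from an elevated prompt so that
# other users' process paths are readable.

function Get-ListeningPorts {
    param([int[]]$Highlight = @())   # ports to flag, e.g. the one the task passes to the script

    $byPid = @{}
    Get-Process | ForEach-Object { $byPid[$_.Id] = $_ }

    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $proc = $byPid[[int]$_.OwningProcess]
            $name = if ($proc) { $proc.ProcessName } else { '?' }
            $path = if ($proc) { $proc.Path } else { $null }   # $null when not elevated
            $note = if ($Highlight -contains [int]$_.LocalPort) { '<-- port from the task' } else { '' }
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                PID     = $_.OwningProcess
                Process = $name
                Path    = $path
                Note    = $note
            }
        }
}

# Pass the port read from the task's Actions tab as -Highlight to mark it in the table.
Get-ListeningPorts | Format-Table -AutoSize

# Fingerprint the script so it can be matched on other hosts or in a lookup service.
$script = 'C:\TMP\nc.ps1'   # assumption, see the lead-in
if (Test-Path $script) {
    Get-Item $script | Select-Object FullName, Length, CreationTime, LastWriteTime
    Get-FileHash -Path $script -Algorithm SHA256
}
```

A listener owned by powershell.exe whose command line points at a script under C:\TMP is the combination to look for; if the port from the task is not in the table at all, the task has either not fired yet or the listener exited, and the LastRun time from the scheduler tells you which.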
Next, let's check when the user Jenny last logged in.
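The John and Jenny last-logon checks and the "who else is an administrator" check above are all answered by one table of local accounts. The script below is an added example, not from the walkthrough or the room; it assumes PowerShell 5.1 or later (the Microsoft.PowerShell.LocalAccounts module) and an elevated prompt.

```powershell
# Added example (not from the original walkthrough): one report of every local
# account with its enabled state, local Administrators membership and last
# logon time. Run from an elevated prompt.

function Get-LocalAccountReport {
    # Group members can be local or domain principals; keep the bare account name
    # so it compares against Get-LocalUser's Name property.
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
        ForEach-Object { ($_.Name -split '\\')[-1] }

    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            IsAdmin         = $admins -contains $_.Name
            LastLogon       = $_.LastLogon          # $null if the account has never logged on
            PasswordLastSet = $_.PasswordLastSet
            SID             = $_.SID.Value
        }
    } | Sort-Object LastLogon -Descending
}

$report = Get-LocalAccountReport
$report | Format-Table -AutoSize

# The two questions from the walkthrough, answered from the same data.
$report | Where-Object { $_.Name -in 'John', 'Jenny' } | Select-Object Name, LastLogon
$report | Where-Object { $_.IsAdmin } | Select-Object Name, Enabled
```

Two things to keep in mind when reading the table: LastLogon is the last-logon stamp kept by the local SAM, so it is worth cross-checking against the Security log for anything you plan to put in a timeline, and an enabled Guest account that is also in Administrators is a finding on its own, whatever else is on the box.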
The compromise happened when the Game Over script was run, so let's find out when it first ran.
For the next few questions we need Event Viewer > Windows Logs > Security > Filter Current Log, filtering on Event ID 4624 (a successful logon). Then click the Date and Time column header so the oldest entries are at the top.
I did not know which entry it was, so I looked at the hint, which said the time ended in :49 PM. Scrolling for that, I found it.
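Scrolling a sorted 4624 list for a time that ends in :49 PM works, but the same log can be queried and decoded directly. The script below is an added example, not from the walkthrough or the room; it assumes an elevated prompt (reading the Security log needs it) and the fixed field order of event 4624 on Windows 7 / Server 2008 R2 and later, which is what the property indices rely on.

```powershell
# Added example (not from the original walkthrough): list successful logons
# (Event ID 4624) oldest first, decoding the target user, logon type, process
# and source address from the event's property array instead of its message text.

function Get-LogonEvents {
    param(
        [datetime]$After = (Get-Date).AddDays(-365),   # assumption: a wide default window
        [int[]]$LogonTypes = @(2, 3, 7, 10)            # interactive, network, unlock, RemoteInteractive (RDP)
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $After } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = $_.Properties   # index order is fixed for 4624, see lead-in
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $p[5].Value          # TargetUserName
                Domain    = $p[6].Value          # TargetDomainName
                LogonType = [int]$p[8].Value
                Process   = $p[17].Value         # ProcessName that requested the logon
                SourceIP  = $p[18].Value         # IpAddress, '-' for local logons
            }
        } |
        Where-Object {
            $_.LogonType -in $LogonTypes -and
            $_.User -notlike '*$' -and           # drop machine accounts
            $_.User -notin 'SYSTEM', 'ANONYMOUS LOGON'
        } |
        Sort-Object Time
}

$logons = Get-LogonEvents
$logons | Format-Table -AutoSize

# The hint says the logon of interest ends in :49 PM; filter on the minute
# instead of scrolling, then read the earliest hit.
$logons | Where-Object { $_.Time.Minute -eq 49 -and $_.Time.Hour -ge 12 } | Select-Object -First 5

# First logon per account: the earliest entry for a user created by the attacker
# usually lands right after the compromise time.
$logons | Group-Object User | ForEach-Object {
    [pscustomobject]@{ User = $_.Name; FirstSeen = ($_.Group | Select-Object -First 1).Time; Count = $_.Count }
} | Sort-Object FirstSeen | Format-Table -AutoSize
```

Logon type 10 with a non-local SourceIP is an RDP session, which is how you tell your own Remmina session apart from whatever the attacker did; keep your own login time in mind so you do not timeline it as theirs.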
The scheduled task we looked at ran Mimikatz, so that is the tool used to get Windows passwords.
We can find the attacker's external command-and-control server IP address by looking at the hosts file, C:\Windows\System32\drivers\etc\hosts; entries there override DNS for the names listed.
Looking at the file, two interesting sites are both mapped to one unusual IP address.
To find the extension of the shell uploaded through the server's website, go to Local Disk (C:) > inetpub > wwwroot.
The extension is .jsp.
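Eyeballing wwwroot for the odd file works on a small site; on a real one you want an inventory by extension and a look at the newest script files. The script below is an added example, not from the walkthrough or the room; it assumes the default IIS webroot C:\inetpub\wwwroot and PowerShell 4 or later for Get-FileHash, and the list of extensions and the regex of command-execution primitives are my choices, not something the page gives.

```powershell
# Added example (not from the original walkthrough): inventory the IIS webroot by
# extension, then list script-type files newest first with a crude check for
# command-execution primitives and a hash for matching elsewhere.

$webroot   = 'C:\inetpub\wwwroot'   # assumption: default IIS webroot
$scriptExt = '.jsp', '.jspx', '.asp', '.aspx', '.ashx', '.asmx', '.php', '.cshtml'

# Assumption: strings that show up in most simple web shells, across languages.
$shellMarkers = 'Runtime\.getRuntime\(\)|ProcessBuilder|Process\.Start|cmd\.exe|/bin/sh|eval\(|Request\.(Form|QueryString|Params)'

function Get-WebrootInventory {
    Get-ChildItem -Path $webroot -Recurse -File -Force -ErrorAction SilentlyContinue
}

function Find-WebShellCandidates {
    Get-WebrootInventory |
        Where-Object { $scriptExt -contains $_.Extension.ToLower() } |
        Sort-Object LastWriteTime -Descending |
        ForEach-Object {
            $body = Get-Content -Path $_.FullName -Raw -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File       = $_.FullName
                Written    = $_.LastWriteTime
                Created    = $_.CreationTime
                Size       = $_.Length
                Suspicious = [bool]($body -match $shellMarkers)   # -match is case-insensitive
                SHA256     = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Count by extension: a single .jsp in an IIS site stands out before reading anything.
Get-WebrootInventory | Group-Object Extension | Sort-Object Count |
    Select-Object Count, Name | Format-Table -AutoSize

Find-WebShellCandidates | Format-List
```

A .jsp file is doubly out of place here: IIS does not serve Java Server Pages without extra components, so even if it was never executed it is evidence of an upload, and its CreationTime is a usable timeline point.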
To find the last port the attacker opened, go to Windows Firewall with Advanced Security > Inbound Rules.
Open the Properties of the suspicious rule: the attacker may have changed the port and not changed it back, so the Local port on the Protocols and Ports tab shows the last port they used.
That is the port.
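Firewall rule objects carry no creation or modification time, so "the last port the attacker opened" cannot be read off the rule list alone; the firewall's own event log does record rule additions and changes. The script below is an added example, not from the walkthrough or the room; it assumes Windows 8 / Server 2012 or later for the NetSecurity cmdlets, an elevated prompt, and that the 2004/2005 event message carries the rule name on a "Rule Name:" line, which is an assumption about the message layout.

```powershell
# Added example (not from the original walkthrough): list enabled inbound Allow
# rules with their port and program, then read the firewall's operational log
# for the most recently added (2004) or modified (2005) rules.

function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            $app  = $_ | Get-NetFirewallApplicationFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Group     = $_.DisplayGroup
                Profile   = $_.Profile
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
                Program   = $app.Program
            }
        }
}

function Get-FirewallRuleChanges {
    param([int]$Last = 25)
    $fwLog = 'Microsoft-Windows-Windows Firewall With Advanced Security/Firewall'
    Get-WinEvent -FilterHashtable @{ LogName = $fwLog; Id = 2004, 2005 } -MaxEvents $Last -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: the rule name appears as "Rule Name: <name>" in the message text.
            $name = if ($_.Message -match 'Rule Name:\s*(.+)') { $Matches[1].Trim() } else { '(see message)' }
            [pscustomobject]@{ Time = $_.TimeCreated; Event = $_.Id; Rule = $name }
        }
}

# Rules with no DisplayGroup were not installed by a Windows feature, so hand-made
# rules (GUI, netsh, script) surface first; 'Any' port rules are shown separately.
Get-InboundAllowRules |
    Where-Object { -not $_.Group -and $_.LocalPort -ne 'Any' } |
    Format-Table -AutoSize

Get-FirewallRuleChanges | Format-Table -AutoSize
```

Reading the two outputs together gives the answer the walkthrough reaches by guessing: the most recent 2005 event names the rule the attacker last touched, and the port filter on that rule is the value it holds now.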
The site targeted for DNS poisoning was google.com, as we saw earlier in the hosts file.
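The hosts file answers two of the questions above at once: the well-known names mapped away from their real addresses are the poisoning targets, and the address they share is the candidate C2 server. The script below is an added example, not from the walkthrough or the room; it parses the file the way a resolver does and flags anything not pointed at loopback or a private range. The private-range regex is mine and only covers RFC 1918 IPv4.

```powershell
# Added example (not from the original walkthrough): parse the hosts file into
# one row per (IP, hostname) pair, skipping comments and blank lines, and
# group the non-loopback entries by IP so a C2 address stands out.

function Get-HostsEntries {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")

    Get-Content -Path $Path |
        ForEach-Object { ($_ -split '#', 2)[0].Trim() } |   # drop trailing and whole-line comments
        Where-Object { $_ } |                                # drop lines that are now empty
        ForEach-Object {
            $fields = $_ -split '\s+'                        # IP, then one or more hostnames
            if ($fields.Count -lt 2) { return }              # malformed line, skip it
            $ip = $fields[0]
            foreach ($name in $fields[1..($fields.Count - 1)]) {
                [pscustomobject]@{
                    IP       = $ip
                    Hostname = $name
                    Loopback = $ip -in '127.0.0.1', '::1', '0.0.0.0'   # 0.0.0.0 is the usual blocklist sink
                    Private  = [bool]($ip -match '^(10\.|192\.168\.|172\.(1[6-9]|2\d|3[01])\.)')   # assumption: RFC 1918 only
                }
            }
        }
}

$entries = Get-HostsEntries
$entries | Format-Table -AutoSize

# Names redirected to a public address: the hostnames are the poisoning targets,
# the IP they share is the candidate command-and-control address.
$entries |
    Where-Object { -not $_.Loopback -and -not $_.Private } |
    Group-Object IP |
    ForEach-Object { '{0,-18} {1}' -f $_.Name, ($_.Group.Hostname -join ', ') }
```

One caveat before calling that address the C2: a hosts entry only proves the attacker wanted those names to resolve there. Confirm it against outbound connections or the address already seen in the Run key entry before putting it in a report as the server.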