This post is a walkthrough of a digital forensics investigation of a Windows system, based on the TryHackMe lab "Investigating Windows".
Overview of TryHackMe Investigating Windows
Purpose:
- Investigate an infected Windows machine.
- Identify how it was compromised, what files or scripts caused the infection, and uncover attacker activity.
- Assume the role of a forensic investigator.
Key Tools Used:
- Remote Desktop (via Kali Linux).
- Windows built-in tools: Command Prompt, Event Viewer, Task Scheduler, and Registry Editor.
Key Steps in the Investigation
System Information Check:
- Verified the OS: Windows Server 2016 Datacenter.
- Confirmed the local user accounts (administrator, jenny, and john) and their last login times.
Event Logs Analysis:
- Searched the Security log in Event Viewer for suspicious activity using event IDs such as 4648 (a logon was attempted using explicit credentials) and 4672 (special privileges assigned to a new logon).
- Used the event timestamps to tie logins to attacker activity.
Task Scheduler Examination:
- Discovered two malicious scheduled tasks:
- Game Over: Runs Mimikatz to capture credentials every 5 minutes.
- Clean File System: Runs a PowerShell script (nc.ps1) that listens for incoming connections on local port 1348.
Registry Keys and Startup Scripts:
- Identified a malicious registry key under HKEY_LOCAL_MACHINE that executed a script at startup, connecting to the IP 10.34.2.3.
Firewall Rules Review:
- Found inbound firewall rules allowing two suspicious ports:
- 1337: The last port the attacker opened, used for attacker connections.
- 1348: Used by the PowerShell listener started from the scheduled task.
DNS Poisoning Evidence:
- Discovered DNS poisoning in the hosts file: traffic for a legitimate site (google.com) was redirected to a malicious IP.
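The steps above are all things you can collect from one elevated PowerShell session on the suspect host instead of clicking through Event Viewer, Task Scheduler and regedit. The script below is an added example written for this walkthrough; it is not part of the TryHackMe room or the original post. The IOC values (the two IPs and the two ports) are the ones reported in this write-up, the 2019-03-02 start date for the event query is the compromise date found in the lab, and the list of Run keys is the standard set of autostart locations rather than anything specific to this machine.

```powershell
# Added triage script for the "Investigating Windows" lab (not the original post's code).
# Run from an elevated PowerShell 5.1 session on the suspect host, ideally against a snapshot.
$SuspectIPs   = @('10.34.2.3', '76.32.97.132')   # IOCs reported in the write-up
$SuspectPorts = @(1337, 1348)                    # listener / attacker ports from the write-up
$Since        = Get-Date '2019-03-02'            # compromise date from the lab

# 1. OS edition, local accounts and their last logon, and who is in Administrators
Get-CimInstance Win32_OperatingSystem | Select-Object Caption, Version, InstallDate, LastBootUpTime
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Sort-Object LastLogon -Descending
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, ObjectClass, PrincipalSource

# 2. Security log: 4648 (explicit-credential logon) and 4672 (special privileges assigned)
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4648, 4672; StartTime = $Since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated | Format-Table -AutoSize

# 3. Scheduled tasks outside \Microsoft\: what they execute, with what arguments, and how often
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $t = $_
    $t.Actions | ForEach-Object {
        [pscustomobject]@{
            Task      = "$($t.TaskPath)$($t.TaskName)"
            State     = $t.State
            Execute   = $_.Execute
            Arguments = $_.Arguments
            Trigger   = ($t.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join ','
            Repeat    = ($t.Triggers | ForEach-Object { $_.Repetition.Interval }) -join ','   # e.g. PT5M
        }
    }
} | Format-Table -AutoSize -Wrap

# 4. Autostart (Run / RunOnce) values for the machine and the current user
$RunKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
           'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        Write-Host "== $k"
        Get-ItemProperty $k | Select-Object * -ExcludeProperty PS* | Format-List
    }
}

# 5. Enabled inbound allow rules whose local port is one of the suspect ports
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $rule = $_
    $pf   = $rule | Get-NetFirewallPortFilter
    $hit  = $SuspectPorts | Where-Object { $pf.LocalPort -contains "$_" }
    if ($hit) {
        [pscustomobject]@{ Rule = $rule.DisplayName; Port = $pf.LocalPort; Protocol = $pf.Protocol }
    }
}

# 6. Non-comment hosts entries (DNS poisoning) and live connections touching the IOCs
$hostsPath = "$env:SystemRoot\System32\drivers\etc\hosts"
Get-Content $hostsPath | Where-Object { $_ -match '\S' -and $_ -notmatch '^\s*#' }
Get-NetTCPConnection | Where-Object { $_.RemoteAddress -in $SuspectIPs -or $_.LocalPort -in $SuspectPorts } |
    Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State, OwningProcess
```

A default Windows hosts file contains only comment lines, so anything step 6 prints is worth explaining. Step 3 lists every non-Microsoft task rather than just the two names from the room, because an attacker can name a task anything; the Execute/Arguments columns are what give the Mimikatz and nc.ps1 tasks away.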
Findings
Attack Methodology:
- The attacker uploaded a reverse shell (a .jsp file) through the server's website.
- Scheduled tasks were used to collect credentials (via Mimikatz) and maintain persistent access.
- Connections to the command-and-control (C2) server were established via malicious scripts.
Compromise Date: March 2, 2019.
Malicious Files:
- Files such as nc.ps1 and mim.exe were discovered; they were used for persistence and credential theft.
Indicators of Compromise (IoCs):
- IPs: 10.34.2.3 (contacted at startup) and 76.32.97.132 (external command-and-control server).
- Ports: 1337 and 1348.
Steps to Secure the System
Remove Malicious Files:
- Delete the malicious scheduled tasks, nc.ps1, and mim.exe.
Clean Registry:
- Remove startup scripts pointing to malicious executables.
Fix DNS Poisoning:
- Restore the legitimate hosts file.
Close Vulnerable Ports:
- Delete the firewall rules allowing access to ports 1337 and 1348.
TryHackMe Investigating Windows | Room Answers
What's the version and year of the Windows machine?
Windows Server 2016
Which user logged in last?
Administrator
When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM
03/02/2019 5:48:32 PM
What IP does the system connect to when it first starts?
10.34.2.3
What two accounts had administrative privileges (other than the Administrator user)?
Answer format: username1, username2
Jenny, Guest
What's the name of the scheduled task that is malicious?
Clean file system
What file was the task trying to run daily?
nc.ps1
What port did this file listen locally for?
1348
When did Jenny last logon?
Never
At what date did the compromise take place?
Answer format: MM/DD/YYYY
03/02/2019
During the compromise, at what time did Windows first assign special privileges to a new logon?
Answer format: MM/DD/YYYY HH:MM:SS AM/PM
03/02/2019 4:04:49 PM
What tool was used to get Windows passwords?
Mimikatz
What was the attacker's external control and command server's IP?
76.32.97.132
What was the extension name of the shell uploaded via the server's website?
.jsp
What was the last port the attacker opened?
1337
Check for DNS poisoning, what site was targeted?
google.com