This is the first room of a series about Investigating Windows; it was very useful for practicing some of the things I’ve been learning recently about Windows forensics. In particular, this machine (and possibly the other 2 in the series) doesn’t let you use software like Autopsy, Redline, Sysmon, etc., so it’s all manual work, using several native Windows tools to gather the needed information about the compromise.
Scenario
You’re a security analyst for a mid-size company. It’s your job to investigate some previously attacked Windows machines to determine how and what the attacker did with minimal tools at your disposal. Do you have what it takes to solve these cyber defense challenges?
Investigation
- What’s the version and year of the Windows machine?
I found the answer in the Windows registry, at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion.
- Which user logged in last?
Answer in the Windows Registry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI
Under this key there is a value called LastLoggedOnUser, which stores the last logged-on user in the format DOMAIN\Username (a local account shows up as .\Username). It reflects the last account that went through the logon UI on the console, so it does not change on network or scheduled-task logons.
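The two registry lookups above, as an added PowerShell example that is not part of the original write-up. It reads the same CurrentVersion and LogonUI keys; the value names are the standard ones (ReleaseId only exists on Windows 10 / Server 2016 and later, and InstallDate is stored as Unix epoch seconds).

```powershell
# Added example (not from the original write-up): OS version and last logged-on
# user, read straight from the two registry keys named in the text.
function Get-OsVersionInfo {
    $nt = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    [PSCustomObject]@{
        ProductName  = $nt.ProductName          # e.g. "Windows Server 2016 Datacenter"
        ReleaseId    = $nt.ReleaseId            # "1607", "1809", ... ; $null on older builds
        CurrentBuild = $nt.CurrentBuild
        # InstallDate is a DWORD holding Unix epoch seconds; useful for the "year" part
        InstallDate  = [DateTimeOffset]::FromUnixTimeSeconds($nt.InstallDate).UtcDateTime
    }
}

function Get-LastLoggedOnUser {
    $ui = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI'
    [PSCustomObject]@{
        LastLoggedOnUser    = $ui.LastLoggedOnUser      # DOMAIN\Username or .\Username
        LastLoggedOnSAMUser = $ui.LastLoggedOnSAMUser   # same account, SAM-style name
        LastLoggedOnUserSID = $ui.LastLoggedOnUserSID   # SID, survives account renames
    }
}

Get-OsVersionInfo | Format-List
Get-LastLoggedOnUser | Format-List
```

Reading the SID alongside the name is worth the extra line: if the attacker renamed an account after logging on, the SID still identifies which one it was.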
- When did John log onto the system last?
The answer is found using the Command Prompt, with: net user John. The output includes a “Last logon” field.
If one is not sure that John is the exact username, net user on its own lists all the local users on the machine.
Alternatively, one can open the Security log in the Windows Event Viewer, filter on Event ID 4624 (an account was successfully logged on) and use the “Find” function to search for the keyword “John”. The Logon Type field in the event (2 for interactive, 3 for network, 10 for RDP) tells you what kind of logon it was, which net user does not show.
- What IP does the system connect to when it first starts?
As soon as the system starts, you can see a Command Prompt window that runs a command to connect to a specific IP address. In case one misses it, or in case you are doing an investigation where you find the machine already turned on, you can check the machine’s autostart entries in the Windows registry at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
The command-line parameters stored in each value show the IP address the executable connects to. The per-user key under HKEY_CURRENT_USER and the RunOnce variants of both should be checked as well, since autostart entries can live there too.
- What two accounts had administrative privileges (other than the Administrator user)?
The answer is found in the Windows Computer Management utility, under Local Users and Groups, by looking at the members listed in the properties of the Administrators group.
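The account questions above (net user for a last logon date, the Administrators group membership, and later the “Never” logon for Jenny) can be answered from one table. This is an added PowerShell example, not part of the original write-up; it relies on Get-LocalUser and Get-LocalGroupMember, which exist on Windows 10 / Server 2016 and later (on older systems, net user and net localgroup Administrators give the same data).

```powershell
# Added example (not from the original write-up): every local account with its last
# logon and password-set dates, flagged when it is a member of Administrators.
function Get-LocalAccountTriage {
    # Members come back as COMPUTER\name or DOMAIN\name; keep only the name part
    $admins = Get-LocalGroupMember -Group 'Administrators' |
              ForEach-Object { ($_.Name -split '\\')[-1] }

    Get-LocalUser | ForEach-Object {
        [PSCustomObject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            IsAdmin         = $admins -contains $_.Name
            LastLogon       = $_.LastLogon        # $null here is what 'net user' prints as "Never"
            PasswordLastSet = $_.PasswordLastSet  # for a freshly created account this is its creation time
        }
    }
}

# Newest password-set dates first: accounts the attacker created cluster at the top
Get-LocalAccountTriage | Sort-Object PasswordLastSet -Descending | Format-Table -AutoSize
```

Sorting on PasswordLastSet is deliberate: the room asks when the compromise happened, and attacker-created accounts have their password set at creation, so they line up with the other artefacts from that day.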
- What’s the name of the scheduled task that is malicious?
There were several, but Clean File System was the correct answer.
- What file was the task trying to run daily?
- What port did this file listen locally for?
nc.ps1 and port 1348, as shown in the screenshot above.
- When did Jenny last log on?
The answer (Never) is found with net user Jenny, as for the earlier question about John.
- At what date did the compromise take place?
The answer is found by correlating several clues: the date on which the scheduled tasks were created, which matches the creation date of the malicious files in the C:\TMP\ folder, and the date on which the users Jenny and John were created and had their passwords set (shown in the previous screenshots too).
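The scheduled-task questions (the malicious task, the file it runs, the port it listens on) and the timestamp correlation above, as one added PowerShell example that is not from the original write-up. The C:\TMP path is taken from the text; the filter that hides Microsoft’s own tasks and the regex used to spot a port number in a task’s arguments are assumptions.

```powershell
# Added example (not from the original write-up): non-Microsoft scheduled tasks with
# their actions, triggers and creation dates, next to the creation times of the files
# in C:\TMP, so the two sets of timestamps can be lined up.
$suspectDir = 'C:\TMP'   # from the write-up

function Get-SuspectTasks {
    Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $taskArgs = [string]$a.Arguments
            [PSCustomObject]@{
                Task       = $task.TaskName
                # Date comes from the task XML's <Date> element: set when the task was
                # registered, but it is author-supplied and can be blank or forged
                Created    = $task.Date
                Execute    = $a.Execute
                Arguments  = $taskArgs
                Trigger    = ($task.Triggers | ForEach-Object {
                                 $_.CimClass.CimClassName -replace '^MSFT_Task', ''
                             }) -join ','
                # Assumed convention: a netcat-style "-l <port>" / "-p <port>" argument
                Port       = if ($taskArgs -match '(?i)(?:-l|-p|--port)\s*(\d{1,5})') { $Matches[1] } else { '' }
                TouchesTmp = ("$($a.Execute) $taskArgs") -like "*$suspectDir*"
            }
        }
    }
}

function Get-SuspectFiles {
    Get-ChildItem $suspectDir -File -ErrorAction SilentlyContinue |
        Sort-Object CreationTime |
        Select-Object Name, Length, CreationTime, LastWriteTime
}

Get-SuspectTasks | Sort-Object Created | Format-Table -AutoSize -Wrap
Get-SuspectFiles | Format-Table -AutoSize
```

Reading the two tables together is the point: a task whose Execute/Arguments point into C:\TMP, whose trigger is DailyTrigger and whose Created date equals the CreationTime of the files it references is the cluster that dates the compromise. The Port column only works for tools that take the port as a command-line flag; if it is empty, open the referenced script and read the listener line directly.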
- At what time did Windows first assign special privileges to a new logon?
There is an event ID that is logged in Windows when special privileges are assigned to a new logon session: Event ID 4672 (“Special privileges assigned to new logon”), which is written to the “Security” log in the Windows Event Viewer.
Event ID 4672 is logged each time a new logon session is granted one or more sensitive privileges, such as SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege. In practice that means every logon by an administrative account produces one, immediately after the matching 4624 event and sharing its Logon ID. The event records the subject (account SID, account name, domain and Logon ID) and the list of privileges assigned; it does not name a process. Filtering the Security log on 4672 and taking the oldest entry gives the time asked for.
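The two Security-log lookups on this page (the last 4624 logon for a named user, from the earlier question about John, and the earliest 4672 event here), as one added PowerShell example that is not part of the original write-up. It parses the event XML instead of searching the Message text, so it is not affected by localisation. The username is an assumption for this scenario, and both queries only see what is still in the log: if the Security log has rolled over, the “first” 4672 is the first surviving one.

```powershell
# Added example (not from the original write-up): Security-log queries for the
# last successful logon of one account (4624) and the earliest "special privileges
# assigned to new logon" event (4672).

# Turn one event's EventData into a hashtable of field name -> value
function ConvertTo-EventFields {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = @{}
    foreach ($d in ([xml]$Event.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    $fields
}

function Get-LastLogon {
    param([string]$User)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = ConvertTo-EventFields $_
            [PSCustomObject]@{
                Time      = $_.TimeCreated
                User      = $f['TargetUserName']
                LogonType = $f['LogonType']     # 2 interactive, 3 network, 10 RemoteInteractive (RDP)
                SourceIp  = $f['IpAddress']
                LogonId   = $f['TargetLogonId']
            }
        } |
        Where-Object { $_.User -eq $User } |
        Sort-Object Time -Descending |
        Select-Object -First 1
}

function Get-FirstSpecialPrivilegeLogon {
    # -Oldest returns events in chronological order, so the first one is the earliest
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -Oldest -ErrorAction SilentlyContinue |
        Select-Object -First 1 |
        ForEach-Object {
            $f = ConvertTo-EventFields $_
            [PSCustomObject]@{
                Time       = $_.TimeCreated
                Subject    = $f['SubjectUserName']
                LogonId    = $f['SubjectLogonId']   # matches TargetLogonId of the paired 4624
                Privileges = (($f['PrivilegeList'] -split '\s+') | Where-Object { $_ }) -join ','
            }
        }
}

Get-LastLogon -User 'John'          # assumed username from this scenario
Get-FirstSpecialPrivilegeLogon
```

The LogonId columns are there so the two results can be joined: the 4624 whose TargetLogonId equals the 4672’s SubjectLogonId is the logon that received those privileges, which tells you whether the first privileged session belonged to an account the attacker created.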
- What tool was used to get Windows passwords?
Mimikatz: there’s a scheduled task that runs a mim.exe file and writes an output file in the TMP folder, and that output file shows the mimikatz header. This is a screenshot of the scheduled task that shows this info too:
- What was the attacker’s external command and control server’s IP?
- Check for DNS poisoning, what site was targeted?
To answer both questions, look at the Windows hosts file at C:\Windows\System32\drivers\etc\hosts, where the attackers added an entry mapping google.com to the IP address of their C2 server. Strictly speaking this is a hosts-file override rather than DNS cache poisoning: the resolver consults the hosts file before it queries DNS, so any entry there wins regardless of what the DNS server answers.
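The hosts-file check above, as an added PowerShell example that is not from the original write-up. It parses the file properly (comments, blank lines, several names on one line) and flags any name that resolves somewhere other than loopback; which names count as suspicious is an assumption and the flagging rule is deliberately simple.

```powershell
# Added example (not from the original write-up): parse the hosts file and flag
# entries that point a name at a non-loopback address.
function Get-HostsEntries {
    $hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    Get-Content $hostsPath |
        ForEach-Object { ($_ -split '#')[0].Trim() } |   # strip trailing and full-line comments
        Where-Object { $_ } |                            # drop blank lines
        ForEach-Object {
            $parts = $_ -split '\s+'
            if ($parts.Count -lt 2) { return }           # malformed line: IP with no name
            # One line may carry several names for the same IP; emit one row per name
            foreach ($name in $parts[1..($parts.Count - 1)]) {
                [PSCustomObject]@{ IP = $parts[0]; Host = $name.ToLower() }
            }
        }
}

function Get-SuspiciousHostsEntries {
    $loopback = '127.0.0.1', '::1'
    Get-HostsEntries | Where-Object {
        $_.Host -ne 'localhost' -and $loopback -notcontains $_.IP
    } | ForEach-Object {
        $_ | Add-Member -NotePropertyName Reason -NotePropertyValue 'non-loopback override' -PassThru
    }
}

Get-HostsEntries | Format-Table -AutoSize
Get-SuspiciousHostsEntries | Format-Table -AutoSize
```

On a default Windows install the hosts file contains only commented-out lines, so every row the first function prints is something someone added; the second function just narrows that to entries that redirect a name off the machine, which is exactly the google.com-to-C2 pattern described above.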
- What was the extension name of the shell uploaded via the server’s website?
Browsing the website’s document root on this web server gives the answer, as some suspicious files were left there (for IIS the default root is C:\inetpub\wwwroot).
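A way to find the uploaded shell without eyeballing the folder, as an added PowerShell example that is not from the original write-up. The document-root path, the list of script extensions and the keyword list are assumptions for this scenario; the output lists every server-side script under the root with its timestamps and the shell-like keywords it contains.

```powershell
# Added example (not from the original write-up): list server-side script files under
# the web root, newest first, with any web-shell keywords found inside them.
function Find-WebShellCandidates {
    param(
        [string]$WebRoot = 'C:\inetpub\wwwroot',   # assumed: IIS default document root
        [string[]]$ShellExtensions = @('.php', '.jsp', '.jspx', '.asp', '.aspx', '.ashx', '.cfm'),
        [string[]]$Keywords = @('cmd.exe', 'Runtime.getRuntime', 'ProcessStartInfo',
                                'eval(', 'shell_exec', 'base64_decode', 'Request.Form', 'request.getParameter')
    )
    Get-ChildItem $WebRoot -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $ShellExtensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            # -SimpleMatch: the keywords contain regex metacharacters like "(" and "."
            $hits = Select-String -Path $_.FullName -Pattern $Keywords -SimpleMatch -ErrorAction SilentlyContinue
            [PSCustomObject]@{
                Path      = $_.FullName
                Extension = $_.Extension
                Created   = $_.CreationTime
                Modified  = $_.LastWriteTime
                Keywords  = ($hits | ForEach-Object { $_.Pattern } | Sort-Object -Unique) -join ','
            }
        } | Sort-Object Created -Descending
}

Find-WebShellCandidates | Format-Table -AutoSize -Wrap
```

A file whose Extension does not match the rest of the site (a single .jsp among .aspx pages, say), whose Created time falls on the compromise date and whose Keywords column is non-empty is the upload; the extension of that file is the answer the room wants.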
- What was the last port the attacker opened?
In Windows Firewall with Advanced Security, it’s possible to see the opened ports in the Monitoring section. The port at the top is the last one opened, and it caught my eye as soon as I saw it because it’s a “famous” port in the hacking community: port 1337.
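The firewall review above, as an added PowerShell example that is not from the original write-up. It joins every enabled inbound Allow rule to its port filter so the opened ports can be read in one table; the short list of “tool” ports used for flagging is an assumption. Firewall rules carry no creation timestamp, so ordering alone cannot prove which was added last; if rule-level policy-change auditing is on, Security event 4946 (a firewall rule was added) records the time.

```powershell
# Added example (not from the original write-up): enabled inbound Allow rules with
# their local ports, flagged when the port is a common attacker listener.
function Get-OpenInboundPorts {
    param([string[]]$WatchPorts = @('1337', '1348', '4444', '31337'))   # assumed triage list

    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue |
        ForEach-Object {
            $rule = $_
            $pf   = $rule | Get-NetFirewallPortFilter
            # LocalPort is 'Any', a single port, a range ("5000-5010") or an array of those
            $ports = @($pf.LocalPort)
            [PSCustomObject]@{
                Name       = $rule.DisplayName
                Profile    = $rule.Profile
                Protocol   = $pf.Protocol
                LocalPort  = $ports -join ','
                Suspicious = [bool](@($ports | Where-Object { $WatchPorts -contains $_ }).Count)
            }
        } |
        Where-Object { $_.LocalPort -ne 'Any' }
}

Get-OpenInboundPorts | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Filtering out rules whose LocalPort is Any keeps the table to explicit port openings, which is what a manually added listener rule looks like; the Name column is worth reading too, since attacker-added rules tend to have generic names that do not match any installed product.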
Conclusion
This was a nice room to practice my Windows forensics skills; I’m looking forward to doing the next 2 rooms in the series.