Investigating Windows

The document outlines a step-by-step guide for investigating a Windows machine, detailing tasks such as connecting via RDP, checking user logins, and identifying malicious activities. Key findings include the identification of a malicious task named 'Clean File System' and the use of 'mimikatz' for password retrieval. The investigation also reveals important timestamps and IP addresses related to the compromise.

Investigating Windows:

Step 1: RDP Connect to the Machine

Remote Desktop Protocol is a protocol used to establish remote graphical sessions over the network.

Step 2: What's the Version and Year of the Windows machine?

Settings → About

Step 3: Who was the last person logged into this machine?

Administrator
Windows Administrative Tools → Event Viewer → Windows Logs → Security
Event ID 4624 is the code for a successful logon

Step 4: When did the user “John” last log on?
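Clicking through 4624 events one by one gets old fast. As an added example (not part of this walkthrough), the PowerShell below pulls every 4624 from the Security log, keeps the most recent one per account, and then lists local accounts that never produced a 4624 at all, which is how you get a "never" answer like the one in Step 9. It assumes an elevated session on the machine under investigation and the LocalAccounts module (Windows 10 / Server 2016 and later).

```powershell
# Added example, not from the walkthrough: last successful logon per account,
# built from Security event 4624. Run in an elevated PowerShell session.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction Stop

$logons = foreach ($e in $events) {
    # The useful fields live in EventData, so parse the event's XML.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        User      = $d['TargetUserName']
        Domain    = $d['TargetDomainName']
        LogonType = [int]$d['LogonType']   # 2 interactive, 3 network, 10 RDP
        SourceIp  = $d['IpAddress']
        LogonId   = $d['TargetLogonId']
    }
}

# Drop machine accounts and the SYSTEM/session-manager noise, then keep one
# row per user: its most recent logon.
$noise   = 'SYSTEM', 'ANONYMOUS LOGON', 'DWM-1', 'DWM-2', 'UMFD-0', 'UMFD-1'
$perUser = $logons |
    Where-Object { $_.User -notmatch '\$$' -and $_.User -notin $noise } |
    Group-Object User |
    ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 } |
    Sort-Object Time -Descending

# Top row answers "who logged in last"; find a name to answer "when did X last log on".
$perUser | Format-Table Time, User, Domain, LogonType, SourceIp -AutoSize

# Local accounts with no 4624 at all: these are the "never logged on" cases.
$seen = @($perUser.User)
Get-LocalUser |
    Where-Object { $_.Name -notin $seen } |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet
```

The Security log on a busy box holds far more than 4624s, so the `-FilterHashtable` filter matters: it lets the event log service do the filtering instead of pulling every record into PowerShell first.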

Step 5: What IP does the system connect to when it first starts?

Suspicious entries pointing localhost names at other IPs


First time using something called the Registry Editor:

Bear with me, long path: open Registry Editor, then go
HKEY_LOCAL_MACHINE → Software → Microsoft → Windows → CurrentVersion → Run
(I didn't know this existed at all, shoutout Google). Basically this lists the programs
your machine is configured to run automatically at logon.
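Both halves of this step (the odd IP entries and the Run key) can be pulled in one go from the command line. As an added example (not part of this walkthrough), the PowerShell below dumps the usual Run/RunOnce keys and then parses the hosts file (System32\drivers\etc\hosts, the standard place a name can be pinned to an address) and flags any name that is mapped to something other than loopback. The same check is what Steps 13 and 16 come back to. It assumes nothing beyond a local PowerShell session.

```powershell
# Added example, not from the walkthrough: autorun entries plus a hosts-file
# sanity check.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
# Get-ItemProperty adds PS* bookkeeping properties; skip those, keep real values.
$meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    $p = Get-ItemProperty -Path $k
    foreach ($v in ($p.PSObject.Properties | Where-Object { $_.Name -notin $meta })) {
        [pscustomobject]@{ Key = $k; Name = $v.Name; Command = $v.Value }
    }
}

# hosts file: a name mapped to anything but 127.0.0.1 / ::1 deserves a second look.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
Get-Content $hostsPath |
    Where-Object { $_ -match '^\s*[^#\s]' } |          # skip blanks and comments
    ForEach-Object {
        $line  = ($_ -split '#')[0]                      # strip trailing comment
        $parts = @($line -split '\s+' | Where-Object { $_ })
        if ($parts.Count -lt 2) { return }               # address with no names
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            [pscustomobject]@{
                Hostname   = $name
                Address    = $ip
                Suspicious = ($ip -notin '127.0.0.1', '::1')
            }
        }
    } | Format-Table -AutoSize
```

The hosts file wins over DNS, so a single line in it is enough to send every lookup of a well-known name (say, an update or telemetry domain) to whatever address the attacker chose.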

Step 6: What two accounts had admin privileges other than Administrator?

When the GUI fails, command line it is
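Since we are on the command line anyway, here is an added example (not part of this walkthrough) that lists the members of the local Administrators group and joins each local account with its enabled state, last logon and password age, so an unexpected or never-used admin stands out. It assumes the LocalAccounts module; the commented `net localgroup` line is the fallback on older hosts.

```powershell
# Added example, not from the walkthrough: who is a local admin, with context.
$members = Get-LocalGroupMember -Group 'Administrators'
# Hashtable of local accounts keyed by name, for a cheap join below.
$local   = Get-LocalUser | Group-Object Name -AsHashTable -AsString

$members | ForEach-Object {
    $short = ($_.Name -split '\\')[-1]      # "HOST\user" -> "user"
    $acct  = $local[$short]                 # $null for domain principals / groups
    $enabled = if ($acct) { $acct.Enabled }         else { 'n/a' }
    $last    = if ($acct) { $acct.LastLogon }       else { 'n/a' }
    $pwdSet  = if ($acct) { $acct.PasswordLastSet } else { 'n/a' }
    [pscustomobject]@{
        Member          = $_.Name
        ObjectClass     = $_.ObjectClass        # User or Group
        PrincipalSource = $_.PrincipalSource    # Local, ActiveDirectory, ...
        Enabled         = $enabled
        LastLogon       = $last
        PasswordLastSet = $pwdSet
    }
} | Format-Table -AutoSize

# Fallback without the LocalAccounts module:
# net localgroup Administrators
```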

Step 7: What's the name of the task that's malicious?

Clean File System is the malicious task

Step 8: Which file was the task trying to run daily, and what port does it listen on?

nc.ps1, listening on port 1348
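Task Scheduler's GUI hides the action and trigger behind several tabs per task. As an added example (not part of this walkthrough), the PowerShell below flattens every task into one row per action with a trigger summary, flags actions that run from a temp directory or invoke a script engine, and then prints the script a flagged action points at, which is where a listener's port shows up. It assumes an elevated session (non-admins only see their own tasks).

```powershell
# Added example, not from the walkthrough: scheduled-task triage.
$rows = foreach ($t in Get-ScheduledTask) {
    $info = $t | Get-ScheduledTaskInfo
    # MSFT_TaskDailyTrigger -> "Daily", MSFT_TaskLogonTrigger -> "Logon", ...
    $trig = ($t.Triggers | ForEach-Object {
        $_.CimClass.CimClassName -replace '^MSFT_Task', '' -replace 'Trigger$', ''
    }) -join ','
    foreach ($a in $t.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)".Trim()
        [pscustomobject]@{
            Path     = "$($t.TaskPath)$($t.TaskName)"
            State    = $t.State
            Triggers = $trig
            RunAs    = $t.Principal.UserId
            Command  = $cmd
            LastRun  = $info.LastRunTime
            NextRun  = $info.NextRunTime
            # Temp paths and script hosts are the usual shape of a dropped task.
            Flag     = ($cmd -match '\\(temp|tmp)\\|powershell|cmd\.exe|wscript|cscript|mshta|rundll32')
        }
    }
}

$rows | Where-Object Flag | Sort-Object LastRun -Descending |
    Format-List Path, State, Triggers, RunAs, Command, LastRun, NextRun

# For flagged actions that run a .ps1, show the script itself: a listener
# normally spells out its port on the command line or inside the file.
foreach ($r in ($rows | Where-Object Flag)) {
    if ($r.Command -match '([A-Za-z]:\\[^\s"]+\.ps1)' -and (Test-Path $Matches[1])) {
        "`n== $($Matches[1]) =="
        Get-Content $Matches[1]
    }
}
```

A task whose name sounds like housekeeping ("Clean File System") but whose action is a PowerShell script in a temp folder is exactly the pattern the `Flag` column is there to surface.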

Step 9: When did Jenny last log on?

Never

Step 10: When did the compromise occur?

We know the script is in the TMP directory

Created on 03/02/2019

Step 11: During the compromise, at what time did Windows first assign special
privileges to a new logon? Back to the great Event Viewer.
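Steps 10 and 11 are really one timeline question: when did the tooling land, and what did the attacker's session look like right around then. As an added example (not part of this walkthrough), the PowerShell below lists the staging directory by creation time, uses that as a window, and then finds the first "special privileges assigned to new logon" events (Security event 4672) in that window and ties each back to the 4624 logon carrying the same Logon ID, so you get account, logon type and source address together. `C:\TMP` is an assumption; point it at whatever directory the task referenced.

```powershell
# Added example, not from the walkthrough: compromise timeline from file
# timestamps plus 4672/4624 correlation. Assumes an elevated session.
$staging = 'C:\TMP'   # assumption: the directory the malicious task runs from
$files = @(Get-ChildItem -Path $staging -Recurse -File -ErrorAction SilentlyContinue |
    Sort-Object CreationTime)
if (-not $files) { throw "nothing found under $staging" }

# Oldest creation time is usually the best "when did this start" anchor.
$files | Select-Object FullName, CreationTime, LastWriteTime, Length | Format-Table -AutoSize

$start = $files[0].CreationTime.AddHours(-1)
$end   = ($files | Sort-Object LastWriteTime)[-1].LastWriteTime.AddHours(1)

function Get-EventFields($e) {
    # EventData name/value pairs as a hashtable.
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

$priv   = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated
$logons = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $start; EndTime = $end } -ErrorAction SilentlyContinue)

# 4672's SubjectLogonId equals the TargetLogonId of the 4624 for the same session.
foreach ($p in ($priv | Select-Object -First 5)) {
    $pf    = Get-EventFields $p
    $match = $logons | Where-Object { (Get-EventFields $_)['TargetLogonId'] -eq $pf['SubjectLogonId'] } |
        Select-Object -First 1
    $lf = if ($match) { Get-EventFields $match } else { @{} }
    [pscustomobject]@{
        Time       = $p.TimeCreated
        Account    = $pf['SubjectUserName']
        LogonId    = $pf['SubjectLogonId']
        LogonType  = $lf['LogonType']
        SourceIp   = $lf['IpAddress']
        Privileges = (($pf['PrivilegeList'] -split '\s+') -join ' ')
    }
}
```

The first row of that output is the Step 11 answer; the one-hour padding on either side of the file timestamps is just a starting guess, widen it if nothing lines up.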

Step 12: Which tool was used to get user passwords?

Let's check that TMP directory again; mimikatz is the answer

Step 13: What was the attacker's external C2 server's IP?

Remember this? Let's check those IPs for each DNS entry

Hmmmm, that doesn't match

Step 14: What was the extension name of the shell uploaded via the server's
website?

What is .jsp?
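The quick way to find an uploaded web shell is to list script-type files under the web root by creation time. As an added example (not part of this walkthrough), the PowerShell below does that and groups the hits by extension; the web root path is a placeholder, point it at whatever the room's web server actually serves.

```powershell
# Added example, not from the walkthrough: recently created server-side
# scripts under a web root, grouped by extension.
$webRoot = 'C:\inetpub\wwwroot'   # placeholder: substitute the real web root
$ext = '.jsp', '.jspx', '.asp', '.aspx', '.php', '.ashx', '.war'

$hits = @(Get-ChildItem -Path $webRoot -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.Extension -in $ext })

# Newest first: an upload will sit at the top with a creation time that
# does not match the rest of the site's deployment date.
$hits | Sort-Object CreationTime -Descending |
    Select-Object FullName, Extension, CreationTime, LastWriteTime, Length |
    Format-Table -AutoSize

# A single odd extension (one .jsp on an ASP.NET site, say) is the giveaway.
$hits | Group-Object Extension | Select-Object Name, Count | Sort-Object Count
```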

Step 15: What was the last port the attacker opened?

Windows Firewall → Inbound Rules → Filter by Group → Rules without a group →
Allow outside connections for development → Protocols and Ports → 1337
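The same "rules without a group" filter is easy to reproduce from PowerShell, and it pulls the port and remote-address filters into one table instead of one dialog per rule. This is an added example (not part of this walkthrough) and assumes an elevated session with the NetSecurity module, which ships with Windows 8 / Server 2012 and later.

```powershell
# Added example, not from the walkthrough: inbound allow rules with no group,
# with their port and address scopes.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { -not $_.Group } |                     # built-in rules carry a group
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name        = $_.DisplayName
            Profile     = $_.Profile
            Protocol    = $port.Protocol
            LocalPort   = (@($port.LocalPort) -join ',')
            RemoteAddr  = (@($addr.RemoteAddress) -join ',')   # "Any" is the worst case
            Description = $_.Description
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

A hand-made rule with a friendly name, a single odd port and a remote scope of "Any" is what this table is meant to surface.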

Step 16: Check for DNS poisoning

Well, we did this earlier: it's google.com

Congrats, you have passed this room and learned a lot along the way.
