Investigating Windows

Task: investigate a Windows machine that has previously been compromised.

On a Windows system, basic information such as the Windows version, OS build and installed hardware can be found under Windows Settings > System > About, or by typing “systeminfo” at the Command Prompt.

Basic Information of Windows OS
Challenge Question: What's the version and year of the Windows machine?
Answer: Windows Server 2016

The Windows Event Log is a comprehensive record of the Windows system and its applications. Each log entry contains the source of the log, the date and time, user details, the Event ID, etc.

Event logs can be viewed with “Event Viewer”, which comes preinstalled with Windows.

Event logs are mainly of three types:
Application: Contains logs generated by applications.
Security: Contains logs of security events such as logon and logoff.
System: Contains logs generated by the operating system itself, for example a driver failure.

Details of the last logged-in user and the related timestamp can be found under Event Viewer > Security. Filter on Event ID 4624 to see the logon-related entries, and on Event ID 4672 for the timestamp at which special privileges were assigned to a new logon.

Event ID 4624: An account was successfully logged on
Event ID 4672: Special privileges assigned to new logon
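The same two filters can be applied from PowerShell, which is handy when the Security log is large. This is an added example and not part of the original write-up; it reads the live Security log of the host it runs on (run it in an elevated prompt) and assumes nothing beyond the standard 4624/4672 event fields.

```powershell
# Added example (not part of the original write-up): pull successful logons
# (4624) from the Security log with account, logon type and source address,
# then find the earliest 4672 event. Run in an elevated PowerShell.
function Get-EventDataField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-InteractiveLogons {
    # Logon types 2 (console), 10 (RDP) and 11 (cached) answer "who logged in";
    # 3 (network) and 5 (service) mostly add noise. Computer accounts end in '$'.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = Get-EventDataField -Event $_ -Name 'TargetUserName'
                Domain    = Get-EventDataField -Event $_ -Name 'TargetDomainName'
                LogonType = [int](Get-EventDataField -Event $_ -Name 'LogonType')
                SourceIP  = Get-EventDataField -Event $_ -Name 'IpAddress'
            }
        } |
        Where-Object { ($_.LogonType -in (2, 10, 11)) -and ($_.User -notmatch '\$$') }
}

# Get-WinEvent returns newest first, so the top row is the last logon.
Get-InteractiveLogons | Select-Object -First 10 | Format-Table -AutoSize

# -Oldest reverses the read order, so -MaxEvents 1 is the first time special
# privileges were assigned to a new logon (4672).
$first4672 = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -Oldest -MaxEvents 1
[pscustomobject]@{
    Time = $first4672.TimeCreated
    User = Get-EventDataField -Event $first4672 -Name 'SubjectUserName'
}
```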

Event Logs regarding Successful Logged In.
Challenge Question: Which user logged in last?
Answer: Administrator
Challenge Question: At what time did Windows first assign special privileges to a new logon?
Answer: 03/02/2019 4:04:49 PM

To find information about a user, such as the last logon, local or global group membership and password details, use the “net user” command followed by the username at the Command Prompt. “net user” on its own lists the accounts present on the system.

net user John
Last Logon information of user John
Challenge Question: When did John log onto the system last?
Answer: 03/02/2019 5:48:32 PM
Challenge Question: What two accounts had administrative privileges (other than the Administrator user)?
Answer: Jenny, Guest
Challenge Question: When did Jenny last log on?
Answer: Never

Windows Task Scheduler is a built-in tool that lets you create tasks and run them automatically on a schedule. Malware frequently uses this feature to persist and carry out its malicious actions on the system.

To see the active scheduled tasks on the system, launch Task Scheduler > Task Scheduler Library. Clicking a task in the list shows its details, such as the timestamp at which it was created and the action or commands it runs.

Windows Task Scheduler
Challenge Question: What's the name of the scheduled task that is malicious?
Answer: Clean file system
Challenge Question: What file was the task trying to run daily?
Answer: nc.ps1
Challenge Question: What port did this file listen on locally?
Answer: 1348
Challenge Question: At what date did the compromise take place?
Answer: 03/02/2019
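Clicking through every task in the GUI does not scale, so the following PowerShell triage dumps each task's action and flags the patterns an investigator looks at first: binaries run from a temp directory, script interpreters, and output redirected to a file (the shape of both the nc.ps1 task and the mim.exe task discussed in this write-up). This is an added example, not part of the original write-up; the suspect paths and interpreter list are my own defaults.

```powershell
# Added example (not part of the original write-up): list every scheduled
# task's actions and flag the ones worth looking at first: executables under
# a temp directory, script interpreters, or output redirected to a file.
# Run in an elevated PowerShell on the investigated host.
function Get-ScheduledTaskActions {
    param(
        [string[]]$SuspectPaths = @("$env:SystemRoot\Temp", $env:TEMP, 'C:\Users\Public'),
        [string[]]$Interpreters = @('powershell', 'pwsh', 'cmd', 'wscript', 'cscript', 'mshta', 'rundll32')
    )
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $flags = @()
            foreach ($p in $SuspectPaths) {
                if ($p -and $cmd -like "*$p*") { $flags += 'temp-path' }
            }
            $exe = [System.IO.Path]::GetFileNameWithoutExtension($action.Execute)
            if ($exe -in $Interpreters) { $flags += "interpreter:$exe" }
            if ($action.Arguments -match '>\s*\S+') { $flags += 'output-redirect' }
            [pscustomobject]@{
                TaskName = $task.TaskName
                State    = $task.State
                Author   = $task.Author
                Created  = $task.Date        # creation timestamp as recorded in the task XML
                Command  = $cmd
                Flags    = ($flags | Select-Object -Unique) -join '; '
            }
        }
    }
}

# Flagged actions first; the full list still answers "what does the task run".
Get-ScheduledTaskActions |
    Sort-Object { $_.Flags -eq '' }, TaskName |
    Format-Table TaskName, State, Created, Command, Flags -AutoSize -Wrap
```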

One of the lab questions is “What tool was used to get Windows passwords?”. To answer it, I investigated the automated tasks in Task Scheduler. I noticed a task called “GameOver”; under its Actions tab there is an executable called “mim.exe” located in the system’s TMP directory, triggered every 5 minutes, with its output saved to an o.txt file in the same directory. When I inspected that text file (o.txt), I saw that the “mimikatz” tool was used to capture Windows passwords.

Evidence related to Mimikatz
Challenge Question: What tool was used to get Windows passwords?
Answer: Mimikatz

The Windows registry is a database that holds information and settings about a system’s installed software and hardware. “Registry Editor” is used to view this registry information on your system.

HKEY_CLASSES_ROOT: Contains file type and extension association information.
HKEY_CURRENT_USER: Contains the settings of the currently logged-in user.
HKEY_LOCAL_MACHINE: Contains information about installed hardware and software and their settings.
HKEY_USERS: Contains information about all user profiles present on the system.
HKEY_CURRENT_CONFIG: Contains the current hardware profile.

This registry key controls which programs run each time a user logs on. Malware also uses it to gain persistence on the system.

Startup Command in Registry Key

Challenge Question: What IP does the system connect to when it first starts?

The Windows hosts file maps server or host names to IP addresses.
On Windows the hosts file is located at C:\Windows\System32\drivers\etc\hosts

Windows Hosts file
Challenge Question: What was the attacker's external command and control server's IP?
Challenge Question: Check for DNS poisoning, what site was targeted?
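The two questions above (the IP the system reaches at startup, and a poisoned hosts entry) come from the same two artifacts, the logon-time Run keys and the hosts file. The script below enumerates both and extracts any IPv4 addresses they reference. It is an added example, not part of the original write-up; it assumes the key in the screenshot is the standard CurrentVersion\Run key and reads the live registry and hosts file of the host it runs on.

```powershell
# Added example (not part of the original write-up): list autostart commands
# from the Run/RunOnce keys and every active hosts-file entry, and pull out
# the IPv4 addresses they reference. Run in an elevated PowerShell.
$Ipv4Pattern = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
$ProviderProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

function Get-AutostartEntries {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -in $ProviderProps) { continue }   # provider metadata, not a value
            $cmd = [string]$p.Value
            [pscustomobject]@{
                Key     = $key
                Name    = $p.Name
                Command = $cmd
                IPs     = ([regex]::Matches($cmd, $Ipv4Pattern) | ForEach-Object Value) -join ', '
            }
        }
    }
}

function Get-HostsEntries {
    $path = "$env:SystemRoot\System32\drivers\etc\hosts"
    foreach ($line in Get-Content $path) {
        $entry = ($line -replace '#.*$', '').Trim()   # drop comments and blank lines
        if (-not $entry) { continue }
        $parts = $entry -split '\s+'
        [pscustomobject]@{
            Address   = $parts[0]
            Hostnames = ($parts | Select-Object -Skip 1) -join ' '
            Loopback  = $parts[0] -in '127.0.0.1', '::1'
        }
    }
}

Get-AutostartEntries | Format-Table Name, Command, IPs -AutoSize -Wrap
Get-HostsEntries     | Format-Table -AutoSize
```

A stock hosts file has no active entries at all (the shipped localhost lines are commented out), so any row from Get-HostsEntries is worth explaining.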

Windows Firewall’s inbound rules control incoming traffic to the system. They help protect it from malware and DDoS-related attacks, and each rule records the local and remote ports and addresses it applies to.

Windows Firewall Inbound Traffic Rules

Microsoft uses IIS (Internet Information Services) as the default web server on Windows. inetpub is its default folder, located at C:\inetpub, and contains the web server’s content. wwwroot is a subfolder under inetpub (C:\inetpub\wwwroot) that holds the web page content.

Challenge Question: What was the extension name of the shell uploaded via the server's website?
Answer: .jsp

That’s all!!
