Investigating Windows
A windows machine has been hacked, its your job to go investigate this windows machine and find clues to what the hacker might have done.
This article provides you the solution for the room Investigating Windows on Try Hack Me (https://tryhackme.com/room/investigatingwindows)
Task 1: Investigating Windows
This is a challenge that is exactly what is says on the tin, there are a few challenges around investigating a windows machine that has been previously compromised.
Connect to the machine using RDP. The credentials the machine are as follows:
Username: Administrator
Password: letmein123!
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
1. What`s the version and year of the windows machine?
Windows Server 20162. Which user logged in last?
Administrator3. When did John log onto the system last?
Answer format: MM/DD/YYYY H:MM:SS AM/PM
03/02/2019 5:48:32 PM4. What IP does the system connect to when it first starts?
10.34.2.35. What two accounts had administrative privileges (other than the Administrator user)?
Answer format: username1, username2
Jenny, Guest6. Whats the name of the scheduled task that is malicous.
Clean file system7. What file was the task trying to run daily?
nc.ps18. What port did this file listen locally for?
13489. When did Jenny last logon?
Never10. At what date did the compromise take place?
Answer format: MM/DD/YYYY
03/02/201911. At what time did Windows first assign special privileges to a new logon? Answer format: MM/DD/YYYY HH:MM:SS AM/PM
03/02/2019 4:04:49 PM12. What tool was used to get Windows passwords?
Mimikatz13. What was the attackers external control and command servers IP?
76.32.97.13214. What was the extension name of the shell uploaded via the servers website?
.jsp15. What was the last port the attacker opened?
133716. Check for DNS poisoning, what site was targeted?
google.com
Thank you for reading. Feel free to contact me on any step
( https://t.me/Kuzuri_03 )