Investigating Windows
A Windows machine has been hacked; it's your job to investigate this Windows machine and find clues to what the hacker might have done.
Task 01: Investigating Windows
Explanation
Flag 2
Look in the Event Viewer log for Event ID 4624 (successful logon).
Flag 3
Open CMD -> type net user John
Look for Last Logon.
Flag 4
While booting up, we see the IP in CMD.
Flag 5
CMD: net localgroup administrators
Flag 6
Open Task Scheduler and look for names that stick out.
Flag 7
Dig more in the file system, comparing against a clean one.
Flag 8
Args
Flag 9
Flag 10
Check the file creation date of the Flag 7 file.
Flag 11
Look 10 min before and after for any special logon.
PS: use Get-EventLog with a date range and an XPath filter.
Flag 12
GameOver is another scheduled task. Upon investigation (or running it like an idiot) you'll see the banner that tells you the name of the tool.
mim.exe
Flag 13
This machine does not have Sysmon, and it took me 40 min to figure out where to look. Long story short, google.com is hardcoded to 76.32.97.132.
That's suspicious.
Flag 14
The default web directory in Windows (IIS) is c:\inetpub\wwwroot.
Found the backdoor files there (jsp is the answer).
Flag 15
Rookie 0x1337 Hax0r
Mistake of using port 1337.
PS: in Windows, ports can be opened/closed manually using the Windows built-in firewall rules.
Flag 16
The answer is from Flag 13: the hardcoded, well-known domain name.
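Added PowerShell triage script (not part of the original write-up or the room) that pulls together the checks behind Flags 2/11 (4624 logons in a time window), Flags 6/12 (non-Microsoft scheduled tasks), Flag 13 (a known domain pinned to an IP) and Flag 15 (firewall rules for the port). It assumes the hardcoded mapping lives in the hosts file and that the time window, domain and port are supplied as parameters; the defaults are placeholders to adjust to the box's timestamps.

```powershell
# Added triage script, not the room's own material. Assumptions: the domain
# override is in the hosts file; -Start/-End are placeholders for the window.
param(
    [datetime]$Start = (Get-Date).AddDays(-30),
    [datetime]$End   = (Get-Date),
    [string]$Domain  = 'google.com',
    [int]$Port       = 1337
)

# Flags 2/11: successful logons (4624) inside the window, with account,
# logon type (3 = network, 10 = RDP) and source IP so odd logons stand out.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624; StartTime=$Start; EndTime=$End } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($d.TargetDomainName)\$($d.TargetUserName)"
            LogonType = $d.LogonType
            SourceIP  = $d.IpAddress
        }
    } | Format-Table -AutoSize

# Flags 6/12: scheduled tasks outside the Microsoft tree, with what they run.
Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task   = $_.TaskName
            Author = $_.Author
            Action = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        }
    } | Format-Table -AutoSize

# Flag 13: a well-known domain hardcoded to an IP in the hosts file.
$hosts = "$env:SystemRoot\System32\drivers\etc\hosts"
Select-String -Path $hosts -Pattern "^\s*\d+\.\d+\.\d+\.\d+\s+.*\b$([regex]::Escape($Domain))\b" |
    ForEach-Object { "HOSTS override: $($_.Line.Trim())" }

# Flag 15: enabled firewall rules that reference the suspicious port.
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq $Port } |
    Get-NetFirewallRule | Where-Object { $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Direction, Action, Profile
```

Run it from an elevated PowerShell session on the box, since reading the Security log and the firewall configuration requires administrator rights.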