Refer to Investigating Windows for the challenge room on TryHackMe
Scenario
This challenge involves investigating a previously compromised Windows machine, presenting several key obstacles.
Tasks
#1 What’s the version and year of the Windows machine?
By going to "About" in Windows settings, we can find the machine's version and year.

#2 Which user logged in last?
To identify successful logon processes in the Windows Event Log, we will filter for Event ID 4624. Then, we'll check the Security event date before our logon session (2024/11/2) to find the last logged-in user.
Note: Event ID 4625 indicates a failed logon attempt.

#3 When did John log onto the system last?
To determine when the user "John" last logged onto the system, use the net utility:
C:\> net user <username>

Note: net is a Windows command-line tool for network-related tasks. It can manage network resources and user accounts, and share files or printers.
#4 What IP does the system connect to when it first starts?
I first searched for the DHCP server IP address, which was incorrect. Then I navigated to the SOFTWARE Registry Key (Microsoft\Windows\CurrentVersion\Run), which contains entries for executables that run automatically at startup, and found the correct IP address.

Note: This command executes p.exe with the -s flag, which typically indicates a silent or specific mode of operation. It runs net user against a remote machine at IP address 10.34.2.3 and writes the output to a text file named o2.txt in the same C:\TMP directory.
#5 What two accounts had administrative privileges (other than the Administrator user)?
We can list all accounts in the Administrators group using PowerShell:
PS C:\> Get-LocalGroupMember -Group "Administrators"

#6 What's the name of the scheduled task that is malicious?
Upon reviewing the scheduled tasks in Task Scheduler, I identified three that appear suspicious.

#7 What file was the task trying to run daily?
The previous screenshot shows a task scheduled to run daily. Clicking on the task reveals more details.

#8 What port did this file listen locally for?
Refer to the previous screenshot.
Note: -l indicates listen.
#9 When did Jenny last logon?
Use the same command as in task #3, where it gave us John's last logon time:
C:\> net user <username>

#10 At what date did the compromise take place?
Reviewing the creation dates of the scheduled tasks suggests the likely initial compromise date, as attackers typically set up persistence mechanisms shortly after breaching a system.

#11 During the compromise, at what time did Windows first assign special privileges to a new logon?
While investigating the security logs from the compromise period (3/2/2019, 16:00 – 17:00) and Event ID 4672, which records users logging on with special privileges, we tracked down the event related to the special logon.

Note: Event ID 4672 signifies that a logon session was created with elevated privileges. In this case, it was initiated by the SYSTEM account.
The PrivilegeList shows the specific privileges assigned, which include important rights like SeDebugPrivilege and SeImpersonatePrivilege, indicating that the logon was granted administrator control over the system.
#12 What tool was used to get Windows passwords?
While investigating scheduled tasks in Task Scheduler, I noticed a task named "GameOver" that executes mim.exe every five minutes. Analyzing the arguments reveals it is associated with a known password extraction tool.

NOTE: The command extracts and displays stored logon credentials from Windows memory, specifically the password information of logged-on users, and then writes the extracted credentials to o.txt.
#13 What was the attacker’s external command and control server's IP?
While investigating task #4, I noticed an unusual IP address mapped to google.com in the hosts file (C:\Windows\System32\drivers\etc\hosts), likely indicating an external C2 server.

#14 What was the extension name of the shell uploaded via the server’s website?
After investigating another suspicious directory (C:\inetpub\wwwroot), I found several .jsp files likely associated with file extraction, which the attacker used on the victim machine to facilitate data exfiltration to the external server.

NOTE: According to Introduction to JSP on Geeksforgeeks, JSP is used in Java for building dynamic web applications. It combines HTML and Java code, allowing developers to create interactive web pages. When a JSP page is requested, it is first converted into a Java program (a servlet) by the server before being sent to the user.
#15 What was the last port the attacker opened?
Following the hint to investigate the firewall, we found several rules allowing unusual local ports to remain open; one of them is the answer.

#16 Check for DNS poisoning, what site was targeted?
Refer to task #13 for the domain affected by DNS poisoning.
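The artifacts the walkthrough checks by hand (tasks #2, #4, #5, #6, #11, #13 and #15) can be pulled together in one pass. The script below is an added example, not part of the original writeup or the room; it assumes an elevated PowerShell session on the investigated machine, and its default time window is the compromise period identified in task #11.

```powershell
# Added triage script for this room (not part of the original writeup). Run in an
# elevated PowerShell on the investigated machine. The time window defaults to the
# compromise period the writeup identifies (3/2/2019, 16:00-17:00); adjust as needed.
param(
    [datetime]$Start = '2019-03-02 16:00',
    [datetime]$End   = '2019-03-02 17:00'
)

# Pull one named field out of a Security event's EventData XML.
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# Tasks #2/#11: successful logons (4624) and special-privilege logons (4672) in the window.
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4624,4672; StartTime=$Start; EndTime=$End } |
    ForEach-Object {
        $user = if ($_.Id -eq 4624) { Get-EventField $_ 'TargetUserName' } else { Get-EventField $_ 'SubjectUserName' }
        [pscustomobject]@{ Time=$_.TimeCreated; Id=$_.Id; User=$user; LogonType=(Get-EventField $_ 'LogonType') }
    } | Sort-Object Time | Format-Table -AutoSize

# Task #4: programs launched at startup via the Run key.
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

# Task #5: members of the local Administrators group.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource | Format-Table -AutoSize

# Tasks #6/#7/#10/#12: scheduled tasks with their registration date and the command they run.
Get-ScheduledTask | Where-Object { $_.Actions.Execute } | ForEach-Object {
    [pscustomobject]@{ Task=$_.TaskName; Registered=$_.Date; State=$_.State
                       Command=(($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ') }
} | Sort-Object Registered | Format-Table -AutoSize -Wrap

# Tasks #13/#16: non-comment entries in the hosts file (DNS poisoning check).
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[0-9a-fA-F:.]+\s+\S' }

# Task #15: enabled inbound allow rules and the local ports they open.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule=$_.DisplayName; Protocol=$port.Protocol; LocalPort=($port.LocalPort -join ',') }
} | Where-Object { $_.LocalPort -ne 'Any' } | Format-Table -AutoSize
```

Sorting the scheduled tasks by registration date puts the persistence created during the compromise window next to each other, which is the same reasoning task #10 applies by hand.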