Investigating Windows – TryHackMe Defensive Security Challenge

This is a walkthrough for the Investigating Windows digital forensics TryHackMe challenge room. The writeup is meant to offer short and concise solutions, and also offers an extended explanation right after each answer for those interested in finding out more about the solution to a specific task.

Introduction

The description of the room is the following:

A Windows machine has been hacked, it's your job to go investigate this Windows machine and find clues to what the hacker might have done.

The room has us running commands and investigating logs after a Windows machine was compromised. To do this we will use the Windows command line, PowerShell, the Registry, and the Windows Event Viewer to examine the Security log. Sysmon was not installed on this machine, so the only process and logon evidence comes from the built-in Security auditing.

Task 1: Whats the version and year of the windows machine?

We need to run the following command:

systeminfo

The answer is

Windows Server 2016

Task 2: Which user logged in last?

There are two ways of doing this: checking the Security log, or using PowerShell. Let's do both.

PowerShell

By using the command

Get-LocalUser | Select Name, LastLogon

We will be shown a list of all local users and their last logon. We pick the most recent one. Note that LastLogon is the value the SAM stores for local accounts; it is not updated by every logon type (for example network logons by a domain account would not appear here), which is why the Security log is the more reliable source.

Name LastLogon
---- ---------
Administrator 2/22/2026 9:41:12 PM
DefaultAccount
Guest
Jenny
John 3/2/2019 5:48:32 PM

Security log

This is more complex as it requires us to examine the Security log in the Windows Event Viewer. This machine, however, contains tens of thousands of Security events. We can filter them by Event ID 4624, which corresponds to "An account was successfully logged on". In the previous task, systeminfo told us the host name is EC2AMAZ-I8UHO76; because these are local accounts, that host name is what appears in the Account Domain field of each 4624 event, so we look at the "New Logon" section (Account Name / Account Domain) of the newest events rather than the "Subject" section, and ignore the machine account (EC2AMAZ-I8UHO76$) and the Logon Type 5 service logons, which are noise generated by the OS itself. We need to find the latest one.

Regardless of method, the answer is:

Administrator

Task 3: When did John log onto the system last?

See the previous task: the Get-LocalUser output already shows John's last logon. The answer format is MM/DD/YYYY H:MM:SS AM/PM (the Windows machine already provides dates in this format).

We can also use the command line with the following command, which prints the same value in the "Last logon" field:

net user John

Answer:

03/02/2019 5:48:32 PM

Task 4: What IP does the system connect to when it first starts?

For this, we have to take a look at the Registry. Specifically, the following key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Everything listed under this key is started automatically when a user logs on, which makes it one of the most common persistence locations. It contains a value named UpdateSvc that runs the following command:

C:\TMP\p.exe -s \\10.34.2.3 'net user' > C:\TMP\o2.txt

This is not normal Windows behaviour at all. The name UpdateSvc is meant to look like a legitimate service, but the binary lives in C:\TMP\ rather than under C:\Windows or C:\Program Files, it is given a remote host (\\10.34.2.3) together with a -s switch (the calling convention of remote-execution tools such as PsExec, where -s means "run as SYSTEM"), it runs net user, and the output is redirected to C:\TMP\o2.txt. The answer to our task is the host it connects to:

10.34.2.3

Task 5: What two accounts had administrative privileges (other than the Administrator user)?

We can find out about this using PowerShell again, by running the following command:

Get-LocalGroupMember -Group "Administrators"

We get the following output:

ObjectClass Name                          PrincipalSource
----------- ----                          ---------------
User        EC2AMAZ-I8UHO76\Administrator Local
User        EC2AMAZ-I8UHO76\Guest         Local
User        EC2AMAZ-I8UHO76\Jenny         Local

Both of these are red flags: Guest is disabled by default and never belongs in Administrators, and Jenny (as we will see in Task 8) has never logged on at all. The answer is in the following format: "[...], [...]", in alphabetical order:

Guest, Jenny

Task 6: Whats the name of the scheduled task that is malicious.

I tried to find it in the Event Viewer by using Event ID 4698 (A scheduled task was created), but it returned no result. That does not necessarily mean the log was cleared: 4698 is only written when the "Audit Other Object Access Events" subcategory is enabled, and it is off by default, so the absence of the event is not evidence either way. Instead, we need to use Task Scheduler and inspect the task library directly.

We will eventually find a task named "Clean file system", which definitely sounds like a custom task. It is run by Administrator at 4:55 PM every day, and its action is: C:\TMP\nc.ps1 -l 1348. Judging by the name and the argument (-l is the "listen" flag of netcat), it looks like a PowerShell reimplementation of netcat that opens a listener on port 1348, giving the attacker a backdoor that is re-established daily even if the process is killed.

Answer:

Clean file system

Task 7: What file was the task trying to run daily?

See the previous task. Answer:

nc.ps1
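Tasks 4, 6 and 7 all come down to the same triage step: enumerate the autostart locations and flag anything that executes from an unusual directory. The following PowerShell script is an added example, not the room's or the original author's code; it lists the Run/RunOnce keys and every non-Microsoft scheduled task, and marks any command whose file paths fall outside the Windows or Program Files directories (that definition of "trusted" is an assumption for this host, and C:\TMP\ entries like the ones above would be flagged by it). Run it from an elevated PowerShell prompt on the investigated machine.

```powershell
# Added example: autostart triage for Run keys and scheduled tasks.
# "Trusted" roots are an assumption: anything executing from elsewhere is flagged.
$trustedRoots = @($env:SystemRoot, $env:ProgramFiles, ${env:ProgramFiles(x86)}) |
    Where-Object { $_ }

# Return every drive-letter path found in a command line that is NOT under a trusted root.
function Get-UntrustedPaths {
    param([string]$CommandLine)
    if ([string]::IsNullOrWhiteSpace($CommandLine)) { return @() }
    $paths = [regex]::Matches($CommandLine, '[A-Za-z]:\\[^\s"'']+') | ForEach-Object { $_.Value }
    $paths | Where-Object {
        $p = $_
        -not ($trustedRoots | Where-Object { $p.StartsWith($_, [System.StringComparison]::OrdinalIgnoreCase) })
    }
}

# 1. Run / RunOnce values for the machine (64- and 32-bit views) and the current user.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
$findings = foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath, ...
        $bad = @(Get-UntrustedPaths -CommandLine "$($prop.Value)")
        [pscustomobject]@{
            Source    = "Registry: $key"
            Name      = $prop.Name
            RunAs     = if ($key -like 'HKLM:*') { 'any user at logon' } else { $env:USERNAME }
            Command   = $prop.Value
            Untrusted = ($bad -join ', ')
        }
    }
}

# 2. Scheduled tasks outside the \Microsoft\ library, one row per action.
$findings += Get-ScheduledTask | Where-Object { $_.TaskPath -notlike '\Microsoft\*' } | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        $cmd = ("$($action.Execute) $($action.Arguments)").Trim()
        $bad = @(Get-UntrustedPaths -CommandLine $cmd)
        [pscustomobject]@{
            Source    = "Task: $($task.TaskPath)"
            Name      = $task.TaskName
            RunAs     = $task.Principal.UserId
            Command   = $cmd
            Untrusted = ($bad -join ', ')
        }
    }
}

# Suspicious entries first, then everything else for context.
$findings | Sort-Object { -not $_.Untrusted }, Source | Format-Table -AutoSize -Wrap
```

The script deliberately looks at every path token in the command line rather than only the executable: the UpdateSvc entry above would still be flagged through its C:\TMP\o2.txt redirect even if p.exe had been copied into a trusted directory.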

Task 8: When did Jenny last logon?

See the Get-LocalUser output in Task 2. As nothing appears in the LastLogon field, it means never. Alternatively, the command "net user Jenny" explicitly says Never in its "Last logon" field.

Answer:

Never

Task 9: At what date did the compromise take place?

This is a tricky one as there is no single artifact that states the answer, so we need to infer it from context.

If we take a look at Event ID 4732 (A member was added to a security-enabled local group) we will see that the user John was added to Users. This happens automatically when a local user is created. Looking at the timestamps of the artifacts from the previous tasks (process creation, the C:\TMP\ folder, the scheduled task and the Run registry value), we find that all of them fall on the same day, 03/02/2019.

We also know that the user Jenny is an administrator, yet this user has never logged in, which is odd for an administrator account. When we ran "net user Jenny" in Task 8, we found that Jenny's "Password last set" attribute was also 03/02/2019. If Jenny's password was last set on that day and Jenny has never logged in, the most likely explanation is that the account was created on that day: the password is set at creation and has not been touched since.

Creating a backdoor account and adding it to the Administrators group are common persistence techniques (MITRE ATT&CK T1136 – Create Account and T1098 – Account Manipulation).

Answer format: MM/DD/YYYY

03/02/2019

Task 10: During the compromise, at what time did Windows first assign special privileges to a new logon?

Using the Event Viewer, we can filter by Event ID. I first tried using IDs 4720 (A user account was created) and 4732, but had no luck. Then I filtered on Event ID 4672 (Special privileges assigned to new logon). This event is written every time a logon receives sensitive privileges such as SeDebugPrivilege, SeTcbPrivilege or SeBackupPrivilege, including the SYSTEM logons the OS performs constantly, so it is very noisy; narrowing the filter to the compromise date from Task 9 (03/02/2019) is essential.

We will have to check the details of these events, or use the hint TryHackMe provides (it occurs at ?:??:49). The answer is:

03/02/2019 4:04:49 PM
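Both Task 2 (newest 4624 per account) and Task 10 (first 4672 on the compromise date) can be answered with Get-WinEvent instead of scrolling through the Event Viewer. The script below is an added example and not part of the room or the original writeup; it assumes you run it elevated on the investigated host, that the compromise window is 03/02/2019 as established in Task 9, and that dropping the machine account and ANONYMOUS LOGON is acceptable noise reduction.

```powershell
# Added example: answer the logon questions from the Security log with Get-WinEvent.
# Must run elevated: the Security log is not readable by standard users.

# Turn an event's <EventData> into a name -> value hashtable so fields can be
# addressed by the same names Event Viewer shows (TargetUserName, LogonType, ...).
function ConvertTo-EventDataMap {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $map = @{}
    $xml = [xml]$Event.ToXml()
    foreach ($node in $xml.Event.EventData.Data) { $map[$node.Name] = $node.'#text' }
    return $map
}

# Task 2 / Task 3 / Task 8: most recent real logon per account from Event ID 4624.
# Logon types kept: 2 interactive, 3 network, 7 unlock, 10 RemoteInteractive (RDP).
# Types 4 (batch) and 5 (service) are dropped as OS noise.
function Get-LastLogons {
    param([int[]]$LogonTypes = @(2, 3, 7, 10))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap -Event $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $d['TargetUserName']
                Domain    = $d['TargetDomainName']   # host name for local accounts
                LogonType = [int]$d['LogonType']
                SourceIp  = $d['IpAddress']
            }
        } |
        Where-Object {
            $_.LogonType -in $LogonTypes -and
            $_.Account -notmatch '\$$' -and            # machine account EC2AMAZ-I8UHO76$
            $_.Account -ne 'ANONYMOUS LOGON'
        } |
        Group-Object Account |
        ForEach-Object { $_.Group | Sort-Object Time -Descending | Select-Object -First 1 } |
        Sort-Object Time -Descending
}

# Task 10: earliest Event ID 4672 inside the compromise window. SYSTEM generates
# these continuously, so -ExcludeSystem shows the first one tied to a real account;
# leave it off to see the very first event of the day regardless of subject.
function Get-FirstSpecialPrivilegeLogon {
    param(
        [datetime]$Start = '2019-03-02',
        [datetime]$End   = '2019-03-03',
        [switch]$ExcludeSystem
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672; StartTime = $Start; EndTime = $End } `
                 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertTo-EventDataMap -Event $_
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Account    = $d['SubjectUserName']
                Domain     = $d['SubjectDomainName']
                Privileges = ($d['PrivilegeList'] -replace '\s+', ' ')
            }
        } |
        Where-Object { -not $ExcludeSystem -or $_.Account -ne 'SYSTEM' } |
        Sort-Object Time |
        Select-Object -First 1
}

Get-LastLogons | Format-Table -AutoSize
Get-FirstSpecialPrivilegeLogon | Format-List
Get-FirstSpecialPrivilegeLogon -ExcludeSystem | Format-List
```

Get-WinEvent's FilterHashtable is evaluated by the event log service itself, so even with tens of thousands of Security events the query completes in seconds; parsing the XML only for the events that survive the filter is what keeps it fast.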

Task 11: What tool was used to get Windows passwords?

In the previous tasks, one folder kept coming up: C:\TMP\. This seems to be the staging directory for the attacker's tooling. The folder contains several files with .tmp, .exe, .ps1 and .txt extensions. Looking at the text files, we find "mim-out.txt". Reading it, we see the characteristic output of Mimikatz (module and credential blocks listing usernames, domains and NTLM hashes or plaintext passwords). Mimikatz is a credential-dumping tool that extracts passwords, hashes and Kerberos tickets from LSASS memory; the naming pattern here (mim-out, o2.txt) also suggests the attacker habitually redirects tool output to files in the same folder.

Answer:

Mimikatz

Task 12: What was the attackers external control and command servers IP?

If there is a command and control (C2) server, one place to look is the file that overrides DNS resolution on the machine: the hosts file, which Windows consults before querying DNS. On this machine it is found at C:\Windows\System32\drivers\etc\hosts. The contents of the file are:

10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
76.32.97.132 google.com
76.32.97.132 www.google.com
Several things are wrong here. The security-related names (www.virustotal.com, dci.sophosupd.com) are pinned to 127.0.0.1, which silently blocks the machine from reaching VirusTotal and Sophos updates; update.microsoft.com is pointed at the private address 10.2.2.2, so Windows Update traffic goes to an internal host the attacker controls; and the block has been appended three times. Finally, google.com and www.google.com resolve to 76.32.97.132, which is not Google's address range. The room describes this as DNS poisoning; strictly it is a hosts-file hijack (the name resolution is altered locally rather than in a DNS cache), but the effect is the same: every time the machine tries to reach google.com, it is redirected to a host of the attacker's choosing. Since the question asks for the external C2 address, 10.2.2.2 (a private address) is excluded and the answer is:

76.32.97.132
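Reviewing a hosts file by eye works for a dozen lines, but a tampered file can be long and full of repeats, as this one is. The following PowerShell snippet is an added example (not the room's or the original author's code) that parses a hosts file and classifies every override as a loopback sinkhole, a redirect to an internal host, or a redirect to an external host, which is the reasoning used in Tasks 12 and 15. The embedded sample is a constructed copy of the entries shown above; on a live system point it at $env:SystemRoot\System32\drivers\etc\hosts instead.

```powershell
# Added example: classify hosts-file overrides. The sample below is constructed
# from the entries in the writeup; replace it with Get-Content on the real file.
$sampleHosts = @'
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
127.0.0.1 www.www.com
127.0.0.1 dci.sophosupd.com
10.2.2.2 update.microsoft.com
127.0.0.1 www.virustotal.com
76.32.97.132 google.com
76.32.97.132 www.google.com
'@

# RFC 1918 check; anything else that parses is treated as a public address.
function Test-PrivateIp {
    param([string]$Ip)
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($Ip, [ref]$addr)) { return $false }
    $b = $addr.GetAddressBytes()
    if ($b.Length -ne 4) { return $false }
    return ($b[0] -eq 10) -or
           ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
           ($b[0] -eq 192 -and $b[1] -eq 168)
}

# One object per (name, ip) pair, with a verdict explaining why it matters.
function Get-HostsOverrides {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        $clean = ($line -split '#')[0].Trim()          # drop comments and blank lines
        if (-not $clean) { continue }
        $parts = $clean -split '\s+'
        if ($parts.Count -lt 2) { continue }
        $ip = $parts[0]
        foreach ($name in $parts[1..($parts.Count - 1)]) {
            $verdict = if ($ip -in '127.0.0.1', '::1', '0.0.0.0') {
                if ($name -eq 'localhost') { 'normal' }
                else { 'sinkholed: host cannot reach this name (AV/update blocking)' }
            }
            elseif (Test-PrivateIp $ip) { 'redirected to internal host' }
            else { 'redirected to external host (C2 candidate)' }
            [pscustomobject]@{ Name = $name; Ip = $ip; Verdict = $verdict }
        }
    }
}

# -Unique on Name+Ip collapses the repeated blocks the attacker appended.
Get-HostsOverrides -Lines ($sampleHosts -split "`r?`n") |
    Sort-Object Name, Ip -Unique |
    Format-Table -AutoSize
```

The "external" verdict is what answers Task 12 (76.32.97.132), and the names carrying that verdict answer Task 15 (google.com). The sinkholed entries are worth reporting too: pointing AV and update domains at loopback is a defence-evasion step that would otherwise go unnoticed in a DNS-centric investigation.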

Task 13: What was the extension name of the shell uploaded via the servers website?

If we take a look at the directories on the machine, we will find C:\inetpub, which is used by IIS, Microsoft's web server. Inside we can find the wwwroot folder, which contains the files the server publishes, and among them a file named "shell.jsp". JSP is a Java technology that IIS does not execute by default, so this web shell would only have worked if a Java servlet container had been wired up; either way, an unexpected script in the web root is an indicator that the attacker had write access to the site, which is the question being asked.

Answer:

.jsp

Task 14: What was the last port the attacker opened?

Check the firewall rules, either in Windows Defender Firewall with Advanced Security (Inbound Rules) or with Get-NetFirewallRule. The most recently added rule is called "Allow outside connection for development", an inbound allow rule on local port 1337. Note that this differs from the netcat listener port (1348) found in Task 6, so the attacker opened more than one port; the question asks for the last one. Answer:

1337

Task 15: Check for DNS poisoning, what site was targeted?

See Task 12, the hosts file at C:\Windows\System32\drivers\etc\hosts: google.com and www.google.com are the only public names redirected to an attacker-controlled address. Answer:

google.com

Congratulations! The room is finished.

Conclusion

This was actually an entertaining room! Unlike other Blue Team rooms I've completed in the past, this one clearly had more of a focus on post-incident activities rather than prevention or detection in real time. I had to learn new Event IDs, learn to keep the hosts file in mind, especially when C2 and DNS poisoning are suspected, and how to manually investigate a machine instead of relying on automated tooling.