A Windows machine has been hacked. It’s your job to investigate this Windows machine and find clues to what the hacker might have done.
Original Publish Date: Mar 1, 2023
What’s the version and year of the Windows machine?
Settings > system > about
Windows Server 2016
Which user logged in last?
Let’s fire up Event Viewer and open the Security log.
From the Microsoft docs, we can deduce that we should look for event ID 4624 (an account was successfully logged on).
After sorting by date and looking through the Details tab, we found our answer.
When did John log onto the system last?
Filtering the above logs for user John on domain EC2AMAZ-I8UHO76 will not return anything, so instead of filtering for user, I simply search.
What IP does the system connect to when it first starts?
One of the ways of persisting on a system is adding services and startup apps. Let’s check the startup entries in regedit.
What two accounts had administrative privileges (other than the Administrator user)?
net localgroup Administrators
What’s the name of the scheduled task that is malicious?
After opening Task Scheduler, we can see a couple of malicious-looking tasks:
- falshupdate22 spawns a PowerShell and outputs to a TXT file
- Game Over runs an EXE
- Clean file system executes a PowerShell script
Checking every single one, the script the third one executes looks very conspicuous to me.
I’m pasting it into an editor to enable syntax highlighting.
The script’s help page says:
powercat - Netcat, The Powershell Version
Github Repository: https://github.com/besimorhino/powercat
In the real world, it’s plausible that this would be a connection to a C&C server.
What file was the task trying to run daily?
- check logged in →
- Clean file system →
We can deduce it’s the latter.
What port did this file listen on locally?
From the Actions page above: 1348
When did Jenny last log on?
At what date did the compromise take place?
It’s safe to assume that the previous malicious task would have been created after the initial compromise.
At what time did Windows first assign special privileges to a new logon?
Returning to Event Viewer, I filter the logs again, but this time with event ID 4672 (special privileges assigned to new logon).
There are more than 300 results. To reduce the amount, it makes sense to restrict the range to 2/3/2019 through 6/3/2019.
The hint says the answer follows the format 00/00/0000 0:00:49 PM.
What tool was used to get Windows passwords?
The Game Over task uses mim.exe to exfiltrate data. I just guessed it would be mimikatz.
But if you don’t want to guess, you can navigate to C:\TMP, get the file’s hash and search for it on VirusTotal.
What was the attacker’s external command and control server’s IP?
From HackTricks (Interfaces, Routes, Ports, Hosts and DNS Cache):
ipconfig /displaydns | findstr "Record" | findstr "Name Host"
What was the extension name of the shell uploaded via the server’s website?
I burned more than 10 minutes on this trying to figure out what this question even meant. Apparently they meant the server we are connected to via RDP, not the remote C&C server. So we can look at the webroot to see what it includes.
What was the last port the attacker opened?
The command below didn’t give any useful output, so it’s back to Event Viewer :)
netsh firewall show state
In Event Viewer, navigate to Applications and Services Logs\Microsoft\Windows\Windows Firewall with Advanced Security\Firewall
Sorting by date, we have two candidates:
- 8888 → Service Firewall (Not so suspicious rule name)
- 1337 → Allow outside connections for development (Very suspicious rule name :))
Check for DNS poisoning, what site was targeted?
We saw this earlier with the ipconfig command, but to double-check we can read the hosts file, and the previous IP address is indeed there.
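The checks walked through above (4624 logons and 4672 special-privilege events, scheduled task actions, firewall allow rules, DNS cache and hosts file) collected into one triage script. This is an added example, not part of the original writeup; it assumes an elevated PowerShell session on the investigated server, that the Security log has not been cleared, and that the 2/3/2019 to 6/3/2019 range used above is day/month.

```powershell
# Added triage script (not from the original writeup). Assumes an elevated
# session on the investigated host; the window matches the dates used above.
param(
    [datetime]$Start = '2019-03-02',
    [datetime]$End   = '2019-03-07'
)

function Get-EventData {
    # Read named EventData fields from the event XML rather than relying on
    # positional Properties[] indexes, which differ between 4624 and 4672.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    return $h
}

# 1. Logons (4624) and special-privilege assignments (4672) inside the window.
#    LogonType 10 = RemoteInteractive (RDP), 3 = network; IpAddress is the source.
$filter = @{ LogName = 'Security'; Id = 4624, 4672; StartTime = $Start; EndTime = $End }
Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
    $d = Get-EventData $_
    [pscustomobject]@{
        Time = $_.TimeCreated
        Id   = $_.Id
        User = if ($_.Id -eq 4624) { $d.TargetUserName } else { $d.SubjectUserName }
        Type = $d.LogonType
        From = $d.IpAddress
    }
} | Sort-Object Time | Format-Table -AutoSize

# 2. Scheduled tasks: what each action really executes, plus last run time.
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    [pscustomobject]@{
        Task    = $_.TaskName
        Execute = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        LastRun = $info.LastRunTime
    }
} | Format-Table -Wrap

# 3. Enabled inbound allow rules with their local ports (rule names like
#    "Allow outside connections for development" stand out here).
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $p = $_ | Get-NetFirewallPortFilter
    [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $p.Protocol; Port = $p.LocalPort }
} | Format-Table -AutoSize

# 4. DNS cache and non-comment hosts entries, to spot the poisoned site.
Get-DnsClientCache | Select-Object Entry, Data
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -notmatch '^\s*#' -and $_.Trim() }
```

Run it with a wider window if the compromise date is still unknown; the 4624/4672 table is what narrows it down.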
That was it, thank you for reading :)