TryHackMe: Investigating Windows Walkthrough

Onur Alp Akin
5 min readApr 13, 2023

A Windows machine has been hacked, it’s your job to go investigate this Windows machine and find clues to what the hacker might have done.

Original Publish Date: Mar 1, 2023

What’s the version and year of the Windows machine?

Settings > system > about

windows server 2016

Which user logged in last?

Let’s fire up event viewer and open security logs

From Microsoft docs, we can deduce that we should look for event ID 4624

After sorting by date and looking through the details tab, we found our answer

When did John log onto the system last?

Filtering the above logs for user John on domain EC2AMAZ-I8UHO76 will not return anything, so instead of filtering for user, I simply search.

What IP does the system connect to when it first starts?

One of the ways of persisting on the system is adding services and startup apps. Let’s check regedit


What two accounts had administrative privileges (other than the Administrator user)?

From hacktricks

net localgroup Administrators

What’s the name of the scheduled task that is malicious?

After opening Task Scheduler, we can see a couple of malicious looking tasks

  • falshupdate22 spawns a PowerShell and outputs to a TXT file
  • Game Over runs an EXE
  • Clean file system executes a PowerShell script

Checking every single one, the script that third one executes looks very conspicuous to me

I’m pasting it to an editor to enable syntax highlighting

Script’s help page says

powercat - Netcat, The Powershell Version
Github Repository:

In the real world, it’s plausible that this would be a connection to a C&C server.

What file was the task trying to run daily?

It’s either:

  • check logged in → iexplorer.exe
  • Clean file system → nc.ps1

We can deduct it’s the latter

What port did this file listen locally for?

From the actions page above: 1348

When did Jenny last logon?

At what date did the compromise take place?

It’s safe to assume that previous malicious task would be created after initial compromise

At what time did Windows first assign special privileges to a new logon?

Returning to event viewer, I filter the logs again, but this time with the event ID 4672

There are more than 300 results. To reduce the amount, it would make sense to filter from 2/3/2019 to 6/3/2019

Hint says it follows the format 00/00/0000 0:00:49 PM

What tool was used to get Windows passwords?

Game Over task uses mim.exe to exfiltrate data. I just guessed it would be mimikatz

But if you don’t want to guess, you can navigate to C:\TMP then get file’s hash and search on Virus Total

What was the attacker’s external control and command servers IP?

From hacktricks (Interfaces, Routes, Ports, Hosts and DNSCache)

ipconfig /displaydns | findstr "Record" | findstr "Name Host"

What was the extension name of the shell uploaded via the server’s website?

I burned more than 10 minutes on this trying to figure out what this question even meant. Apparently they meant the server we are connected via RDP, not the remote C&C server. So we can look at the webroot to see what it includes.

What was the last port the attacker opened?

The command below didn’t give any useful output. Therefore, back to the event viewer :)

netsh firewall show state

In event viewer, navigate to

Applications and Services Logs\Microsoft\Windows\Windows Firewall with Advanced Security\Firewall

And sorting by date, we have two candidates:

  • 8888 → Service Firewall (Not so suspicious rule name)
  • 1337 → Allow outside connections for development (Very suspicious rule name :))

Check for DNS poisoning, what site was targeted?

We saw this earlier with the ipconfig command, but to double-check we can read hosts file and previous IP address is indeed there.

type C:\WINDOWS\System32\drivers\etc\hosts