Malware Investigation/Investigating Windows (TryHackMe)

Today we are going to cover the first part of the series Investigating Windows. Here is the situation: a Windows server has been hacked and we have to analyse the malware and find out what is happening on the machine. We have been given remote access to the server with an IP, username and password, so first let's log in to the system; here I am using Remmina. The first task is:


Task 1: What's the version and year of the Windows machine?

Answer: You can simply go to Settings > About PC. The answer is Windows Server 2016.


Task 2: Which user logged in last?

Answer: Go to cmd > net user. The answer is Administrator.



Task 3: When did John log onto the system last? Answer format: MM/DD/YYYY H:MM:SS AM/PM

Answer: Go to cmd > net user, then net user john. The answer is 03/02/2019 5:48:32 PM.


Task 4: What IP does the system connect to when it first starts?

Answer: 10.34.2.3


Task 5: What two accounts had administrative privileges (other than the Administrator user)?

Answer: Go to cmd > net localgroup administrators. The answer is Jenny and Guest.




Task 6: What's the name of the scheduled task that is malicious?

Answer: Go to Task Scheduler. Looking through every task, there is one called Clean file system which runs from the /tmp folder. When we run the task it pops up a PowerShell script, so this is the malicious task.

Task 7: What file was the task trying to run daily?

Answer: This is the file that was running from the /tmp folder. The answer is nc.ps1.


Task 8: What port did this file listen on locally?

Answer: In the task's action, a port number appears alongside the path and file name. The answer is 1348.

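Clicking through every task in Task Scheduler, as Tasks 6 to 8 do, does not scale. The PowerShell below is an added example (not part of the TryHackMe room or this write-up) that dumps every task's action, the program it launches and its arguments, and flags tasks whose executable lives outside the usual system directories or whose arguments point at a script, a temp folder or the PowerShell flags commonly seen on malicious tasks. The allow-list of trusted roots and the argument pattern are my assumptions; a hit is a lead to inspect, not a verdict.

```powershell
# Added example: enumerate scheduled task actions and flag the unusual ones.
# Assumption: anything launched from outside these roots deserves a look.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")

Get-ScheduledTask | ForEach-Object {
    $task = $_
    $info = $task | Get-ScheduledTaskInfo
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }      # COM-handler actions have no Execute
        $exe = [Environment]::ExpandEnvironmentVariables($action.Execute)

        # Relative paths such as "powershell.exe" are not under any trusted root, so they are flagged too
        $suspicious = -not ($trustedRoots | Where-Object { $exe -like "$_*" })

        # powershell.exe itself lives in System32, so look at what it is told to run
        if ($action.Arguments -match '\.ps1|tmp|temp|-enc|bypass|hidden') { $suspicious = $true }

        [pscustomobject]@{
            TaskName   = $task.TaskName
            TaskPath   = $task.TaskPath
            Author     = $task.Author
            Registered = $task.Date          # creation/registration time recorded in the task XML
            LastRun    = $info.LastRunTime
            Command    = "$exe $($action.Arguments)"
            Suspicious = $suspicious
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap
```

The Command column is where a task like the one in the write-up stands out: the script path, and any port it is handed as an argument, sit in one line next to the registration time that Task 10 relies on.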
Task 9: When did Jenny last log on?

Answer: Go to cmd > net user jenny. The answer is never.
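Tasks 2, 3, 5 and 9 all come from running net user and net localgroup one account at a time. As an added example (not from the write-up or the room), the PowerShell below collects the same facts for every local account in one pass: last logon time, whether it is enabled, and whether it sits in the local Administrators group. It relies on the Microsoft.PowerShell.LocalAccounts module that ships with Windows Server 2016.

```powershell
# Added example: one table of local accounts, last logons and admin membership.
# Members of the local Administrators group come back as "COMPUTERNAME\user" (Task 5)
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name

Get-LocalUser |
    Select-Object Name,
                  Enabled,
                  LastLogon,    # blank means the account has never logged on (Task 9)
                  @{ Name = 'IsAdmin'; Expression = { $admins -contains "$env:COMPUTERNAME\$($_.Name)" } } |
    Sort-Object LastLogon -Descending |   # most recent logon first (Tasks 2 and 3)
    Format-Table -AutoSize
```

Two things to read off the table: the built-in Guest account appearing with IsAdmin set to True, as it does in this room, is a misconfiguration worth recording on its own, and a never-logged-on account holding admin rights is a classic backdoor account.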


Task 10: At what date did the compromise take place? (Answer format: MM/DD/YYYY)

Answer: If we look at the creation time in Task Scheduler for nc.ps1 we can see that it was in 2019. We know the Windows event ID for special privileges assigned to a new logon is 4672, so we can filter on that ID around the time of the malicious files, which gives us the compromise time. The answer is 03/02/2019 04:04:49 PM.

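Filtering the Security log by hand in Event Viewer works, but the same pivot is quicker and repeatable in PowerShell. The block below is an added example (not from the write-up) that pulls event 4672 within a window around the time the write-up settles on, parses the event XML so the account and privilege list are columns rather than a blob of text, and drops the service accounts that generate most 4672 noise. The pivot time is the one quoted above; the two-hour window and the noise filter are my assumptions.

```powershell
# Added example: Security event 4672 (special privileges assigned to new logon) around a pivot time.
$pivot  = [datetime]::ParseExact('03/02/2019 04:04:49 PM', 'MM/dd/yyyy hh:mm:ss tt',
                                 [cultureinfo]::InvariantCulture)   # time from the write-up
$window = New-TimeSpan -Hours 2                                       # assumption

Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4672
    StartTime = $pivot - $window
    EndTime   = $pivot + $window
} -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Flatten EventData <Data Name="..."> nodes into a hashtable
        $xml = [xml]$_.ToXml()
        $d = @{}
        foreach ($node in $xml.Event.EventData.Data) { $d[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            Account    = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
            LogonId    = $d.SubjectLogonId
            Privileges = (($d.PrivilegeList -split '\s+') | Where-Object { $_ }) -join ','
        }
    } |
    Where-Object { $_.Account -notmatch 'SYSTEM$|LOCAL SERVICE$|NETWORK SERVICE$' } |
    Sort-Object Time | Format-Table -AutoSize -Wrap
```

The LogonId column is the join key: the same value appears in the matching 4624 logon event, which tells you how that session arrived (interactive, network, RDP) and from where.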
Task 11: What tool was used to get Windows passwords?

Answer: If we go to the /tmp folder we can see an executable named mim.exe. Testing it shows it is Mimikatz, a credential harvester. We can confirm this by checking the mim-out file, which is the output Mimikatz gathered. So the answer is mimikatz.


Task 12: What was the attacker's external command and control server's IP?

Answer: First we have to understand that the attacker is sending our information to his IP, so this should be recorded in DNS logs or any service that keeps this kind of record. Go to Local Disk (C:) > Windows > System32 > drivers > etc > logs. We can see here that the IP for Google's DNS entry is not right. The answer is 76.32.97.132.

Task 13: What was the extension name of the shell uploaded via the server's website?

Answer: Go to Local Disk (C:) > inetpub > wwwroot. Here we can see multiple files, but if you look closely there are two files with the .jsp extension and one of them is the impostor.
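Eyeballing wwwroot finds the odd file here, but a bigger site needs a systematic pass. As an added example (not from the write-up), the PowerShell below inventories the web root with creation and modification times and marks server-side script extensions, then greps the marked files for the Java process-execution calls a JSP web shell needs. The default IIS path is the one the write-up browses to; the extension list and the search pattern are my assumptions.

```powershell
# Added example: hunt for uploaded server-side scripts in the IIS web root.
$webRoot   = 'C:\inetpub\wwwroot'
$scriptExt = @('.jsp', '.jspx', '.asp', '.aspx', '.ashx', '.asmx', '.php', '.cer')   # assumption

$files = Get-ChildItem -Path $webRoot -Recurse -File |
    Select-Object FullName, Extension, Length, CreationTime, LastWriteTime,
                  @{ Name = 'ServerSide'; Expression = { $_.Extension.ToLower() -in $scriptExt } }

# Newest server-side files first: an upload shows up as a recent CreationTime among old site files
$files | Sort-Object ServerSide, CreationTime -Descending | Format-Table -AutoSize

# Look inside the server-side files for the calls a JSP shell uses to run commands
$files | Where-Object ServerSide |
    Select-String -Pattern 'Runtime\.getRuntime|ProcessBuilder|\.exec\(' -List |
    Select-Object Path, LineNumber, Line | Format-Table -AutoSize -Wrap
```

A .jsp file on an IIS server is itself the anomaly, since IIS does not execute JSP without an add-on; the content check is what separates a stray template from a shell.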



Task 14: What was the last port the attacker opened?

Answer: Go to the firewall and check the inbound rules. We immediately notice that outside connections are allowed on 1337, huh... obviously. So the answer is 1337.
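The inbound rule list in the GUI hides the port behind a second tab. The PowerShell below is an added example (not from the write-up) that joins each enabled inbound Allow rule to its port, address and program filters so bare port openings (a port allowed with no program restriction) stand out in one table. The filter for "no program" is my assumption about what to surface first.

```powershell
# Added example: enabled inbound Allow rules with their ports, remote scope and program.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $rule.DisplayName
            Profile    = $rule.Profile
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
            Program    = $app.Program          # 'Any' when the rule is not tied to a program
        }
    } |
    # Raw port openings not tied to a program are the ones an attacker typically adds
    Where-Object { $_.LocalPort -ne 'Any' -and $_.Program -eq 'Any' } |
    Sort-Object Profile, LocalPort | Format-Table -AutoSize
```

Firewall rule objects carry no creation timestamp, so "last opened" has to come from elsewhere: if rule-change auditing is on, Security event 4946 (a rule was added to the firewall exception list) gives the time and the rule name.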



Task 15: Check for DNS poisoning, what site was targeted?

Answer: We have previously seen that it was google.com.
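Tasks 12 and 15 both rest on the same artefact: a hosts file entry that pins a well-known domain to an attacker-chosen address, which the write-up then reads as the command and control IP. As an added example (not from the write-up), the PowerShell below parses the hosts file under System32\drivers\etc, handles comments and multi-name lines, and flags any entry that maps a watched domain to anything other than loopback. The watch-list is my assumption and should be tuned to the domains the server actually depends on.

```powershell
# Added example: detect hosts-file "DNS poisoning" for a set of watched domains.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$watch     = @('google.com', 'www.google.com', 'microsoft.com', 'windowsupdate.com')   # assumption

Get-Content $hostsPath | ForEach-Object {
    $line = ($_ -split '#')[0].Trim()          # strip trailing comments and blank lines
    if (-not $line) { return }                 # 'return' inside ForEach-Object skips to the next line
    $parts = $line -split '\s+'
    if ($parts.Count -lt 2) { return }         # an address with no hostnames is malformed
    $ip    = $parts[0]
    $names = $parts[1..($parts.Count - 1)]
    foreach ($name in $names) {
        $watched    = [bool]($watch | Where-Object { $name -eq $_ -or $name -like "*.$_" })
        $isLoopback = $ip -in @('127.0.0.1', '::1')
        [pscustomobject]@{
            Hostname   = $name
            Address    = $ip
            Suspicious = $watched -and -not $isLoopback
        }
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```

Any row with Suspicious set to True is an entry that silently overrides DNS for that name; the address in that row is the one to check against the server's outbound connections and the rest of the timeline.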