tryhackme investigating windows writeup

posted on March 5, 2023, 5:51 a.m.

https://tryhackme.com/room/investigatingwindows



  •  I do not provide any answers.

  •  To connect to tryhackme virtual machines go here: https://tryhackme.com/access

  •  If the directions are written clearly in the task description, then I will skip that question.

  •  Basically, if you are stuck then check this writeup.


Task 1: 
connect to the Windows VM using Remmina from a Kali Linux VM


Question 1:
open CMD and enter: systeminfo


Question 2:
on CMD enter: net user
enter: net user administrator
enter: net user john
compare the "Last logon" dates of the two accounts


Question 3:
look at the information from: net user john


Question 4:
you see the IP in a CMD window that opens when the machine starts up
or
open regedit and navigate to: HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run


Entries under the Run key are executed every time a user logs on, as described at https://docs.microsoft.com/en-us/windows/win32/com/hkey-local-machine-software-microsoft-windows-nt-currentversion, which is why it is a common persistence location worth checking.


Question 5:
open Computer Management 
click on Local Users & Groups and inspect each user to see which groups they are a member of


Question 6:
open Server Manager
click on Tools in the top right and open Task Scheduler
click on Task Scheduler Library in the tree
find the task whose name says one thing but whose action does something else (hint: it runs a suspicious PowerShell script)
notice that the action is "nc.ps1 -l 1348"; this looks like a netcat command listening on port 1348


Question 7:
the answer is found in the previous question


Question 8:
you've done this before


Question 9:
look at the scheduled tasks again and you'll find the other malicious task, which is quite obvious
examine its action and notice the .exe, which is an indicator that it's part of a Mimikatz attack
you can find the date on the task's properties


Question 10:
Windows logs a dedicated Event ID when a logon is assigned special (administrative) privileges: 4672


https://docs.microsoft.com/en-us/windows/security/threat-protection/auditing/event-4672
Open Event Viewer, go to Windows Logs > Security in the tree and filter on Event ID 4672
Because there are thousands of events with that ID we must filter further
Remember the date that the malicious mim.exe task was scheduled on and use that as a filter
The privilege escalation had to have happened on or before that date.
You should be able to narrow it down to around 67 events if you are lost.
I am not exactly sure how the author distinguished which exact event, because there are a few with the exact same details around the time of the specific answer, so use the hint to get the exact one.
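Doing the Question 6/9 task review and the Question 10 event filtering by hand works, but the same triage is faster from PowerShell. The script below is an added example, not part of the original writeup or the room: it lists every scheduled task's real action (the task name can lie, the action cannot), flags the ones matching the indicators mentioned above, and then pulls the 4672 events for a given day. The date passed to Get-SpecialLogons is a placeholder; substitute the creation date you read from the malicious task.

```powershell
# Added triage helper, not from the original writeup.
# Indicators come from the tasks discussed in Questions 6 and 9 of the room.
$suspectPatterns = @('nc\.ps1', 'mim\.exe', 'mimikatz')

function Get-TaskActions {
    # One row per (task, action) so a task with several actions is fully visible.
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        foreach ($a in $task.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                Author     = $task.Author
                State      = $task.State
                LastRun    = $info.LastRunTime
                Command    = $cmd
                # -match is a regex test; any indicator hit marks the row
                Suspicious = [bool]($suspectPatterns | Where-Object { $cmd -match $_ })
            }
        }
    }
}

function Get-SpecialLogons {
    param([Parameter(Mandatory)][datetime]$Day)
    # Security log, Event ID 4672, restricted to the 24 hours of $Day.
    # Properties[1] is SubjectUserName and Properties[3] the logon ID for 4672.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4672
        StartTime = $Day.Date
        EndTime   = $Day.Date.AddDays(1)
    } | ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = $_.Properties[1].Value
            LogonId = $_.Properties[3].Value
        }
    } | Sort-Object Time
}

# Suspicious tasks first, then the privileged logons for the placeholder day.
Get-TaskActions | Sort-Object Suspicious -Descending | Format-Table -AutoSize
Get-SpecialLogons -Day (Get-Date '2000-01-01')   # placeholder date, replace it
```

Run it from an elevated PowerShell prompt on the VM; reading the Security log requires administrator rights.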


Question 11:
look at the output .txt file in the directory that the malicious scheduled task uses


Question 12:
you can find this answer in the hosts file, where attackers commonly add an entry pointing to their C2 server IP


Question 13:
check the C: drive for the wwwroot folder
Windows servers commonly run the built-in web server IIS, whose default web root is C:\inetpub\wwwroot


Question 14:
you have to look at Windows Firewall with Advanced Security here
look at the Inbound Rules and find the last one added


Question 15:
again look at the hosts file
you'll find which domain is being redirected to the IP of the C2 server