2022-05-07_Lab 15 - Investigating Windows - Cyber_Security

Week 15 Lab

  1. What’s the version and year of the windows machine?

Answer: Windows Server 2016

  1. Which user logged in last?

Answer: Administrator

  1. When did John log onto the system last?

Answer: 03/02/2019 5:48:32 PM

I ran “regedit” to navigate to the UpdateSvc file located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

  1. What IP does the system connect to when it first starts?

Answer: 10.34.2.3

Navigating through Control Panel > System and Security > Administrative Tools > Computer Management:

I found the two accounts that also had administrative privileges under Local Users and Groups > Groups > Administrators:

  1. What two accounts had administrative privileges (other than the Administrator user)?

Answer: Jenny, Guest

  1. What’s the name of the scheduled task that is malicious? Answer: Clean file system

  2. What File was the task trying to run daily? Answer: nc.ps1

  3. What port did this file listen locally for? Answer: 1348

Using the “net user Jenny” command in cmd.exe, I found that she never logged on.

  1. When did Jenny last log on? Answer: never

  2. At what date did the compromise take place? Answer: 03/02/2019

  3. At what time did Windows first assign special privileges to a new logon? Answer: 03/02/2019 4:04:49 PM

After looking up the task that was running, I found that the event “GameOver” was running through a “mim.exe” file.

I was not too familiar with the application “mim.exe”, so I looked it up and found some useful info on this site: https://www.joesandbox.com/analysis/219878/0/html

  1. What tool was used to get Windows Passwords? Answer: Mimikatz

  2. What was the attacker’s external command and control server’s IP? Answer: 76.32.97.132

I was able to find this info in C:\inetpub\wwwroot

  1. What was the extension name of the shell uploaded via the server’s website? Answer: .jsp

Windows Firewall with Advanced Security stores all Inbound Rules:

  1. What was the last port the attacker opened? Answer: 1337

I was able to find this info in C:\Windows\System32\drivers\etc\hosts

  1. Check for DNS poisoning: what site was targeted? Answer: google.com

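The walkthrough above collects each artifact by hand (Run key, scheduled task actions, admin group members and last logons, inbound firewall rules, the hosts file, and the first 4672 event). As an added example, not part of the original lab write-up, here is a PowerShell triage script that pulls the same artifacts in one pass from an elevated session on the host under investigation; the cmdlets are standard Windows ones, the section layout is my own.

```powershell
# Added triage script (not from the lab). Run as Administrator on the host
# being investigated; the Security log and HKLM reads need elevation.

# 1. Autostart values under the HKLM Run key (the lab found UpdateSvc here).
Write-Host "== HKLM Run key =="
Get-ItemProperty -Path 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' |
    Select-Object -Property * -ExcludeProperty PS* | Format-List

# 2. Every scheduled task with what it executes (the lab's task ran nc.ps1).
Write-Host "== Scheduled task actions =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $_.Actions | Select-Object @{n='Task'; e={ $task.TaskName }},
                              @{n='Author'; e={ $task.Author }},
                              Execute, Arguments
} | Where-Object { $_.Execute } | Format-Table -AutoSize

# 3. Who is in Administrators, and when each local account last logged on
#    (Get-LocalUser shows an empty LastLogon where "net user" says Never).
Write-Host "== Administrators group and local logons =="
Get-LocalGroupMember -Group 'Administrators' | Format-Table Name, PrincipalSource -AutoSize
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize

# 4. Enabled inbound allow rules that open a specific local port
#    (the lab's attacker-added rule opened 1337).
Write-Host "== Inbound allow rules with a local port =="
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    if ($port.LocalPort -ne 'Any') {
        [pscustomobject]@{ Rule = $_.DisplayName; Port = $port.LocalPort; Protocol = $port.Protocol }
    }
} | Format-Table -AutoSize

# 5. Non-comment hosts file entries (the lab's google.com override lives here).
Write-Host "== hosts file entries =="
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" | Where-Object { $_ -match '^\s*[^#\s]' }

# 6. Earliest "special privileges assigned to new logon" event (ID 4672);
#    Get-WinEvent returns newest first, so sort ascending and take the first.
Write-Host "== Earliest 4672 event =="
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4672 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated | Select-Object -First 1 TimeCreated, Id, Message | Format-List
```

Redirect the output to a file on removable or network storage rather than the suspect disk so the evidence collection does not overwrite artifacts you may still need.
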
Written on May 7, 2022