Investigating Windows
A windows machine has been hacked. Investigate this windows machine and find clues to what the hacker might have done.
By Jacvbtaylor
While logged onto the machine, command prompts and shell scripts randomly appear, roughly every few minutes. This is never a good sign and needs to be investigated immediately. We want to find out what has happened, what is happening, and what could happen next.
In order to remediate, we need to know the full story.
What's the version and year of the Windows machine?
Using the systeminfo command, it is apparent that this is a Windows Server 2016.
Which user logged in last?
While there may be a few different ways to see the last user that logged on, one of the easiest is through the Event Viewer.
All of the most recent logs point to the Administrator. Although I am logged into this machine as the Administrator, it is important to note that these actions are not mine.
Running the net users command will show how many users are on the machine. It is important to find out their actions and roles, as well as their legitimacy.
When did John log onto the system last?
After filtering the 2,219 events down to the 198 registered under Event ID 4624 (successful logon), it is easy to pinpoint when John last logged on.
Using the "Find" option and searching for the string "John", the first log to come up has two important things to note: the date and time, 03/02/2019 5:48:32 PM, and the Computer, EC2AMAZ-I8UHO76.
What IP does the system connect to when it first starts?
As seen in the gif above, when the system starts up a command prompt runs an executable, p.exe, from the path C:\TMP.
Following this file to the TMP directory reveals files that appear to have been introduced to the machine on 03/02/2019, the same day John last logged in. Looking at the command prompt's output on login, we see the IP the system connects to is 10.34.2.3.
As a side note, this IP is not shown by the netstat -ano command.
What two accounts had administrative privileges (other than the Administrator user)?
To find out which accounts have been given Admin privileges, we can use net localgroup Administrators.
This command informs us that Jenny and Guest have rights they probably should not have. It is going to be important to keep an eye on these users through the rest of the investigation.
What's the name of the scheduled task that is malicious?
For this, the Task Scheduler can be used to display all of the scheduled tasks.
The Clean file system task can be seen, through the Actions tab, to call C:\TMP\nc.ps1.
What file was the task trying to run daily?
Investigating the nc.ps1 PowerShell script reveals it to be a Netcat listener.
Netcat is a networking utility that reads from and writes to network connections. It is easily used maliciously for reverse shells and backdoors.
What port did this file listen locally for?
The program is shown to listen on port 1348.
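The Task Scheduler check above done from the command line, as an added example that is not part of the original writeup: every task action is listed and the ones a responder would look at first are flagged. The path patterns and interpreter list are my own heuristics, not an exhaustive rule set.

```powershell
# Added example: enumerate scheduled task actions and flag suspicious ones.
# Assumes the ScheduledTasks module (Windows 8 / Server 2012 and later).

function Find-SuspiciousTaskActions {
    foreach ($task in Get-ScheduledTask) {
        $info = $task | Get-ScheduledTaskInfo
        foreach ($action in $task.Actions) {
            $exe       = [string]$action.Execute
            $arguments = [string]$action.Arguments
            $cmdline   = ("$exe $arguments").Trim()
            $reasons   = @()
            # Launched from a temp or user-writable directory rather than Program Files or Windows
            if ($cmdline -match '(?i)\\TMP\\|\\Temp\\|\\AppData\\|\\ProgramData\\|\\Users\\Public\\') {
                $reasons += 'runs from a writable or temp directory'
            }
            # An interpreter handed a script file or an encoded command
            if ($exe -match '(?i)powershell|pwsh|cmd\.exe|wscript|cscript|mshta' -and
                $arguments -match '(?i)\.ps1|\.bat|\.vbs|\.js|-enc|-e ') {
                $reasons += 'interpreter executing a script'
            }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Task    = $task.TaskName
                    Path    = $task.TaskPath
                    RunsAs  = $task.Principal.UserId
                    Command = $cmdline
                    LastRun = $info.LastRunTime
                    NextRun = $info.NextRunTime
                    Reason  = $reasons -join '; '
                }
            }
        }
    }
}

# A task such as "Clean file system" calling C:\TMP\nc.ps1 matches both heuristics.
Find-SuspiciousTaskActions | Format-List
```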
When did Jenny last logon?
Using the command net user Jenny | findstr "Last" reveals that Jenny has never logged in.
At what date did the compromise take place?
Sticking with the ongoing pattern of 03/02/2019, we can use this date in the Event Viewer to further investigate.
Using the Filter Current Log option, it is easy enough to specify the date we want to investigate.
This narrows 2,000+ events down to 516. Looking through these logs shows unusual activity, making it easy to declare this the date of compromise.
During the compromise, at what time did Windows first assign special privileges to a new logon?
Right before 03/02/2019 4:04:49 PM, Events 4737 and 4781 occur multiple times before we see Event ID 4624, indicating a logon.
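The two Event Viewer searches above (John's last 4624 logon, and the account-change and special-privilege events on the compromise day) as an added example that is not part of the original writeup, using Get-WinEvent instead of the GUI. It assumes it runs on the host with rights to read the Security log; the event IDs 4672, 4737 and 4781 and the 4624 property indexes are from the standard Windows event schema.

```powershell
# Added example: Security log triage from PowerShell.

function Get-UserLogons {
    param([Parameter(Mandatory)][string]$User)
    # 4624 = successful logon. Indexes follow the 4624 event schema:
    # 5 TargetUserName, 8 LogonType, 18 IpAddress.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[5].Value -eq $User } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $_.Properties[5].Value
                LogonType = $_.Properties[8].Value   # 2 interactive, 3 network, 10 RDP
                SourceIP  = $_.Properties[18].Value
                Computer  = $_.MachineName
            }
        }
}

function Get-CompromiseDayTimeline {
    param([Parameter(Mandatory)][datetime]$Day)
    # 4672 special privileges assigned to a new logon, 4737 group changed,
    # 4781 account renamed, 4624 logon: one ordered timeline for the day.
    $filter = @{
        LogName   = 'Security'
        Id        = 4624, 4672, 4737, 4781
        StartTime = $Day.Date
        EndTime   = $Day.Date.AddDays(1)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Summary = ($_.Message -split "`r?`n")[0]   # first line of the description
            }
        }
}

# Most recent logon for John, then the first "special privileges" event on the compromise day.
Get-UserLogons -User 'John' | Sort-Object Time -Descending | Select-Object -First 1
Get-CompromiseDayTimeline -Day '2019-03-02' | Where-Object Id -eq 4672 | Select-Object -First 1
```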
What tool was used to get Windows passwords?
Going back to the TMP directory, opening the mim-out.txt file reveals Mimikatz, the tool used by the attacker to get the Windows passwords.
What was the attacker's external command and control server's IP?
Looking at the local hosts file, there is an IP address specified at the bottom of the file. This IP can be taken to be the C2 server address.
What was the extension name of the shell uploaded via the server's website?
Going back to the local drive and viewing the modified dates, we can see the inetpub directory.
There are three files in the C:\inetpub\wwwroot\ path: one GIF and two JSP files.
Uploading b.jsp to VirusTotal reveals it to be malicious, specifically a JSPRat.
Looking a little further into this .jsp file: "Riskware/JSPRat is classified as a type of Riskware. Riskware is any potentially unwanted application that is not classified as malware, but may utilize system resources in an undesirable or annoying manner, and/or may pose a security risk." - FortiGuard
What was the last port the attacker opened?
Referring to the Windows Firewall, it shows port 1337 to be the last opened port.
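Since the firewall rule, the netstat check and the Netcat listener above are three views of the same question (what is exposed on this host), here is an added example, not part of the original writeup, that pairs each live TCP listener with the inbound allow rules letting it through. It assumes the NetSecurity and NetTCPIP modules shipped with Windows Server 2012 R2 and later.

```powershell
# Added example: join live TCP listeners to the firewall rules that expose them.

function Test-PortInFilter {
    param([int]$Port, $LocalPort)
    # Port filters hold 'Any', a single port, or a range like 1000-2000, possibly as an array.
    foreach ($p in @($LocalPort)) {
        if ($p -eq 'Any') { return $true }
        if ($p -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        } elseif ([string]$p -eq [string]$Port) { return $true }
    }
    return $false
}

function Get-ListenerExposure {
    $rules = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True -ErrorAction SilentlyContinue
    # Resolve each rule's port filter once up front
    $filters = foreach ($r in $rules) {
        $pf = $r | Get-NetFirewallPortFilter
        [pscustomobject]@{ Name = $r.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    }
    foreach ($conn in Get-NetTCPConnection -State Listen) {
        $proc = Get-Process -Id $conn.OwningProcess -ErrorAction SilentlyContinue
        $open = $filters | Where-Object {
            ($_.Protocol -eq 'TCP' -or $_.Protocol -eq 'Any') -and
            (Test-PortInFilter -Port $conn.LocalPort -LocalPort $_.LocalPort)
        }
        [pscustomobject]@{
            Port        = $conn.LocalPort
            Address     = $conn.LocalAddress
            PID         = $conn.OwningProcess
            Process     = $proc.ProcessName
            CommandLine = (Get-CimInstance Win32_Process -Filter "ProcessId = $($conn.OwningProcess)").CommandLine
            AllowRules  = ($open.Name -join '; ')
        }
    }
}

# A listener on 1348 or 1337 with a powershell.exe command line and a matching allow rule stands out here.
Get-ListenerExposure | Sort-Object Port | Format-Table -AutoSize
```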
Check for DNS poisoning, what site was targeted?
Viewing the hosts file once more, we see several examples of DNS poisoning, but the entries for google.com are the most severe.
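The two hosts-file findings above (an address appended at the bottom, and well-known domains redirected) as an added example that is not part of the original writeup. The list of high-value domains is my own and not exhaustive.

```powershell
# Added example: audit the hosts file for poisoned entries and stray addresses.

function Get-HostsFileFindings {
    param([string]$Path = "$env:windir\System32\drivers\etc\hosts")
    $loopback  = '^(127\.|::1$|0\.0\.0\.0$)'
    $highValue = '(?i)(^|\.)(google|microsoft|windowsupdate|bing|yahoo|facebook)\.com$'
    $lineNo = 0
    foreach ($line in Get-Content -Path $Path) {
        $lineNo++
        $entry = ($line -split '#')[0].Trim()            # drop comments and blank lines
        if (-not $entry) { continue }
        $fields = $entry -split '\s+'
        $ip     = $fields[0]
        $parsed = $null
        $isIp   = [System.Net.IPAddress]::TryParse($ip, [ref]$parsed)
        if ($fields.Count -lt 2) {
            # A bare address with no hostname has no legitimate purpose in this file
            [pscustomobject]@{ Line = $lineNo; IP = $ip; HostName = ''; Reason = 'address with no hostname' }
            continue
        }
        foreach ($name in ($fields | Select-Object -Skip 1)) {
            $reasons = @()
            if (-not $isIp)                  { $reasons += 'first field is not an IP address' }
            elseif ($ip -notmatch $loopback) { $reasons += "resolves to non-loopback $ip" }
            if ($name -match $highValue)     { $reasons += 'well-known domain overridden (DNS poisoning)' }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{ Line = $lineNo; IP = $ip; HostName = $name; Reason = $reasons -join '; ' }
            }
        }
    }
}

Get-HostsFileFindings | Format-Table -AutoSize
```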