THM — Investigating Windows

My notes on THM Room.

Whats the version and year of the windows machine?

Host Name:                 EC2AMAZ-I8UHO76
OS Name: Microsoft Windows Server 2016 Datacenter

Which user logged in last?

The last logged in user can be found with net user

User accounts for \\EC2AMAZ-I8UHO76
Administrator DefaultAccount Guest
Jenny John
The command completed successfully.

When did John log onto the system last?

We can use the net user command to search for information on users.

Password last set            3/2/2019 5:48:19 PM
Password expires Never
Password changeable 3/2/2019 5:48:19 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 3/2/2019 5:48:32 PM
Logon hours allowed AllLocal Group Memberships *Users
Global Group memberships *None
The command completed successfully.

What IP does the system connect to when it first starts?

When the VM first starts up, the connection to the IP is seen.

Another area we can check is where the registry keys are stored. We can check in HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > Run. This specific path shows us what the VM does when it starts up.

What two accounts had administrative privileges (other than the Administrator user)?

We can check privileges within the Computer Management program. Checking the properties and the Member of we can see which users have administrative privileges.

Whats the name of the scheduled task that is malicous

Clean File System (shown below in screenshot)

What file was the task trying to run daily?

What port did this file listen locally for?

Port 1348

When did Jenny last logon?


At what date did the compromise take place?

Searching for the file directory path found in previous screenshots, we can see that the compromise occured at 03/02/2019.

At what time did Windows first assign special privileges to a new logon?


What tool was used to get Windows passwords?

What was the attackers external control and command servers IP?

We can check our hosts file. Located at C:\Windows\System32\drivers\etc\hosts

What was the extension name of the shell uploaded via the servers website?

Another directory created at the same time as TMP can be found at C:\. Checking this directory we find the shell used to upload to the web server.

What was the last port the attacker opened?

Port 1337. Checking the Firewall Inbound Rules we find a rule that looks strange.

Check for DNS poisoning, what site was targeted?

From the screenshot from the Hosts file, we see that was used for DNS Poisoning.

cyber enthusiast