TryHackMe: Investigating Windows w/ PowerShell

Investigating Windows w/ PowerShell

In this writeup, I have tried to solve all the questions in the Investigating Windows room on TryHackMe.com.

systeminfo
  • Event ID 4624 records a successful logon. In its property list Properties[5] is TargetUserName, the account that actually logged on, while Properties[1] is SubjectUserName, the account that requested the logon (usually the machine account or SYSTEM), so the query has to read index 5. Event ID 4672 records special privileges assigned to a new logon, and there Properties[1] is the logged-on account.
PS C:\Users\Administrator> Get-WinEvent -ComputerName $env:COMPUTERNAME -FilterHashtable @{LogName='Security';ID=4624} | select @{N='User'; E={$_.Properties[5].Value}}, TimeCreated
PS C:\Users\Administrator> Get-WinEvent -ComputerName $env:COMPUTERNAME -FilterHashtable @{LogName='Security';ID=4672} | where {$_.Properties[1].Value -notmatch "SYSTEM|Guest"} | select @{N='User'; E={$_.Properties[1].Value}}, TimeCreated
net user john
Get-Item "Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
net localgroup administrators
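The two event-log queries above list logons and privilege assignments separately. The following function, an added example that is not part of the original writeup, joins them on the logon ID so that every privileged logon is shown together with the logon type and source address from its matching 4624 event. The property indexes are the documented field order for 4624 and 4672; the function name, the default ignore pattern and the date in the usage line are assumptions for illustration.

```powershell
# Added example, not part of the original writeup. Joins 4624 (logon) to 4672
# (special privileges assigned) on the logon ID so each privileged logon shows the
# account, logon type and source address. Needs an elevated shell to read Security.
function Get-PrivilegedLogon {
    param(
        [datetime]$After = (Get-Date).AddDays(-30),
        # Accounts to drop: SYSTEM, machine accounts (end in $), window-manager/font-driver sessions
        [string]$IgnorePattern = '^(SYSTEM|.*\$|DWM-\d+|UMFD-\d+|ANONYMOUS LOGON)$'
    )

    # 4624 property order: [5]=TargetUserName [6]=TargetDomainName [7]=TargetLogonId [8]=LogonType [18]=IpAddress
    $byLogonId = @{}
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$After} -ErrorAction SilentlyContinue |
        ForEach-Object {
            $byLogonId[[string]$_.Properties[7].Value] = [pscustomobject]@{
                User      = $_.Properties[5].Value
                Domain    = $_.Properties[6].Value
                LogonType = $_.Properties[8].Value   # 2=interactive 3=network 7=unlock 10=RDP
                Source    = $_.Properties[18].Value
            }
        }

    # 4672 property order: [1]=SubjectUserName [3]=SubjectLogonId [4]=PrivilegeList
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4672; StartTime=$After} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[1].Value -notmatch $IgnorePattern } |
        ForEach-Object {
            # $null when the matching 4624 lies outside the time window; the fields then stay empty
            $logon = $byLogonId[[string]$_.Properties[3].Value]
            [pscustomobject]@{
                Time       = $_.TimeCreated
                User       = $_.Properties[1].Value
                LogonType  = $logon.LogonType
                Source     = $logon.Source
                Privileges = (($_.Properties[4].Value -split '\r?\n') | ForEach-Object { $_.Trim() } | Where-Object { $_ }) -join ','
            }
        }
}

# Usage (date is an assumption): privileged logons since the day the artefacts were dropped
Get-PrivilegedLogon -After (Get-Date '2019-03-01') | Sort-Object Time | Format-Table -AutoSize
```

A 4672 whose joined LogonType is 10 (RemoteInteractive) or 3 (Network) with a non-local Source is the row to chase first; a 4672 with no matching 4624 means the logon happened before the window or the log has rolled over.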
  • From the output of Get-ScheduledTask, an oddly named task near the top of the list stands out and is the answer.
  • That listing does not show what the task does. Get-ScheduledTask -TaskName "<scheduled_task_name>" | Select * prints every property of the task.
  • Even that does not show the command the task executes, because the Actions property is a nested object that the default view does not expand.
  • To see the executable and its arguments, expand the Actions property: (Get-ScheduledTask -TaskName "<scheduled_task_name>").Actions
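Expanding Actions one task at a time does not scale past a handful of tasks. The function below, an added example rather than code from the writeup, walks every registered task, emits one row per action with the full command line, the account it runs as and its author, and flags actions that invoke a script host or point outside the Windows directory. The function name and the suspicious-pattern default are assumptions chosen for illustration.

```powershell
# Added example, not part of the original writeup. One row per scheduled-task action
# with the resolved command line; Suspicious is a triage hint, not a verdict.
function Get-SuspiciousScheduledTask {
    param(
        # Script hosts and LOLBins commonly used by task-based persistence (assumed list)
        [string]$SuspiciousPattern = 'powershell|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32|\.ps1|\.vbs|\.bat'
    )

    Get-ScheduledTask | ForEach-Object {
        $task = $_
        # A task may carry several actions; COM-handler actions have no Execute and are skipped
        foreach ($action in $task.Actions) {
            $exe = $action.Execute
            if (-not $exe) { continue }
            $argString = $action.Arguments
            $cmd = ("$exe $argString").Trim()
            [pscustomobject]@{
                TaskName   = $task.TaskName
                TaskPath   = $task.TaskPath
                State      = $task.State
                RunAs      = $task.Principal.UserId
                Author     = $task.Author
                Command    = $cmd
                Suspicious = ($cmd -match $SuspiciousPattern) -or
                             ($exe -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)')
            }
        }
    }
}

# Usage: flagged tasks first, with the command line that a plain Get-ScheduledTask hides
Get-SuspiciousScheduledTask | Where-Object Suspicious |
    Sort-Object TaskPath, TaskName | Format-List TaskName, TaskPath, RunAs, Author, Command
```

Legitimate Microsoft tasks that run PowerShell or live under Program Files will also be flagged; the point is to shrink the list to something a human can read, with RunAs and Author as the next discriminators (a task authored by a non-admin user but running as SYSTEM deserves a second look).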
PS C:\Users\Administrator> cd ..\
PS C:\Users> cd ..\
PS C:\> cd TMP
PS C:\TMP> dir

Directory: C:\TMP


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/2/2019 4:37 PM 9673 d.txt
-a---- 3/2/2019 4:37 PM 3389 mim-out.txt
-a---- 3/2/2019 4:37 PM 663552 mim.exe
-a---- 3/2/2019 4:45 PM 176148 moutput.tmp
-a---- 3/2/2019 4:37 PM 36864 nbtscan.exe
-a---- 3/2/2019 4:37 PM 37640 nc.ps1
-a---- 3/2/2019 4:37 PM 381816 p.exe
-a---- 3/2/2019 4:46 PM 0 scan1.tmp
-a---- 3/2/2019 4:46 PM 0 scan2.tmp
-a---- 3/2/2019 4:46 PM 0 scan3.tmp
-a---- 3/2/2019 4:37 PM 7022 schtasks-backdoor.ps1
-a---- 3/2/2019 4:45 PM 40464394 somethingwindows.dmp
-a---- 3/2/2019 4:46 PM 11950 sys.txt
-a---- 3/2/2019 4:37 PM 19998 WMIBackdoor.ps1
-a---- 3/2/2019 4:37 PM 843776 xCmd.exe
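A directory listing gives names and write times only. The function below, an added example that is not part of the original writeup, triages every file in a suspect directory: SHA256 for later lookup, Authenticode status for executables and scripts, the Zone.Identifier alternate data stream (the mark-of-the-web a browser download carries) and both creation and modification times. The function name is an assumption; the usage line points it at C:\TMP from the listing above.

```powershell
# Added example, not part of the original writeup. Per-file triage of a suspect
# directory. Run as an account that can read the files; hidden files are included.
function Get-FileTriage {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Force | ForEach-Object {
        $f = $_
        $hash = (Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash

        # Authenticode is only meaningful for PE images and signable scripts
        $sig = if ($f.Extension -match '^\.(exe|dll|sys|ps1)$') {
            (Get-AuthenticodeSignature -FilePath $f.FullName).Status
        } else { 'n/a' }

        # Zone.Identifier: ZoneId=3 means Internet. Absence does not prove local origin
        # (copied over SMB, unzipped, or written by a tool that strips the stream).
        $zone = try {
            (Get-Content -Path $f.FullName -Stream Zone.Identifier -ErrorAction Stop |
                Where-Object { $_ -match '^ZoneId=' }) -replace '^ZoneId=', ''
        } catch { $null }

        [pscustomobject]@{
            Name      = $f.Name
            Size      = $f.Length
            Created   = $f.CreationTime
            Modified  = $f.LastWriteTime
            Signature = $sig
            ZoneId    = $zone
            SHA256    = $hash
        }
    }
}

# Usage: triage the drop directory found above, oldest creation time first
Get-FileTriage -Path 'C:\TMP' | Sort-Object Created | Format-Table -AutoSize
```

A creation time earlier than the modification time, or a batch of files sharing one write time as in the listing above, is the timeline anchor for the rest of the investigation; the hashes are what to pivot on in whatever reputation source the investigation has available.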
PS C:\Users\Administrator> Get-EventLog -LogName Security -After 3/2/2019 -InstanceId 4672 | where {$_.Message -notmatch "SYSTEM"} | select *
  • Get-EventLog only exists in Windows PowerShell 5.1 and earlier; on PowerShell 7 use Get-WinEvent -FilterHashtable @{LogName='Security';ID=4672;StartTime='3/2/2019'} instead.
PS C:\TMP> Get-Content .\mim-out.txt
  • Invoking .\mim-out.txt directly hands the file to the program associated with .txt instead of printing it; Get-Content shows its contents in the console.
PS C:\> Get-ChildItem -Path C:\ -Include hosts -Recurse


Directory: C:\Windows\System32\drivers\etc


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/2/2019 5:31 PM 1236 hosts
PS C:\> cd C:\inetpub\wwwroot
PS C:\inetpub\wwwroot> dir


Directory: C:\inetpub\wwwroot


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/2/2019 4:37 PM 74853 b.jsp
-a---- 3/2/2019 4:37 PM 12572 shell.gif
-a---- 3/2/2019 4:37 PM 657 tests.jsp
PS C:\Windows> Get-NetFirewallRule -Direction Inbound | select DisplayName, DisplayGroup, @{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}}
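The query above resolves the port filter but not whether the rule is enabled, what action it takes, or which program it is bound to. The function below, an added example and not code from the writeup, restricts the output to enabled inbound allow rules and joins both the port and application filters, flagging rules bound to a program outside the Windows directory or carrying no DisplayGroup (built-in rules always belong to a group; rules added with netsh or New-NetFirewallRule usually do not). The function name is an assumption.

```powershell
# Added example, not part of the original writeup. Enabled inbound allow rules with
# their port and program filters resolved; NonWindows and a missing group are hints.
function Get-InboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            DisplayName = $rule.DisplayName
            Group       = $rule.DisplayGroup
            Profile     = $rule.Profile
            Protocol    = $port.Protocol
            LocalPort   = ($port.LocalPort -join ',')
            Program     = $app.Program            # 'Any' when the rule is not bound to a program
            NonWindows  = ($app.Program -and $app.Program -ne 'Any' -and
                           $app.Program -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)')
        }
    }
}

# Usage: rules that open a port for a non-Windows binary, or that no built-in group claims
Get-InboundAllowRule | Where-Object { $_.NonWindows -or ($null -eq $_.Group) } |
    Sort-Object LocalPort | Format-Table -AutoSize
```

Any rule that survives this filter should be matched against the listening processes (Get-NetTCPConnection -State Listen with OwningProcess) so that an allowed port is tied to the binary actually bound to it.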

References:

  1. TryHackMe-Investigating Windows: https://tryhackme.com/room/investigatingwindows
  2. Event ID 4624: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4624
  3. Event ID 4672: https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4672

Just another CyberSec Guy