DEV Community

loading...

Investigations in Windows on TryHackMe (1)

christalib profile image chris ・4 min read

I've been talking about Windows investigation last time with EVTX. Since then, I've been reading about investigations in Windows environment and warming up my Powershell.

On TryHackMe, there are a 3 "Investigating Windows" boxes (one, two, three ) and I thought it could be cool to go there. Those notes are more notes taken during the investigation than a write up. There are write ups online for the first box but they just give you the answer which really doesn't help you at all.

Information gathering

The first questions are about quick gathering of information, I've updated the commands used in my field manual.

A quick triage can be done with those common commands used in local reconnaissance:

hostname
systeminfo
systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
Enter fullscreen mode Exit fullscreen mode

Then go gather information about users and their login time:

net users
net localgroup users
net localgroup administrators
net user <NAME> | findstr /B /C:"Last logon"
Enter fullscreen mode Exit fullscreen mode

And some powershell magic for the latter part:

ForEach ($user in Get-LocalUser) {echo $user.Name $user.Lastlogon}
Enter fullscreen mode Exit fullscreen mode

It is also possible to look in the Event Viewer and search manually for those login information. I did it, it awfully slow, too much noise and prone to errors. The Event Viewer is a really strong and powerful tool, but as long as you look for really quick information, Powershell seems to be enough.

The next step, as it is to look for scheduled tasks that could link to persistence of some malwares.

You can open the task scheduler manager (check this link for some information on how to use it in forensics) or try to go through the command line:

Get-ScheduledTask

# in the first box there are a bunch of suspicious files in "\"

Get-ScheduledTask -TaskPath "\"
Get-ScheduledTask -TaskPath "<NAME>" | Get-ScheduledTaskInfo

# check what kind of actions is ran for each task to find malicious scripts:

Get-ScheduledTask -TaskPath "\" | Select-Object -Property TaskName -ExpandProperty Actions
Enter fullscreen mode Exit fullscreen mode

You should also look into AutoRuns at startup:

Get-CimInstance Win32_StartupCommand | Select-Object name, command, location, user | Format-List
Enter fullscreen mode Exit fullscreen mode

Attack context

Now, you should have a general overview of the attack on those machines. Writing notes really helped me remembering the steps and from now I will do it each time. It's of utmost important to be really attentive to each details you see and try to get in the head of the attacker. Especially not to loose yourself in a rabbit hole of logs.

You should have a general idea of the system you are in, the amount and levels of users, a potential time of infection and which user was breached. The scheduled tasks found are persistence. Check this files as well as the other files in that directory to answer further questions. You have a potential: what, when and how.

You can look into logs with Get-EventLogs (check that documentation, it rocks) and the information you gathered so far. I did the exercise again and I found it really hard to get there again without notes. I had to redo the entire thought process and it was quite painful. Especially as the first time, I got lucky and the second I got lost in the rabbit hole.

From my beginner understanding, you should look for a specific pattern with your first clues and not just "something suspicious". Those are simple exercises and it's already easy to get lost in there.

# Check the available logs

Get-Eventlogs -List

Get-EventLog -LogName "Security" -After "MM/DD/YYYY HH:MM:SS" -Before "MM/DD/YYYY HH:MM:SS" -Message "*Special*"
Get-EventLog -LogName "Security" -After "MM/DD/YYYY HH:MM:SS" -Before "MM/DD/YYYY HH:MM:SS" -InstanceId 4672 | Format-List
Enter fullscreen mode Exit fullscreen mode

Event ID 4672 is: special privileges assigned to new logon.

For network, check the host file:

Get-Content $env:SystemRoot\System32\Drivers\etc\hosts
Enter fullscreen mode Exit fullscreen mode

You can look with netsh and netstat for more information, but here it isn't useful so I won't get more into those.

Registry keys

The Windows Registry is a hierarchical database of system configuration. You will find there "keys" that set up the configuration. As here there is a user compromise, you might try to look for "HKCU" (HKEY_CURRENT_USER) for modifications.

You can filter the events like to those keys with the Process Monitor.

Windows Management Instrumentation (WMI)

WMI "consists of a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification." (Wikipedia)

I am so far not really familiar with those. But you can monitor those processes with this and that.

And for these exercises it should do the trick.

First stop

Ok, so far, you've conducted most of the investigation and I think those resources will help you answer the majority of questions.

For the Yara and Loki questions, you might want to refer to the Yara Room. It isn't too hard and most of the information are there.

I tried to understand each of those tools or at least, feel comfortable in searching and working with those. I will be looking for automation scripts or write my own in the future.

I hope you enjoyed these notes and I'll get to the 3rd box right away!

Discussion (0)

pic
Editor guide