Investigating Windows


systeminfo | findstr /B /C:"OS Name" /C:"OS Version"


net user


net user john


net user john | findstr "last"


Get-LocalUser | Select Name,LastLogon


RegEdit


In RegEdit, search for "net user" to find the IP the system first connects to when it boots up.


For admin privileges, run net user on all users.


Open Event Viewer, then the Security log, and spot something like this: ...TMP\p.exe -s \\


Open the Task Scheduler app and scroll down to the tasks whose names start with "clean".


Click on the task found above and look at the General, Triggers and Actions tabs in the Task Scheduler menu.


Here we find the answer to the question of what the name of the malicious scheduled task is.


Again, back in Task Scheduler, in the Task Scheduler Library, we find the task that is set to run daily.


Again, here we find the port this file listens on locally: TMP\p.exe -s \\


net user Jenny


Think! When did the file first run?


Again, inside the Task Scheduler there is a task called GAME OVER. Click on it (don't worry); it will show us the tool used to crack the passwords.


Go to the Registry (regedit) and locate "net user"; this will reveal the external command and control server's IP.


Locate the Windows equivalent of etc/hosts at C:\Windows\System32\drivers\etc\hosts.


Here you get the answers about the shell uploaded via the server's website, the last port opened, and the DNS poisoning.
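As an added example, not from the original post, the PowerShell script below gathers in one pass the artefacts the steps above check by hand: local users and last logon, Administrators membership, Run-key autostarts, scheduled tasks with their command lines and triggers, hosts-file entries, and Security-log process-creation events that mention p.exe. The report path and the "TMP\p.exe" patterns used for flagging are assumptions taken from this walkthrough; adjust them to the case at hand.

```powershell
# Added triage script (not part of the original post). Collects the artefacts the
# walkthrough inspects by hand into one report. The report path and the p.exe / TMP
# patterns used to flag suspicious tasks are assumptions for illustration.
$Report = "$env:USERPROFILE\Desktop\triage.txt"
"== OS ==" | Out-File $Report
systeminfo | Select-String '^OS (Name|Version)' | Out-File $Report -Append
"== Local users (last logon) ==" | Out-File $Report -Append
Get-LocalUser | Select-Object Name, Enabled, LastLogon |
    Sort-Object LastLogon -Descending | Format-Table -AutoSize | Out-File $Report -Append
"== Members of Administrators ==" | Out-File $Report -Append
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource |
    Format-Table -AutoSize | Out-File $Report -Append
"== Run / RunOnce autostarts (where boot-time persistence hides) ==" | Out-File $Report -Append
$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($k in $RunKeys) {
    if (Test-Path $k) {
        # Drop the PS* metadata properties so only the value names and commands remain
        Get-ItemProperty $k | Select-Object * -ExcludeProperty PS* |
            Format-List | Out-File $Report -Append
    }
}
"== Scheduled tasks (command, trigger class, last run; suspicious first) ==" | Out-File $Report -Append
Get-ScheduledTask | ForEach-Object {
    $info = $_ | Get-ScheduledTaskInfo
    $cmd  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    [pscustomobject]@{
        Task       = $_.TaskName
        Command    = $cmd
        Trigger    = ($_.Triggers | ForEach-Object { $_.CimClass.CimClassName }) -join '; '
        LastRun    = $info.LastRunTime
        Suspicious = [bool]($cmd -match 'TMP\\|p\.exe')   # assumed indicators from the walkthrough
    }
} | Sort-Object Suspicious -Descending | Format-Table -AutoSize -Wrap | Out-File $Report -Append
"== hosts file entries (DNS poisoning check) ==" | Out-File $Report -Append
Get-Content "$env:SystemRoot\System32\drivers\etc\hosts" |
    Where-Object { $_ -match '^\s*\d' } | Out-File $Report -Append
"== Security log: process creation (4688) mentioning p.exe ==" | Out-File $Report -Append
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4688} -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'p\.exe' } |
    Select-Object -First 20 TimeCreated, @{n = 'Detail'; e = { $_.Message -replace '\s+', ' ' }} |
    Format-List | Out-File $Report -Append
```

Run it from an elevated PowerShell session on the analysis VM; event 4688 only appears if process-creation auditing is enabled on that host.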


THANK YOU!!!!

#Forensics #investigatingwindows #learning #online #practice

@tryhackme

More articles from Asuman Lukwago