How to Investigate a Compromised Windows Machine (Tryhackme Writeup)


A Windows machine has been hacked, and your job is to investigate it and find clues to what the hacker might have done.

In this post, I share my thought process, tips & tricks, and methodology behind investigating a compromised Windows machine.

Head over to this TryHackMe URL and deploy this compromised machine: tryhackme.com/room/investigatingwindows

The real fun begins with answering the following questions :-)

Question 1. What's the version and year of the windows machine?

Answer: Well, I feel this question isn't very clear. At first, I thought of the version number plus the year, but quickly realized otherwise when it didn't accept that answer. The actual answer is Windows Server 2016.

Anyway, here are some possible methods to find the answer:

Method 1: Press Win+R, type winver, and press Enter.

Method 2: You can find similar information and more under Settings > About.

Method 3: Control Panel > System and Security > System


Question 2: Which user logged in last?

Answer: This is an interesting question. I spent some time learning how to find the last logon user. One way to find this information is through the Windows Event Viewer. In the “Event Viewer” window, in the left-hand pane, navigate to Windows Logs > Security, and look for events with Event ID 4624—these represent successful logon events.


Helpful resources:

  1. howtogeek.com/124313/how-to-see-who-logged-..

Question 3: When did John log onto the system last?

Answer: Type net user john in CMD, and there you go: the Last logon line of the output is the answer.

You can also narrow the output using net user username | findstr /C:"Last logon" (the /C: switch makes findstr match the whole phrase rather than either word on its own). That said, keep the expected answer format in mind.

Helpful resource:

  1. windows-commandline.com/last-logon-time-of-..

Question 4: What IP does the system connect to when it first starts?

Answer: To answer this, you need to be quick when the system starts up: the IP address appears in the CMD window that opens at boot. (I had to restart the Windows machine to find the IP address.)

Question 5: What two accounts had administrative privileges (other than the Administrator user)?

Answer: guest jenny


You can further check their privileges from CMD with net user accountname.

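As an added example (not part of the original writeup), the PowerShell below collects in one pass the facts that Questions 2, 3 and 5 are answered with by hand above: the most recent interactive logons from the Security log, the SAM last-logon time that net user reports, and the members of the local Administrators group. It assumes an elevated PowerShell prompt on the machine under investigation and the built-in LocalAccounts module that ships with Windows Server 2016.

```powershell
# Added triage script; run from an elevated PowerShell prompt on the investigated host.

# 1. Most recent successful logons (Event ID 4624) in the Security log.
#    LogonType 2 = interactive (console) and 10 = RemoteInteractive (RDP) are the
#    ones that answer "which user logged in last"; type 3 (network) and 5 (service)
#    logons are far noisier, so they are filtered out. Machine accounts end in '$'.
$logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = [int]$data.LogonType
            SourceIp  = $data.IpAddress
        }
    } |
    Where-Object { $_.LogonType -in 2, 10 -and $_.User -notmatch '\$$' }

$logons | Sort-Object Time -Descending | Select-Object -First 5 | Format-Table -AutoSize

# 2. Last logon time stored in the SAM for one account; this is the same value
#    that "net user john" prints on its Last logon line.
Get-LocalUser -Name 'John' | Select-Object Name, LastLogon, Enabled

# 3. Members of the local Administrators group. Anything beyond the built-in
#    Administrator here (for example Guest) is exactly what Question 5 asks for.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource
```

The event-log times and the SAM LastLogon value can disagree slightly, since the SAM field is only updated for certain logon types, so compare both before trusting one.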

I will add more questions and their answers as I proceed :-)