Windows Server 2016
Run systeminfo in cmd; the output includes this information, but you only need the OS Name parameter.
Administrator
Open Event Viewer and go to Windows Logs > Security > "Filter Current Log". Set the event ID to 4624 (successful logon) and go to the most recent entry that records a user logon rather than a machine or service account; logon type 2 (interactive) or 10 (RDP) entries are the ones that show somebody actually signed in.
03/02/2019 5:48:32 PM
You can sift through the 4624 events until you find the entry where user John logged in, or alternatively open a command prompt and run net user john, whose Last logon field gives the same information.
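Scrolling the filtered Security log by hand works on a lab box but is slow and easy to misread on a real host, because 4624 is also logged for machine accounts, services and the desktop window manager. The following PowerShell is an added example and not part of the original writeup: it parses the structured EventData of each 4624 event instead of the message text, filters out non-user accounts, and returns the newest logons first. The function name Get-UserLogons and the -User parameter are mine; the field names (TargetUserName, LogonType, IpAddress and so on) are the standard 4624 EventData names.

```powershell
# Added example (not from the original writeup). Parses Security event 4624 from
# the structured EventData instead of the message text, drops machine, service and
# window-manager accounts, and keeps interactive (2), network (3) and RDP (10) logons.
# Needs an elevated PowerShell on the box being investigated.
function Get-UserLogons {
    param(
        [string]$User,             # optional: restrict to one account, e.g. 'John'
        [int]$MaxEvents = 5000     # Get-WinEvent returns the newest events first
    )
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents $MaxEvents |
    ForEach-Object {
        # Every <Data Name="..."> element of the event XML becomes a hashtable entry
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = $data['TargetUserName']
            Domain    = $data['TargetDomainName']
            LogonType = [int]$data['LogonType']
            SourceIP  = $data['IpAddress']
            Process   = $data['ProcessName']
        }
    } |
    Where-Object {
        $_.LogonType -in @(2, 3, 10) -and
        $_.User -notmatch '\$$' -and                  # computer accounts end in $
        $_.User -notmatch '^(DWM|UMFD)-' -and         # desktop window manager accounts
        $_.User -notin @('SYSTEM', 'ANONYMOUS LOGON') -and
        (-not $User -or $_.User -eq $User)
    } |
    Sort-Object Time -Descending
}

# Ten most recent user logons on the host, then John's most recent one
Get-UserLogons | Select-Object -First 10 | Format-Table -AutoSize
Get-UserLogons -User 'John' | Select-Object -First 1 | Format-List
```

The SourceIP column is what separates a console logon (blank or "-") from a remote one, and Process shows which logon process (winlogon, svchost for RDP, and so on) produced the event. To run this against an exported log rather than the live box, swap the -FilterHashtable call for Get-WinEvent -Path <file>.evtx -FilterXPath "*[System[EventID=4624]]".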
10.34.2.3
As this connection is made every time the machine starts, look in the Run registry key. Values under Run are executed at every logon (the HKEY_LOCAL_MACHINE copy applies to any user who logs on, the HKEY_CURRENT_USER copy only to that user), whereas a value under RunOnce is executed once and then deleted. The key in question is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
jenny, guest
If we run net user we can see the user accounts on this machine; running net user <name> for each one shows its group memberships and therefore what permissions it has.
Clean file system
If we open Task Scheduler we can see several suspicious tasks, but one that sticks out is Clean file system: it runs nc.ps1, a PowerShell implementation of netcat, with arguments that open a listener on port 1348.
nc.ps1
This is shown in the task's Actions tab (see the Q6 screenshot).
1348
Also in the Actions tab: the port is part of the arguments passed to nc.ps1 (see the Q6 screenshot).
Never
Running net user Jenny shows the Last logon field, which reads Never.
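Running net user once per account gets tedious and the output has to be read by eye. As an added example (not part of the original writeup), the PowerShell below produces the same facts for every local account in one table: enabled state, last logon, when the password was last set, and membership of the privileged local groups. The function name Get-LocalAccountReport and the choice of groups are mine; Get-LocalUser and Get-LocalGroupMember are the built-in cmdlets (Windows 10 / Server 2016 and later).

```powershell
# Added example (not from the original writeup). One row per local account with the
# fields net user prints one account at a time, plus privileged group membership.
function Get-LocalAccountReport {
    $groups = 'Administrators', 'Remote Desktop Users', 'Remote Management Users', 'Backup Operators'

    # Build a user -> groups map once instead of calling net user per account
    $membership = @{}
    foreach ($g in $groups) {
        Get-LocalGroupMember -Name $g -ErrorAction SilentlyContinue |
            Where-Object { $_.ObjectClass -eq 'User' } |
            ForEach-Object {
                $name = ($_.Name -split '\\')[-1]        # strip the COMPUTERNAME\ prefix
                $membership[$name] = @($membership[$name]) + $g
            }
    }

    Get-LocalUser | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogon       = $_.LastLogon         # empty here is what net user prints as 'Never'
            PasswordLastSet = $_.PasswordLastSet   # equals creation time if the password was never changed
            Groups          = (@($membership[$_.Name] | Where-Object { $_ }) -join ', ')
        }
    }
}

# Oldest password-set time first, so accounts created together cluster
Get-LocalAccountReport | Sort-Object PasswordLastSet | Format-Table -AutoSize
```

Sorting on PasswordLastSet is the quick way to spot a batch of accounts created in one sitting. If account-management auditing is enabled, Security event 4720 (a user account was created) gives the creation time directly and names the account that did it.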
03/02/2019
Task Scheduler history is disabled and Event Viewer has no record of when these tasks were created, so instead we refer back to the accounts that were created or used in this compromise. Looking at Guest, Jenny and Johnny (net user <name> shows Password last set, which for an account that has never changed its password is its creation time), all three accounts were made on the same day. That is the date we are looking for.
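Even with the Task Scheduler operational log disabled, each task is stored as an XML file under C:\Windows\System32\Tasks, and that file's creation time survives. The PowerShell below is an added example, not code from the writeup; it serves both the task enumeration for Q6 to Q8 and the dating problem for Q12. It lists every task with the command it runs, its registration date, last run time and the XML file's creation time, and flags actions that mention PowerShell, netcat or a temp directory. The function name Get-TaskInventory and the suspicious-pattern list are mine.

```powershell
# Added example (not from the original writeup). Inventories scheduled tasks with
# their actions and timestamps; the task XML file's CreationTime is a fallback for
# "when was this task created" when the TaskScheduler operational log is off.
function Get-TaskInventory {
    $taskRoot = Join-Path $env:SystemRoot 'System32\Tasks'
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $info = $task | Get-ScheduledTaskInfo
        # TaskPath is '\' or '\Microsoft\Windows\...'; the XML sits at the same relative path
        $xmlFile = Join-Path $taskRoot ($task.TaskPath.TrimStart('\') + $task.TaskName)
        $file = Get-Item -LiteralPath $xmlFile -ErrorAction SilentlyContinue
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            [pscustomobject]@{
                Task       = $task.TaskPath + $task.TaskName
                Author     = $task.Author
                Registered = $task.Date            # RegistrationInfo/Date, attacker-controlled, may be blank
                State      = $task.State
                Command    = $cmd
                LastRun    = $info.LastRunTime
                XmlCreated = $file.CreationTime    # filesystem timestamp, harder to forge from inside the task
                Suspicious = $cmd -match 'powershell|\bnc\b|netcat|\\tmp\\|\\temp\\|\.ps1|mimikatz'
            }
        }
    }
}

# Everything flagged, oldest XML first, so tasks registered together line up
Get-TaskInventory | Where-Object { $_.Suspicious } | Sort-Object XmlCreated | Format-List
```

Two further sources for the creation date: Security event 4698 (a scheduled task was created) if object-access auditing was on, and the TaskScheduler operational log once re-enabled with wevtutil set-log Microsoft-Windows-TaskScheduler/Operational /enabled:true, which helps for anything the attacker does after you start looking.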
03/02/2019 4:04:49 PM
I had to use the hint for this one and am unsure why this is the answer, as there are successful logons before this one.
mimikatz
Going back to Task Scheduler, one of the tasks runs a program called mim.exe from the \TMP\ directory. Browsing to that directory shows all the files belonging to the malicious program, and opening the text file mim-out reveals its output, which identifies the program as mimikatz.
76.32.97.132
The hosts file is a plain text file that maps host names to IP addresses and is consulted before DNS. On Windows it is located at C:\Windows\System32\drivers\etc\hosts.
Opening it, we can see the attackers added their own IP address and mapped it to google.com.
.jsp
inetpub is the default content folder for Microsoft Internet Information Services (IIS); website content and web applications are stored under it, normally in C:\inetpub\wwwroot. This machine had an exposed IIS server and the shell was uploaded through it, which is why the file sits in this folder.
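Browsing wwwroot finds the shell here because the box is small; on a real server the web root has thousands of files. The PowerShell below is an added example (not from the original writeup) of the usual hunt: list every script or binary under the IIS content root, newest first, and note files whose creation time is newer than their modification time, which is the signature of a file copied or uploaded in rather than edited in place. The function name Find-WebScripts and the extension list are mine; the root defaults to the standard C:\inetpub\wwwroot.

```powershell
# Added example (not from the original writeup). Finds script and binary files
# under the IIS content root(s), newest first, and flags files that were copied
# in (CreationTime newer than LastWriteTime) rather than written in place.
function Find-WebScripts {
    param(
        [string[]]$Roots = @('C:\inetpub\wwwroot'),
        [datetime]$Since = [datetime]::MinValue     # raise this to narrow the window
    )
    $ext = '\.(jsp|jspx|asp|aspx|ashx|asmx|php|cfm|pl|ps1|bat|exe|dll)$'
    foreach ($root in $Roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem -Path $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -match $ext -and $_.LastWriteTime -ge $Since } |
            ForEach-Object {
                [pscustomobject]@{
                    Path     = $_.FullName
                    Size     = $_.Length
                    Created  = $_.CreationTime
                    Modified = $_.LastWriteTime
                    CopiedIn = $_.CreationTime -gt $_.LastWriteTime
                }
            }
    }
}

Find-WebScripts | Sort-Object Created -Descending | Format-Table -AutoSize
```

Once the shell's path is known, the IIS request logs (by default under C:\inetpub\logs\LogFiles) show when it was first requested and from which client address, which usually dates the upload more precisely than the file timestamps.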
1337
If we open Windows Firewall with Advanced Security and check the inbound rules, the most recently added rule allows any outside connection to port 1337.
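The rule list in the GUI does not show ports or remote addresses without opening each rule. As an added example (not part of the original writeup), the PowerShell below lists every enabled inbound allow rule with its protocol, local port, permitted remote addresses and program, and marks rules that carry no DisplayGroup, which is how hand-added rules usually differ from the built-in ones. The function name Get-InboundAllowRules is mine; the Get-NetFirewall* cmdlets come with Windows Server 2012 and later.

```powershell
# Added example (not from the original writeup). Joins each inbound allow rule to
# its port, address and application filters so a rule opening a port to any remote
# host is visible in one row.
function Get-InboundAllowRules {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $rule = $_
        $port = $rule | Get-NetFirewallPortFilter
        $addr = $rule | Get-NetFirewallAddressFilter
        $app  = $rule | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Name       = $rule.DisplayName
            Profile    = $rule.Profile
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = $addr.RemoteAddress      # 'Any' means the whole internet if the host is exposed
            Program    = $app.Program
            Group      = $rule.DisplayGroup
            # Built-in rules belong to a DisplayGroup; rules added by hand or by a script usually do not
            Custom     = [string]::IsNullOrEmpty($rule.DisplayGroup)
        }
    }
}

Get-InboundAllowRules | Where-Object { $_.Custom } | Format-Table -AutoSize
```

Firewall rules have no creation timestamp of their own. If the MPSSVC rule-level policy change audit subcategory was enabled, Security event 4946 records each rule addition with its name; otherwise the rule is stored as a value under HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules and the key's last-write time gives only an upper bound.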
google.com
Going back to the hosts file, the attackers mapped their IP address to the google.com domain.
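The hosts file is short enough to read by eye here, but a real one can carry hundreds of commented and blank lines that hide one malicious entry. The PowerShell below is an added example, not the writeup's own code, covering both hosts-file questions above: it parses the file, ignores comments, expands lines that map several names to one address, and flags any name that resolves to something other than a loopback address. It also prints the file's last-write time, which dates the edit. The function name Get-HostsOverrides is mine.

```powershell
# Added example (not from the original writeup). Parses the Windows hosts file and
# flags entries that point a hostname at a non-loopback address.
function Get-HostsOverrides {
    param([string]$Path = "$env:SystemRoot\System32\drivers\etc\hosts")
    Get-Content -LiteralPath $Path | ForEach-Object {
        $line = ($_ -split '#')[0].Trim()          # drop full-line and trailing comments
        if (-not $line) { return }
        $fields = $line -split '\s+'
        if ($fields.Count -lt 2) { return }        # an address with no name is not a mapping
        $ip = $fields[0]
        # One line may map several names to the same address; emit one row per name
        foreach ($name in $fields[1..($fields.Count - 1)]) {
            [pscustomobject]@{
                IP         = $ip
                Hostname   = $name
                Suspicious = $ip -notin @('127.0.0.1', '::1')
            }
        }
    }
}

# When the file was last changed, then every non-loopback mapping it contains
(Get-Item "$env:SystemRoot\System32\drivers\etc\hosts").LastWriteTime
Get-HostsOverrides | Where-Object { $_.Suspicious } | Format-Table -AutoSize
```

A mapping like this silently redirects every process on the host that resolves google.com, including the browser's TLS connection, so it is worth pairing the finding with the firewall rule and the Run key entry to see whether they share the same attacker address.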