cybportdal - windows investigation

Windows Investigation

Scenario

A windows machine has been hacked, its your job to go investigate this windows machine and find clues to what the hacker might have done.

Introduction

Windows systems are often the primary target in cyber attacks, making proper investigation essential. My work involves analyzing event logs, registry changes, user activity, and system artifacts to uncover traces of malicious behavior. By reconstructing attacker actions and identifying persistence methods, I help detect compromises early and strengthen overall system defenses.

Methodology

Step 1: Check user's activity.

We need to identify who were the last to log into the machine and know which activities to trace.

figure 1: First run our windows powershell as administrator

figure 2: Find users who last logged in as administrator.

NB: We have the Administrator, Guest and Jenny.

figure 3: Admin login activity

NB: We realise that the last time the admin logged in was on the 9/22/2025 1:19:19 AM

figure 4: John log in activity

NB: We realise that the last time the John logged in was on the 3/2/2019 5:48:32 PM

The reason why we only verify John's activity's and Administrator's activities is because they were the last to logged into the system (Didn't take the screenshot). To do this, you use the command

net user

This will display all the users that first logged in. In this case, John was the one who last logged in and we'll be checking his activities further.

Step 2: Identifying Scheduled task that's malicious

figure 5: Checking Scheduled file (using task scheduler)

NB: The scheduled file that seemed malicious is 'Clean File System' as it contains a PowerShell file (nc.ps1) that listens to port 1348

figure 6: Find the tool used to collect windows passwords from the system.

NB: Locate the malicious file location and from there, you'll spot a mimikatz executable file (that's the file that was scheduled to run on the system).

figure 7: Checking for any DNS poisoning

NB: To locate the file, you'll go to LocalDisk(C:) > Windows > system32 > drivers > etc > hosts

figure 8: Checking for any DNS poisoning

NB: We realise that google.com was targeted in this case

Conclusion

The investigation confirmed that the Windows system was compromised through the execution of a malicious file, which enabled the attacker to perform unauthorized activities. Evidence of persistence techniques, suspicious user activity, and system modifications were observed, highlighting the risks of data exposure and system instability.

Based on these findings, I recommend immediate removal of the malicious artifacts, resetting affected credentials, reviewing account privileges, and implementing stricter monitoring through logs and endpoint detection tools. Strengthening patch management and user awareness can also help reduce the risk of similar compromises in the future.