Back to Writeups

Investigating Windows Walkthrough

Windows Digital Forensics & Incident Response

Published: September 30, 2025 Difficulty: Easy

Investigating Windows is a digital forensics challenge on TryHackMe that teaches incident response and forensic analysis techniques on Windows systems. Learn to analyze event logs, identify malicious activities, detect credential dumping, and uncover indicators of compromise.

Initial Connection & Setup

RDP Connection to Target

Objective: Connect to the Windows machine for forensic investigation.

Use xfreerdp to establish a remote desktop connection:

xfreerdp /u:<Username> /p:<Password> /v:<Target_IP>

Alternative RDP Clients:

# Using rdesktop
                    rdesktop -u <Username> -p <Password> <Target_IP>

                    # Using Remmina (GUI)
                    remmina

                    # Windows built-in
                    mstsc.exe

Connection Tips:

  • Use full screen mode for better investigation: /f
  • Enable clipboard sharing: /clipboard
  • Adjust resolution: /size:1920x1080

Key Learnings:

Remote desktop access allows forensic investigators to interact with compromised systems while preserving evidence. RDP is commonly used for Windows incident response and forensic analysis.

System Information Analysis

Operating System Identification

Objective: Determine the Windows version and build information.

Access System Information through multiple methods:

Method 1: GUI - System Properties

  1. Right-click "This PC" or "My Computer"
  2. Select "Properties"
  3. Review system information

Method 2: System Information Tool

msinfo32

Method 3: Command Line

systeminfo | findstr /B /C:"OS Name" /C:"OS Version"
🚩 OS Version: Windows Server 2016

Key Learnings:

Identifying the operating system version is crucial for understanding available security features, known vulnerabilities, and appropriate investigation techniques.

User Account Analysis

Objective: Identify user accounts and their group memberships.

Computer Management Investigation:

  1. Open Computer Management: compmgmt.msc
  2. Navigate to "Local Users and Groups"
  3. Click on "Users" to view all accounts
  4. Double-click each user to examine group memberships

Command Line Method:

# List all local users
net user

# Get detailed information about specific user
net user Jenny

Jenny's Account Details:

User name                    Jenny
Full Name                    Jenny
Account active               Yes
Account expires              Never
Password last set            3/2/2019 4:52:25 PM
Password expires             Never
Last logon                   Never
Local Group Memberships      *Administrators       *Users

Suspicious Findings:

🚩 Accounts that are part of the Administrators group: Guest, Jenny
🚩 When was Jenny's password last set? 03/02/2019
🚩 When did Jenny last logon? Never

Analysis:

Jenny is part of the Administrators group but has never logged in, which is highly suspicious. This could indicate a backdoor account created by an attacker.

Key Learnings:

Accounts with administrative privileges that have never been used are red flags during incident response. Guest accounts should typically be disabled and never have administrative rights.

Startup Programs Analysis

Objective: Identify programs configured to run at system startup.

System Information Method:

  1. Open System Information: msinfo32
  2. Expand "Software Environment"
  3. Click on "Startup Programs"
  4. Review the list for suspicious entries

Alternative Methods:

# Task Manager - Startup tab
taskmgr

# Registry locations
reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run
reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run

# Autoruns (Sysinternals)
autorunsc.exe
🚩 Suspicious startup IP: 10.34.2.3

Key Learnings:

Persistence mechanisms often use startup locations. Malware frequently adds itself to autostart entries to survive reboots.

Windows Event Log Analysis

Security Event Log Investigation

Objective: Analyze Windows Event Logs to identify user activity and security events.

Accessing Event Viewer:

eventvwr.msc

First Administrator Logon Discovery:

  1. Navigate to Windows Logs → Security
  2. Filter for Event ID 4624 (Successful logon)
  3. Sort by date to find earliest logon
  4. Look for Administrator account logons
🚩 When did the first Administrator logon occur? Administrator

John's Activity Timeline:

  1. In Event Viewer, use Find feature (Ctrl+F)
  2. Search for "John" in the security logs
  3. Review matching events for activity patterns
🚩 John's logon event: 03/02/2019 5:48:32 PM

Key Event IDs for Investigation:

  • 4624: Successful logon
  • 4625: Failed logon attempt
  • 4672: Special privileges assigned
  • 4720: User account created
  • 4722: User account enabled
  • 4738: User account changed

Key Learnings:

Windows Event Logs provide a detailed audit trail of system activities. Security logs are crucial for incident response and forensic investigations.

Suspicious Logon Analysis

Objective: Identify anomalous authentication events indicating potential compromise.

A suspicious security log entry was discovered:

Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          3/2/2019 4:04:49 PM
Event ID:      4624
Task Category: Logon
User:          N/A

Logon Information:
  Logon Type:  5
  
New Logon:
  Security ID:  SYSTEM
  Account Name: SYSTEM
  
Process Information:
  Process Name: C:\Windows\System32\services.exe
🚩 Suspicious logon timestamp: 03/02/2019 4:04:49 PM

Logon Type Analysis:

  • Type 2: Interactive (console logon)
  • Type 3: Network (file shares, etc.)
  • Type 5: Service (services starting)
  • Type 7: Unlock (workstation unlocked)
  • Type 10: RemoteInteractive (RDP)

Key Learnings:

Understanding logon types helps differentiate between normal system activity and potential intrusions. Type 5 logons are typically benign service starts, but timing and context matter.

Malware and Persistence Detection

Scheduled Task Analysis

Objective: Identify malicious scheduled tasks used for persistence.

Task Scheduler Investigation:

  1. Open Task Scheduler: taskschd.msc
  2. Navigate to Task Scheduler Library
  3. Review active tasks for suspicious entries
  4. Examine task actions and triggers
🚩 Suspicious scheduled task: Clean File System

Task Details Analysis:

Examining the "Clean File System" task reveals:

  • Action: C:\TMP\nc.ps1 -l 1348
  • Script: nc.ps1 (NetCat PowerShell script)
  • Port: 1348
🚩 Malicious script name: nc.ps1
🚩 Listening port: 1348

Command Line Task Enumeration:

# List all scheduled tasks
schtasks /query /fo LIST /v

# Export task details
schtasks /query /tn "Clean File System" /xml

Key Learnings:

Scheduled tasks are commonly abused for persistence. NetCat scripts in scheduled tasks indicate backdoor access mechanisms. Always verify task legitimacy and examine their actions.

Credential Dumping Detection

Objective: Identify evidence of credential theft tools and extracted passwords.

Navigate to C:\TMP\ directory and discover:

  • mim.exe - Mimikatz executable
  • mim-out.txt - Mimikatz output file

Mimikatz Output Analysis:

mimikatz(powershell) # sekurlsa::logonpasswords

User Name         : Ion
Domain            : Ion-PC
NTLM              : a4a9436b46f7e948b2417435b63d6cac
Password          : MySecretP4ass
🚩 Tool used for credential dumping: mimikatz

Mimikatz Indicators:

  • Executable often named: mim.exe, m64.exe, mimikatz.exe
  • Dumps LSASS process memory
  • Extracts plaintext passwords, NTLM hashes, Kerberos tickets
  • Common commands: sekurlsa::logonpasswords, lsadump::sam

Detection Methods:

# Check for suspicious processes
tasklist | findstr "mim"

# Review process command lines
wmic process get name,commandline | findstr "sekurlsa"

# Check for LSASS access
Get-WinEvent -FilterHashtable @{LogName='Security';ID=4656} | Where-Object {$_.Message -like "*lsass.exe*"}

Key Learnings:

Mimikatz is a powerful post-exploitation tool used by attackers to extract credentials from memory. Its presence indicates a serious compromise requiring immediate incident response.

Web Shell Detection

Objective: Identify malicious web shells planted for persistent remote access.

Investigate the web server directory C:\inetpub\wwwroot\:

03/02/2019  04:37 PM            74,853 b.jsp
03/02/2019  04:37 PM            12,572 shell.gif
03/02/2019  04:37 PM               657 tests.jsp

Web Shell Indicators:

  • Unusual file extensions in webroot (.jsp, .jspx, .aspx)
  • Recently modified files with suspicious names
  • Files uploaded on the same date as suspicious activity
  • Image files with executable code (shell.gif)

Analyzing b.jsp Content:

Examination of b.jsp reveals malicious code patterns:

  • Command execution capabilities
  • File upload/download functions
  • Database access code
  • Obfuscated code sections
🚩 Web shell file extension: .jsp

Web Shell Detection Commands:

# Find recently modified web files
forfiles /P C:\inetpub\wwwroot /S /D +01/01/2019 /C "cmd /c echo @path @fdate"

# Search for suspicious strings in files
findstr /S /I "eval(" C:\inetpub\wwwroot\*
findstr /S /I "cmd.exe" C:\inetpub\wwwroot\*

Key Learnings:

Web shells provide attackers with persistent access to compromised web servers. JSP files on Windows servers (typically running IIS) suggest Tomcat or similar Java application servers are present.

Network Forensics & IOCs

HOSTS File Analysis

Objective: Identify DNS hijacking and malicious redirections.

Examine the Windows HOSTS file at C:\Windows\System32\drivers\etc\hosts:

10.2.2.2        update.microsoft.com 
127.0.0.1       www.virustotal.com 
127.0.0.1       www.www.com 
127.0.0.1       dci.sophosupd.com 
76.32.97.132    google.com
76.32.97.132    www.google.com

Suspicious Entries Identified:

  • update.microsoft.com redirected to 10.2.2.2 (blocks updates)
  • www.virustotal.com redirected to localhost (prevents malware scanning)
  • dci.sophosupd.com redirected to localhost (blocks antivirus updates)
  • google.com redirected to 76.32.97.132 (potential phishing)
🚩 Malicious IP redirecting Google: 76.32.97.132

HOSTS File Hijacking Impact:

  • Prevents Windows updates and security patches
  • Blocks access to security tools (VirusTotal, Sophos)
  • Redirects legitimate traffic to attacker infrastructure
  • Enables man-in-the-middle attacks

Key Learnings:

HOSTS file modification is a common malware persistence and defense evasion technique. Attackers use it to block security updates and redirect traffic to malicious servers.

Firewall Rule Analysis

Objective: Identify malicious firewall rules allowing unauthorized access.

Windows Firewall Investigation:

  1. Open Windows Firewall with Advanced Security: wf.msc
  2. Navigate to Inbound Rules
  3. Look for suspicious custom rules
  4. Examine rule details for ports and programs

Suspicious Rule Found:

Rule Name: "Allow outside connections for developer"

  • Action: Allow
  • Direction: Inbound
  • Port: 1337
  • Protocol: TCP
🚩 Malicious firewall rule port: 1337

Command Line Firewall Enumeration:

# List all firewall rules
netsh advfirewall firewall show rule name=all

# Export firewall configuration
netsh advfirewall export "C:\firewall-backup.wfw"

# Check specific port
netsh advfirewall firewall show rule name=all | findstr "1337"

Key Learnings:

Attackers create firewall rules to ensure their backdoors remain accessible. Port 1337 is a well-known "leet speak" port often used by hackers. Legitimate developer access should use standard ports and proper authentication.

DNS Cache Analysis

Objective: Examine DNS resolution history for indicators of compromise.

Display the DNS resolver cache:

ipconfig /displaydns

DNS Cache Analysis:

The DNS cache reveals recent domain resolutions, including:

🚩 Suspicious domain in DNS cache: google.com

Cross-referencing with HOSTS file shows google.com was redirected to 76.32.97.132, indicating DNS hijacking was active.

Additional DNS Forensics Commands:

# Clear DNS cache (for remediation)
ipconfig /flushdns

# Check DNS server configuration
ipconfig /all | findstr "DNS"

# View DNS client events
Get-WinEvent -LogName "Microsoft-Windows-DNS-Client/Operational" -MaxEvents 100

Key Learnings:

DNS cache analysis can reveal communication with command and control servers, phishing domains, or evidence of DNS hijacking. Combined with HOSTS file analysis, it provides a complete picture of DNS-based attacks.

Investigation Summary

Complete Incident Timeline

Attack Chain Reconstruction:

  1. Initial Compromise (Before 03/02/2019 4:04:49 PM): Attacker gained initial access
  2. Persistence Establishment: Created backdoor account (Jenny), modified HOSTS file
  3. Credential Theft (03/02/2019): Used Mimikatz to dump credentials
  4. Web Shell Deployment (03/02/2019 4:37 PM): Planted JSP web shells
  5. Defense Evasion: Added firewall rules, blocked security sites, created scheduled tasks

All Flags Discovered:

System Information:
• OS Version: Windows Server 2016
• Startup IP: 10.34.2.3

User Account Analysis:
• First Admin logon: Administrator
• Admin group members: Guest, Jenny
• Jenny password set: 03/02/2019
• Jenny last logon: Never

Event Log Findings:
• John's logon: 03/02/2019 5:48:32 PM
• Suspicious logon: 03/02/2019 4:04:49 PM

Malware & Persistence:
• Scheduled task: Clean File System
• Malicious script: nc.ps1
• Listening port: 1348
• Credential tool: mimikatz
• Web shell extension: .jsp

Network IOCs:
• Malicious Google IP: 76.32.97.132
• Firewall rule port: 1337
• DNS cache entry: google.com

Indicators of Compromise (IOCs):

  • Files: C:\TMP\nc.ps1, C:\TMP\mim.exe, C:\inetpub\wwwroot\b.jsp
  • Registry: Scheduled task "Clean File System"
  • Network: Port 1337 and 1348 listeners
  • Accounts: Suspicious user "Jenny" with admin rights
  • HOSTS: Multiple malicious redirections

Technical Skills Demonstrated:

  • Windows Event Log analysis and correlation
  • User account and privilege enumeration
  • Scheduled task forensics
  • Credential dumping tool identification
  • Web shell detection and analysis
  • HOSTS file forensics
  • Firewall rule analysis
  • DNS cache investigation
  • Timeline reconstruction

Incident Response Actions Required:

  • Immediate:
    • Isolate affected system from network
    • Disable Jenny account
    • Kill malicious processes and scheduled tasks
    • Block malicious IPs at firewall
  • Short-term:
    • Remove web shells from IIS directories
    • Restore clean HOSTS file
    • Remove malicious firewall rules
    • Force password reset for all users
  • Long-term:
    • Full malware scan and system rebuild
    • Review all administrative accounts
    • Implement enhanced monitoring
    • Patch management and security hardening

Lessons Learned:

  • Regular auditing of administrative accounts prevents backdoor persistence
  • HOSTS file monitoring detects DNS hijacking attempts
  • Scheduled task review identifies malicious persistence mechanisms
  • Web application directories require continuous monitoring
  • Firewall rule audits prevent unauthorized access
  • Event log analysis provides crucial timeline information