Investigating Windows - TryHackMe Walkthrough
Introduction: A Windows machine has been hacked. It's your job to investigate this Windows machine and find clues to what the hacker might have done.

Chapters:
0:00 - Room Introduction
3:26 - Event Viewer - Security Log Forensics
6:45 - Net Users - User Enumeration
7:33 - Investigation Tools - ProcExp, Autoruns and TcpView
9:17 - Process Explorer - Process Forensics
10:42 - Autoruns - Windows Persistence Investigation
16:27 - Task Scheduler - Investigation of Scheduled Entries
23:18 - Process Explorer - Command Line Forensics
24:18 - Mimikatz - Log File Analysis
25:57 - Hosts File - DNS Cache Poisoning Check
27:16 - WebShell - JSP-based Reverse Shell
28:33 - Windows Firewall - Log Analysis
29:31 - DNS Poisoning

Topics Covered:
- Event Viewer log examination to check for logons and special privileges
- Windows command line forensics
- Attacker artifacts and indicators of compromise in the inetpub folder, event logs, scheduled tasks and /etc/hosts file

Tools Visualized: #Mimikatz #rdp #Process_Explorer #Autoruns #TcpView #DnsPoisoning #EventViewer #net_User #netcat #winver

Room Link: https://tryhackme.com/room/investigatingwindows
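The walkthrough above checks each artifact by hand in the GUI tools. As an added example (not from the video, the room, or TryHackMe), the PowerShell script below collects the same evidence sources into one triage report: Security log logons and special-privilege assignments, local users, scheduled tasks, process command lines, the hosts file, script files under the IIS web root, live TCP connections, and the Windows Firewall log. It assumes the default paths C:\inetpub and %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log; Event IDs 4624 and 4672 are the standard Windows Security log IDs for a successful logon and for special privileges assigned to a new logon.

```powershell
# Added triage script for the artifacts the walkthrough inspects manually.
# Not part of the TryHackMe room. Run in an elevated PowerShell on the
# machine under investigation; paths marked "assumed" are Windows defaults.

$Report = [ordered]@{}

# 1. Security log: 4624 = successful logon, 4672 = special privileges assigned.
#    LogonType 10 is RemoteInteractive (RDP), 3 is network, 2 is interactive.
$Report.Logons = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624, 4672 } `
        -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        # 4624 names the logging-on account in Target*, 4672 names it in Subject*.
        $user = if ($data['TargetUserName']) { "$($data['TargetDomainName'])\$($data['TargetUserName'])" }
                else { "$($data['SubjectDomainName'])\$($data['SubjectUserName'])" }
        [pscustomobject]@{
            Time       = $_.TimeCreated
            EventId    = $_.Id
            User       = $user
            LogonType  = $data['LogonType']
            SourceIp   = $data['IpAddress']
            Privileges = $data['PrivilegeList']
        }
    }

# 2. Local accounts (the "net user" step), including disabled ones.
$Report.Users = Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description

# 3. Scheduled tasks with the command each one runs (the Task Scheduler step).
$Report.ScheduledTasks = Get-ScheduledTask | ForEach-Object {
    [pscustomobject]@{
        Task    = $_.TaskPath + $_.TaskName
        State   = $_.State
        Author  = $_.Author
        Action  = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
    }
}

# 4. Running processes with full command line and parent (the Process Explorer step).
$procs = Get-CimInstance Win32_Process
$byPid = @{}
foreach ($p in $procs) { $byPid[$p.ProcessId] = $p.Name }
$Report.Processes = $procs | ForEach-Object {
    [pscustomobject]@{
        Pid         = $_.ProcessId
        Name        = $_.Name
        Parent      = $byPid[$_.ParentProcessId]
        CommandLine = $_.CommandLine
    }
}

# 5. Hosts file: every active (non-comment) mapping is worth reviewing, since a
#    redirected hostname here overrides DNS for the whole machine.
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$Report.HostsEntries = Get-Content $hostsPath -ErrorAction SilentlyContinue |
    Where-Object { $_ -match '^\s*[^#\s]' }

# 6. Script files under the IIS web root (assumed default path C:\inetpub),
#    newest first, to surface recently dropped server-side scripts.
$Report.WebRootScripts = Get-ChildItem -Path 'C:\inetpub' -Recurse -File `
        -Include '*.jsp', '*.aspx', '*.asp', '*.php' -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending |
    Select-Object FullName, Length, LastWriteTime

# 7. Live TCP connections mapped to the owning process (the TcpView step).
$Report.Connections = Get-NetTCPConnection -State Established, Listen -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = $_.State
            Pid     = $_.OwningProcess
            Process = $byPid[[uint32]$_.OwningProcess]
        }
    }

# 8. Windows Firewall log (assumed default path; only present if logging is enabled).
$fwLog = Join-Path $env:SystemRoot 'System32\LogFiles\Firewall\pfirewall.log'
$Report.FirewallLogTail = if (Test-Path $fwLog) { Get-Content $fwLog -Tail 200 } else { 'firewall logging not enabled' }

# Write a timestamped JSON report so the evidence can be reviewed off-host.
$out = Join-Path $env:TEMP ("triage-{0:yyyyMMdd-HHmmss}.json" -f (Get-Date))
$Report | ConvertTo-Json -Depth 4 | Set-Content -Path $out -Encoding UTF8
Write-Host "Triage report written to $out"
```

Review the report against what the room teaches: RDP logons (LogonType 10) from unexpected source addresses, accounts you did not create, tasks whose Action points at a script in a user-writable directory, shells or listeners whose parent is the web server process, hosts entries that redirect legitimate domains, and recently written JSP files under the web root.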