Room Banner

Compromised Windows Analysis

Learn about some key forensic artifacts and solve an interesting case of a compromised Windows workstation.

easy

75 min

Room progress ( 0% )

To access material, start machines and answer questions login.

Task 1Introduction

A cyber incident is any malicious and unauthorized activity compromising systems or data’s confidentiality, integrity, or availability. The vast figures of Windows OS usage in desktop computers and laptops worldwide draw our attention to Windows forensics and incident response. Conducting detailed Windows forensics to analyze an incident’s root cause is always exciting and full of learning.

Case

TKM is a tech startup with a few employees, including a junior security engineer, Joe. He ensures the company’s security remains intact. On the 29th of March, 2025, Joe observed some suspicious traffic (SSH Connections) to a malicious IP address from one of the employee’s (Aashir) host. Joe also observed that the connection attempts repeated after precisely one minute and were refused every time. Joe blocks the IP over the network and contains the host immediately. After conducting the initial investigation, Joe found that Aashir was unaware of this connection and observed a prompt on the screen after every minute. Aashir also found the built-in antivirus, Windows Defender, turned off.

TKM wants us to investigate Aashir’s workstation in detail and analyze the root cause of the subject activity. 

Learning Objectives

In this room, we will dive into the investigation of the victim’s compromised Windows OS. Following are the learning objectives you would take away after the completion of this room:

  • Analyzing attacker’s footprints for root cause analysis
  • Investigating the persistence of attack
  • Gathering evidence of any malicious file execution
  • Windows event logs analysis for intrusion & defense evasion
  • Building a timeline analysis of the attack

Note: The following are prerequisite rooms that you should visit before solving this room:

Answer the questions below
What is the user's name whose system generated suspicious SSH traffic to a malicious IP?

Investigating with Windows Utilities

Windows OS possesses some key artifacts that prove handy during any forensic investigation. Windows introduced these utilities to enhance the system’s efficiency, but they are also very helpful in Forensic Investigations. We will also utilize some of Eric Zimmerman’s tools during the root cause analysis. This Eric Zimmerman's arsenal of tools are great for digital forensics and incident response cases.

Let’s analyze the artifacts in detail and answer some questions at the end of each task.

Lab Setup

First, let’s start the Virtual Machine by pressing the Start Machine button given below. The machine will start in Split-Screen view.

If the VM is not visible, use the blue Show Split View button at the top of the page. You can also connect with the machine via VPN using the RDP credentials below.

THM Key Credentials
Username Administrator
Password compromise@333
IP MACHINE_IP
Answer the questions below
You are good to go!

Timeline Explorer is a tool by Eric Zimmerman that allows you to view CSV files easily. It has several cool features that allow filters to be applied to the CSV to extract essential data. It is important to set up this tool before starting the investigation. Following are the guidelines for the tool’s usage in the given machine:

Open the tool Timeline Explorer by double-clicking it from the directory C:\Users\Administrator\Desktop\Forensics Tools\TimelineExplorer. The artifacts analyzed in the upcoming tasks will mainly generate CSV files. We will import all our CSV files into this tool to better visualize the parsed results.

Note: The tool will take between 1-3 minutes to open up.

Timeline Explorer tool.

Answer the questions below
Which tool makes it easier to analyze CSV files?

Scheduled Tasks

If you want to perform various tasks automatically after a specific time interval instead of manually performing them repeatedly, you can schedule them. In Windows, this can be done by creating a scheduled task and configuring your file inside. As a forensic investigator, this is one of the crucial artifacts while analyzing a compromised Windows OS because threat actors often use this utility to create a backdoor to stay persistent.

Clock representing the scheduling of tasks.

Utilizing Scheduled Tasks in the Case

As per the scenario, the victim observed a prompt on his system’s screen after every minute, which means it may be scheduled to execute. Let’s review the machine’s scheduled tasks for this.

To view the scheduled tasks in the system, type Task Scheduler in the search bar.

Below is the screenshot showing the compromised host’s scheduled task, which the attacker created to connect to the malicious command and control via SSH at regular intervals. We can see that the malicious task was created at 10:29.

Attacker's scheduled task in the Task Scheduler application.

Another way to view the Scheduled tasks is by traversing to the directory C:\Windows\System32\Tasks as shown below:

Attacker's scheduled task in the directory where these tasks are located.

Answer the questions below

What is the name of the scheduled task created by the attacker?

What is the IP of the malicious server to which SSH requests are made?

LNK Files

LNK files are like bookmarks that help you pinpoint a specific page. In terms of the Windows OS, these are shortcuts to the original files. You just need to click the particular LNK file without navigating to its actual path. It is an easy way to access your favorite programs, files, or folders with a click. In analyzing a compromised Windows OS, LNK files serve as a valuable artifact while searching for the attacker’s footprints. LNK files give information on the recently accessed files/folders.

LNK file image.

Utilizing LNK in the Case

Considering the time of the scheduled task 10:29 that we saw in the previous task, let’s try to extract the recently accessed files during that time.

Move to the following LNK files directory: C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent Items. The following screenshot shows the LNK of a RAR file created just a few minutes before the scheduled task.

LNK files directory.

After searching the whole system for this file, we found it nowhere. It seems to have been deleted.

Parsing LNK Files

We have Eric Zimmerman’s tool, LECmd, which will help us parse this LNK file. Let’s see what we can get from there.

Open CMD with Admin privilege and type the following command to move to the tool’s directory:

cd "C:\Users\Administrator\Desktop\Forensics Tools\LECmd"

Now, enter the following command to execute the tool:

.\LECmd.exe -d C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent --csvf Parsed-LNK.csv --csv C:\Users\Administrator\Desktop

LECmd execution in the command prompt.

This command will parse the LNK files and save the results in CSV format on the Desktop.

Drag and drop the Excel file Parsed-LNK.csv created on the Desktop into the Timeline Explorer tool. In the screenshot below, the RAR file was accessed at 10:27 (2 minutes before the scheduled task was created). We can also see the name of the RAR file along with the file creation time (Target Created Column) and the LNK creation time (Source Created Column) in the screenshot below.

Parsed LNK file in the Timeline Explorer tool.

Answer the questions below

What is the name of the RAR file created during the attack?

When was the RAR file created in the system? Format YYYY-MM-DD HH:MM:SS

Prefetch Files

Prefetch files are part of the Windows operating system that keeps track of your file execution activities. Windows uses this feature for performance optimization. Whenever you execute a file, Windows creates a prefetch file for it and remembers how it was opened and what activity it performed. This helps the operating system load these programs faster the next time you want to open them.

In incident response, these files play a vital role during the investigation because they help investigators find the details of any suspicious or malicious programs executed.

Utilizing Prefetch Files in the Case

In the previous task, we saw the RAR file's creation time in the LNK, which means the malicious executable may be inside it. We will parse the contents of prefetch files to find the execution details of this file.

Parsing Prefetch Files

We will utilize Eric Zimmerman’s tool PECmd to parse the prefetch files.

Open CMD with Admin privilege and type the following command to move to the tool’s directory: cd "C:\Users\Administrator\Desktop\Forensics Tools\PECmd"

Now, enter the following to execute the tool:

.\PECmd.exe -d "C:\Windows\Prefetch" --csv C:\Users\Administrator\Desktop --csvf Prefetch-Parsed.csv

This command will parse the prefetch Files and save the results in CSV format on the Desktop.

PECmd tool execution in the command prompt.

Now, let's start viewing the executions just after the RAR file access time we saw in the LNK. The screenshot below shows that a file was executed after the RAR file was accessed. We can also see the name of the executable file (Executable Name Column), the file execution time (Source Modified Column), and the count of execution (Run Count Column). It also shows the last run time (Last Run) of the file.

Parsed prefetch files in the Timeline Explorer tool.

Note: Prefetch files are not enabled by default in Windows Server OS versions.

Answer the questions below

What is the name of the malicious executable file?

How many times was this file executed?

When was the last time that this file was executed? Format YYYY-MM-DD HH:MM:SS

Amcache File

Amcache was introduced in the Windows OS to improve program compatibility by maintaining a cache of information about installed applications. It stores applications’ metadata to ensure their compatibility with the Windows environment. Using this artifact, forensic investigators can extract the file metadata, including the file hash, execution time, and other details.

Utilizing Amcache in the Case

In the previous task, we saw the suspected executables' name and execution time. Let’s gather more details about this file, such as its full path and the hash from the Amcache.

Parsing Amcache

We will utilize Eric Zimmerman’s tool Amcache Parser to parse the amcache file:

Open CMD with Admin privilege and type the following command to move to the tool’s directory: cd "C:\Users\Administrator\Desktop\Forensics Tools\AmcacheParser"

Now, enter the following command to execute the tool:

.\AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv C:\Users\Administrator\Desktop --csvf Amcache_Parsed.csv

This command will parse the Amcache File and save the results in CSV format on the Desktop.

Note: The Amcache file is already present on the machine for the reason explained below, so we do not need to run the above command to parse it.

Important Note

The Amcache refreshes itself after every restart, so we have preserved it during the attack session for you. The results are already saved on the Desktop with the name Amcache-Parsed.csv. Drag and drop this to the Timeline Explorer tool.

We can see the full file path (Full Path Column), the file hash (SHA1 Column), and the last execution time (File Key Last Write Timestamp).

Parsed amcache files in the Timeline Explorer tool.

Note: We can also use Shimcache/Appcompatcache, which also gives information on an executable. However, they have a shorter retention period than Amcache.

Answer the questions below

What is the full path of the malicious file?

What is the SHA1 hash of this file?

Windows Event Logs

Windows Event Logs provides diagnostic information for troubleshooting purposes. These event logs are a significant source of information for forensic investigators. They can help extract user activity logs and establish a chain of events for the incident.

Windows Event Viewer application.

Utilizing Logs in the Case

Previously, we gathered all the details of the malicious executable by utilizing some of the useful Eric Zimmerman’s tools. Let’s see if we can get any important log entries before or in between the execution time.

Windows Event Logs can be accessed from its built-in Event Viewer utility. You can access it by searching it from the start menu.

Let's see if there is any RDP connection during this time in this machine.  We can verify this by viewing the RDP logs of this specific time from Applications and Services Logs -> Microsoft -> Windows -> Terminal-Services-RemoteConnectionManager > Operational. We can see an RDP successful login with Event ID 1149 just a few minutes before the RAR file was dropped in the system.

Event Viewer application showing the log of  successful RDP attempt.

Now, as observed and reported by the user initially, let’s see when the Windows Defender was turned off. We can see that by moving to Applications and Services Logs > Microsoft > Windows > Windows Defender > Operational in Event Viewer. In the screenshot below, we can see a log with Event ID 5001

Event Viewer application showing the log of disabling Windows Defender.

Answer the questions below

When was Defender disabled? Answer in 12 hour clock format. e.g. hours:minutes:seconds AM/PM

What is the IP address of the attacker's system?

We successfully established a chain of attackers’ steps by utilizing some key forensic artifacts in the Windows operating system. The attacker infiltrated the system via RDP, turned off Defender, and dropped the RAR file containing a malicious payload. He then decompressed the file and executed a malicious executable present inside it, which made a scheduled task for persistence in the system. The purpose of this scheduled task was to SSH a malicious CNC server after every minute. After that, he deleted both the RAR file and the executable from the system.

Following is the chronological order of the attack after all the above analysis. We recommend you create this table on your own and write the exact timelines of the activities mentioned in order.

Activity
Initiated an RDP Session
Turned Off Firewall
RAR File Dropped
RAR File Opened
Malicious File Executed
Answer the questions below
Complete the room!

Room Type

Free Room. Anyone can deploy virtual machines in the room (without being subscribed)!

Users in Room

4,286

Created

136 days ago

Ready to learn Cyber Security? Create your free account today!

TryHackMe provides free online cyber security training to secure jobs & upskill through a fun, interactive learning environment.

Already have an account? Log in

We use cookies to ensure you get the best user experience. For more information contact us.

Read more