THM: Windows Server Attack Analysis: Part One

Michael Koczwara
4 min read · Sep 28, 2021

Investigating Windows Server 2016 Part One

Part One

Agenda:

Investigating a compromised Windows Server.

Methodologies & Tools covered:

  • Windows command line.
  • PowerShell command line.
  • Windows component tools such as Event Viewer, Regedit and Task Scheduler.

Process Investigation Map

Windows component tools used during the investigation

  • Net user
  • Event viewer
  • Task scheduler
  • Regedit

Net user: the Net utility (net.exe) is a built-in component of the Windows operating system. It is used from the command line to manage users, groups, services, and network connections; the net user subcommand lists the local accounts on the host and shows or changes an individual account's settings, which makes it the quickest way to spot an account the attacker added.

Event viewer is a component of Microsoft’s Windows operating system that lets administrators and users view the event logs on a local or remote machine.
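The four tools listed above can all be driven from a single PowerShell session, which is handier than clicking through each console when triaging a host. The following is an added example and not code from the original walkthrough; it assumes an elevated PowerShell 5.1 session on the Windows Server 2016 host, and the seven-day look-back window, the event IDs selected, and the Run keys inspected are illustrative choices rather than anything the write-up prescribes.

```powershell
# Added triage example (not part of the original write-up). Assumes an elevated
# PowerShell 5.1+ session on the investigated Windows Server 2016 host. The
# 7-day window and the event IDs are illustrative choices.

# 1. Local accounts: what `net user` shows, plus enabled state and who is an admin.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Sort-Object PasswordLastSet -Descending |
    Format-Table -AutoSize
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

# 2. Security log (what Event Viewer shows): account creation (4720), additions to
#    global/local groups (4728/4732) and successful logons (4624). Only network (3)
#    and RDP (10) logons are kept, since those are the remote ones an attacker uses.
#    These events only exist if the audit policy was enabled before the compromise.
$since = (Get-Date).AddDays(-7)
$ids   = 4720, 4728, 4732, 4624
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = $ids; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -ne 4624 -or $_.Properties[8].Value -in @(3, 10) } |   # Properties[8] of 4624 is LogonType
    Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap

# 3. Scheduled tasks (what Task Scheduler shows), skipping the built-in \Microsoft\
#    tree so that attacker-created tasks stand out, with the command each one runs.
Get-ScheduledTask |
    Where-Object { $_.State -ne 'Disabled' -and $_.TaskPath -notlike '\Microsoft\*' } |
    ForEach-Object {
        [pscustomobject]@{
            Task    = $_.TaskPath + $_.TaskName
            RunAs   = $_.Principal.UserId
            Execute = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)".Trim() }) -join '; '
        }
    } |
    Format-Table -AutoSize -Wrap

# 4. Registry persistence: the Run/RunOnce keys one would otherwise open in Regedit.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    # Drop the PS* metadata properties so only the value names and commands remain.
    $values = Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    foreach ($prop in $values.PSObject.Properties) {
        '{0}  {1} = {2}' -f $key, $prop.Name, $prop.Value
    }
}
```

Run each section in turn and compare what it returns with what the GUI tool shows; an account, task or Run value that appears in only one of the two views is worth a closer look, and any HKCU results apply only to the user the session is running as, so repeat the registry check under each profile that matters.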
