GitHub: rishiR700/TryHackMe-investigating-windows
# TryHackMe-investigating-windows
Windows Investigation & Incident Response Lab from TryHackMe
## Overview
This lab focused on investigating a compromised Windows machine and identifying attacker activity, persistence mechanisms, credential dumping techniques, and indicators of compromise (IOCs).
Platform: TryHackMe
Category: Windows Investigation / Blue Team / Incident Response
## Objective
The objective of this lab was to:
- Investigate suspicious activity on a Windows machine
- Identify persistence mechanisms
- Analyze malicious scripts and scheduled tasks
- Detect credential dumping activity
- Review firewall and hosts file modifications
- Identify indicators of compromise (IOCs)
## Tools Used
- PowerShell
- Event Viewer
- Task Scheduler
- Windows Firewall
- Command Prompt
## Investigation Steps
### 1. System Enumeration
```
systeminfo
```
### 2. User Enumeration
```
net user
```
### 3. Administrator Enumeration
```
net localgroup administrators
```
### 4. Scheduled Task Investigation
Suspicious task identified: `Clean file system`

The task's action executed a PowerShell script: `nc.ps1`

The task name is chosen to look like routine maintenance; the indicator is the action it runs (a script, not a built-in cleanup tool) together with the account and run level the task executes under.
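The four enumeration steps above, collected into one PowerShell triage script. This is an added example, not part of the original writeup or the TryHackMe lab; it uses only built-in cmdlets, and the only lab-specific value is the script name `nc.ps1`. The interpreter pattern used to flag task actions is an assumption chosen to catch common script-based persistence.

```powershell
# Added example (not from the original writeup): steps 1-4 of the investigation as one
# PowerShell triage script. Run in an elevated PowerShell 5.1+ session on the host.
# The only lab-specific value is the script name below; everything else is generic.

$suspectScript = 'nc.ps1'   # script name taken from the lab's findings

# 1. System enumeration: hostname, OS build and last boot, to scope the timeline.
Get-ComputerInfo | Select-Object CsName, OsName, OsVersion, OsLastBootUpTime | Format-List

# 2. User enumeration: enabled status and last logon expose newly created or
#    reactivated accounts (native equivalent of `net user`).
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Sort-Object LastLogon -Descending | Format-Table -AutoSize

# 3. Administrator enumeration: any member that is not a known admin is a lead
#    (native equivalent of `net localgroup administrators`).
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource | Format-Table -AutoSize

# 4. Scheduled task investigation: list every task whose action launches a script
#    interpreter or references a .ps1 file, with who it runs as and when it last ran.
#    A benign-looking name ("Clean file system") is not a signal; the action and the
#    run context are. The interpreter pattern is an assumption, not from the lab.
$flagged = foreach ($task in Get-ScheduledTask) {
    foreach ($action in $task.Actions) {
        $cmdline = "$($action.Execute) $($action.Arguments)"
        if ($cmdline -match '\.ps1\b|powershell|cmd\.exe|wscript|cscript|mshta|rundll32') {
            $info = $task | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName    = $task.TaskName
                TaskPath    = $task.TaskPath
                RunAs       = $task.Principal.UserId
                RunLevel    = $task.Principal.RunLevel
                Author      = $task.Author
                State       = $task.State
                LastRunTime = $info.LastRunTime
                CommandLine = $cmdline.Trim()
                NamedScript = [bool]($cmdline -match [regex]::Escape($suspectScript))
            }
        }
    }
}
$flagged | Sort-Object NamedScript -Descending | Format-Table -AutoSize -Wrap

# Preserve the full task definition (triggers, working directory, principal) of any
# task that references the known-bad script, as evidence before remediation.
$flagged | Where-Object NamedScript | ForEach-Object {
    Export-ScheduledTask -TaskName $_.TaskName -TaskPath $_.TaskPath
}
```

The exported XML is worth keeping alongside the findings: it records the trigger schedule and the working directory, which is usually where the script was dropped.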
## Indicators of Compromise (IOCs)
| IOC Type | Value |
|---|---|
| Malicious Script | nc.ps1 |
| Port | 1348 |
| Credential Dumping Tool | Mimikatz |
| Modified File | hosts |
| Web Shell Extension | .jsp |
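A PowerShell sweep that checks a host against each row of the IOC table above. This is an added example and not part of the original writeup; the port, file names and hosts file come from the table, while the search roots, the log sources queried and the Mimikatz keyword pattern are assumptions noted in the comments.

```powershell
# Added example (not from the original writeup): check a host against the IOC table.
# Values marked "from the table" come from the lab; paths, log sources and the keyword
# pattern are assumptions. Run elevated. Security 4688 hits require process-creation
# auditing with command-line logging to be enabled; otherwise that query is empty.

$iocPort   = 1348                                      # from the table
$iocScript = 'nc.ps1'                                  # from the table
$iocShell  = '*.jsp'                                   # from the table
$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
# Assumed search roots: IIS web root, user profiles and temp directories. Widen as needed.
$searchRoots = @('C:\inetpub', 'C:\Users', "$env:SystemRoot\Temp", $env:TEMP) |
    Where-Object { Test-Path $_ }

$findings = [System.Collections.Generic.List[object]]::new()
function Add-Finding([string]$Type, [string]$Value, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Type = $Type; Value = $Value; Detail = $Detail })
}

# Malicious script and web shell: locate the file names on disk and record the
# timestamps, which feed the attack timeline.
Get-ChildItem -Path $searchRoots -Recurse -Force -Include $iocScript, $iocShell -ErrorAction SilentlyContinue |
    ForEach-Object { Add-Finding 'File' $_.FullName "Created $($_.CreationTime), modified $($_.LastWriteTime)" }

# Port: anything listening on the IOC port, and any firewall rule that opens it.
# An attacker who adds an allow rule for a listener leaves it in the rule set.
Get-NetTCPConnection -State Listen -LocalPort $iocPort -ErrorAction SilentlyContinue | ForEach-Object {
    $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    Add-Finding 'Listener' $iocPort "PID $($_.OwningProcess) ($($proc.ProcessName)) on $($_.LocalAddress)"
}
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq "$iocPort" } | Get-NetFirewallRule | ForEach-Object {
    Add-Finding 'FirewallRule' $_.DisplayName "$($_.Direction) $($_.Action), Enabled=$($_.Enabled), Profile=$($_.Profile)"
}

# Hosts file: report every active (non-comment) mapping for comparison against a
# known-good baseline. A stock hosts file contains only comments.
Get-Content $hostsFile | ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |
    ForEach-Object { Add-Finding 'HostsEntry' $_ $hostsFile }

# Credential dumping: Mimikatz leaves its name or module names in PowerShell script
# block logs (4104) and in process command lines (4688). Pattern is an assumption.
$mimikatzPattern = 'mimikatz|sekurlsa|lsadump|Invoke-Mimikatz'
$logQueries = @(
    @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 },
    @{ LogName = 'Security'; Id = 4688 }
)
foreach ($q in $logQueries) {
    Get-WinEvent -FilterHashtable $q -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match $mimikatzPattern } |
        ForEach-Object {
            Add-Finding 'CredentialDumping' "$($q.LogName)/$($_.Id)" "$($_.TimeCreated): $($_.Message.Split("`n")[0])"
        }
}

$findings | Sort-Object Type | Format-Table -AutoSize -Wrap
```

An empty result for a row is not proof of absence: the file search only covers the listed roots, and the event log queries depend on script block and process-creation logging having been enabled before the intrusion.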
## Skills Practiced
- Windows Investigation
- Incident Response
- Threat Hunting
- IOC Identification
- Event Log Analysis
- Persistence Detection
## Conclusion
This lab provided practical exposure to Windows incident response and forensic investigation workflows.