Note


While checking the filesystem after conducting basic enumeration, I found an interesting file located at the system root:

*evil-winrm* ps c:\> ls
 
 
    directory: C:\
 
 
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        5/26/2020   5:38 PM                PerfLogs
d-----         6/3/2020   9:47 AM                profiles
d-r---        3/19/2020  11:08 AM                Program Files
d-----         2/1/2020  11:05 AM                Program Files (x86)
d-r---        2/23/2020   9:16 AM                Users
d-----       12/22/2023  11:31 AM                Windows
-a----        2/28/2020   4:36 PM            447 notes.txt

That's the file: C:\notes.txt

*evil-winrm* ps c:\> cat notes.txt
Mates,
 
after the domain compromise and computer forensic last week, auditors advised us to:
- change every passwords -- Done.
- change krbtgt password twice -- Done.
- disable auditor's account (audit2020) -- KO.
- use nominative domain admin accounts instead of this one -- KO.
 
We will probably have to backup & restore things later.
- Mike.
 
ps: Because the audit report is sensitive, I have encrypted it on the desktop (root.txt)

The notes.txt file confirms the earlier theory that the target system had previously been compromised by the malicious actor, Ipwn3dYourCompany.

Interestingly, the author claims to have changed every password, which clearly wasn't the case for the audit2020 account, which was apparently supposed to be disabled.