# EZ tools

To follow along, download and install the EZ tools suite (available at <https://ericzimmerman.github.io/#!index.md>).

You need either the logical files exported from the E01, or the image mounted with Arsenal Image Mounter (AIM), which we'll cover here.

## Mount the E01 in Windows

Download Arsenal Image Mounter (from [here](https://arsenalrecon.com/products/arsenal-image-mounter)) and install it.

Load AIM and select 'Mount disk image'. Select the first E01 segment and select **open**.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FVMBE9SYBinzh13KWyjED%2Fimage.png?alt=media&#x26;token=e432b6a6-8fb0-4381-9ee1-d4e95dc72d52" alt=""><figcaption></figcaption></figure></div>

Select 'Disk device, read only' and leave the sector size at the default (512). We only need to read **from** the disk, and a read-only mount guarantees nothing on the evidence is altered while we work. If we were mounting the image to boot it as a VM, or needed some kind of temporary write operation (writes stored in a separate differencing file, never committed to the image itself), we'd mount with the 'Write temporary' option instead.

From the initial information provided, we have enough to start processing. We want to target the following artefacts:

* Windows Event Logs (RDP was exposed to the internet, so we want to identify failed/successful authentication attempts, as well as incoming RDP connections)
* MFT (were any files dropped by the threat actor? Ransomware executables? Staged archived/zipped files prior to exfil?)
* Prefetch (noting this is a Windows Server install, we need to confirm whether Prefetch/Superfetch is enabled or whether any artefacts exist at all)
* Registry hives (NTUSER.DAT, Amcache, SYSTEM, SAM, SOFTWARE, etc. - we want to identify whether any executables were launched, any new scheduled/executed tasks, etc.)

## Process Windows Event Logs with EvtxECmd

The default location for Windows event logs is C:\Windows\System32\winevt\Logs (G:\Windows\System32\winevt\Logs once the image is mounted as G:).

If you run EvtxECmd.exe by itself in an elevated command prompt, you'll see the list of available options. In this instance, we're just going to process every file within a directory into a single CSV output.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FRa6MJodKvzez0RnFNy6a%2Fimage.png?alt=media&#x26;token=89f10b74-33db-4d5e-806e-a03956347ad5" alt=""><figcaption></figcaption></figure></div>

Our final command

<figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FMUyjkW4IGWesWc5yHJVR%2Fimage.png?alt=media&#x26;token=7e484da4-8008-46e5-b93f-ac422e816c28" alt=""><figcaption></figcaption></figure>
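The command in the screenshot isn't reproduced in text, so the following is an added example (not the page's own command) of the same step, followed by a first pass over the resulting CSV for the logon events this case calls for. It assumes the E01 is mounted read-only by AIM as G:, that EvtxECmd.exe is on PATH, and that C:\case\out is a placeholder output directory; the Payload JSON layout it parses is the one emitted by current EvtxECmd builds and is labelled as an assumption in the code.

```powershell
# Added example (not the original page's command): run EvtxECmd across the
# logs on the mounted image, then triage the CSV for the logon events the
# case calls for. Assumptions: the E01 is mounted read-only by AIM as G:,
# EvtxECmd.exe is on PATH, and C:\case\out is a placeholder output directory.

$Mount  = 'G:'
$OutDir = 'C:\case\out'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# -d      directory of .evtx files (recursive)
# --csv   output directory, --csvf output file name
# --inc   only these event IDs: 4624/4625 logon success/failure,
#         4648 explicit-credential logon, 4778/4779 RDP session (re)connect,
#         1149 RemoteConnectionManager, 21/22/24/25 LocalSessionManager
& EvtxECmd.exe -d (Join-Path $Mount 'Windows\System32\winevt\Logs') `
    --csv $OutDir --csvf evtx_logons.csv `
    --inc 4624,4625,4648,4778,4779,1149,21,22,24,25

# EvtxECmd writes the event's EventData into the Payload column as JSON, e.g.
# {"EventData":{"Data":[{"@Name":"LogonType","#text":"10"}, ...]}}.
# Pull one named value out of it (regex over the assumed @Name/#text layout;
# adjust the pattern if your EvtxECmd version serialises it differently).
function Get-EventDataValue {
    param([string]$Payload, [string]$Name)
    $pattern = '"@Name":"' + [regex]::Escape($Name) + '","#text":"([^"]*)"'
    $m = [regex]::Match($Payload, $pattern)
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

# Reduce 4624/4625 rows to the fields that matter for an exposed-RDP case.
function Get-LogonSummary {
    param([string]$CsvPath)
    Import-Csv -Path $CsvPath |
        Where-Object { $_.EventId -in @('4624', '4625') } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Outcome   = if ($_.EventId -eq '4624') { 'success' } else { 'failure' }
                User      = Get-EventDataValue -Payload $_.Payload -Name 'TargetUserName'
                LogonType = Get-EventDataValue -Payload $_.Payload -Name 'LogonType'
                SourceIp  = Get-EventDataValue -Payload $_.Payload -Name 'IpAddress'
            }
        }
}

$logons = Get-LogonSummary -CsvPath (Join-Path $OutDir 'evtx_logons.csv')

# Inbound RDP is logon type 10 (RemoteInteractive). With NLA enabled, a failed
# RDP attempt is usually recorded as a type 3 (Network) 4625 instead, so count
# failures by source for both types before deciding who was brute-forcing.
$logons | Where-Object { $_.LogonType -in @('3', '10') } |
    Group-Object Outcome, SourceIp | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Every successful RDP logon, in order: these are the sessions to pivot from.
$logons | Where-Object { $_.Outcome -eq 'success' -and $_.LogonType -eq '10' } |
    Sort-Object Time | Format-Table Time, User, SourceIp -AutoSize
```

The `--inc` filter keeps the CSV small enough to work with in a spreadsheet; drop it to get every event when you later need the full timeline. Because the mount is read-only, the tool can be re-run with different filters at any time without any risk to the evidence.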

## Process MFT with MFTECmd

The MFT ($MFT) resides in the root of the volume. In this instance, we're looking at the primary drive from the compromised server; its original volume was C: (so it would've been C:\\$MFT), but since we mounted it with AIM it's been assigned the letter G:, so it exists at G:\\$MFT. Reading $MFT directly from a mounted volume requires an elevated prompt.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FQkkdoPL6eQIPP9jT5qTN%2Fimage.png?alt=media&#x26;token=f729e76b-c4c4-4d14-9c99-4dbeeec898f1" alt=""><figcaption></figcaption></figure></div>

## Process Prefetch with PECmd

In this instance, Prefetch/Superfetch artefacts don't exist: Prefetch is disabled by default on Windows Server operating systems, so C:\Windows\Prefetch (G:\Windows\Prefetch on the mount) holds no .pf files. Rather than assume, confirm it from the offline SYSTEM hive: the value EnablePrefetcher under ControlSet00N\Control\Session Manager\Memory Management\PrefetchParameters is 0 when disabled and 3 when both boot and application prefetching are on. This

## Process registry hives with Registry Explorer

We'll start with the SOFTWARE and SYSTEM hives and pivot from there as the analysis progresses.

Export the SYSTEM and SOFTWARE hives from G:\Windows\System32\config together with their transaction logs (SYSTEM.LOG1/.LOG2 and SOFTWARE.LOG1/.LOG2). A hive taken from a running system is normally dirty, and the logs hold the most recent changes that were never flushed into the primary file.

Load Registry Explorer > File > Load hive > select SOFTWARE and its corresponding .LOG files. Registry Explorer detects that the hive is dirty and offers to replay the transaction logs; accept, otherwise the newest keys and values are missing from what you analyse.

<div align="left"><figure><img src="https://3710248095-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MAcqFKR60dGwoJxmUG5%2Fuploads%2FLYJpVCXjb8RCCKMVbvK4%2Fimage.png?alt=media&#x26;token=c72225ea-4cf0-4368-9410-89f0d0805234" alt=""><figcaption></figcaption></figure></div>

Do the same for the SYSTEM hive.
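The MFT, Prefetch and registry steps above are all the same shape (point an EZ tool at the mounted volume, write CSV), so here is one added example that strings them together from an elevated PowerShell prompt. It is not the page's own command set: it assumes the image is mounted read-only as G:, that MFTECmd, PECmd, RECmd and AmcacheParser are on PATH, that RECmd is installed under C:\Tools\RECmd (for its bundled Kroll batch file), and that C:\case is a placeholder working directory. It also performs the two checks the text calls for, whether any .pf files exist and what EnablePrefetcher is set to in the offline SYSTEM hive.

```powershell
# Added example (not the original page's commands): process $MFT, $UsnJrnl,
# Prefetch and the registry hives from the read-only AIM mount, assumed to be
# G:. MFTECmd, PECmd, RECmd and AmcacheParser are assumed on PATH, RECmd is
# assumed installed under C:\Tools\RECmd, and C:\case is a placeholder working
# directory. Run from an elevated PowerShell prompt: $MFT and the hives under
# System32\config are not readable from a standard prompt.

$Mount   = 'G:'
$OutDir  = 'C:\case\out'
$HiveDir = 'C:\case\hives'
New-Item -ItemType Directory -Path $OutDir, $HiveDir -Force | Out-Null

# --- $MFT and $UsnJrnl ---
# Single quotes stop PowerShell expanding $MFT / $Extend as variables.
& MFTECmd.exe -f ($Mount + '\$MFT') --csv $OutDir --csvf mft.csv
# The USN journal keeps create/rename/delete records for files that $MFT
# no longer lists, e.g. a staged archive deleted after exfiltration.
& MFTECmd.exe -f ($Mount + '\$Extend\$UsnJrnl:$J') --csv $OutDir --csvf usn.csv

# --- Prefetch ---
# Off by default on Windows Server: check for .pf files instead of assuming.
$PfDir   = Join-Path $Mount 'Windows\Prefetch'
$PfFiles = @(Get-ChildItem -Path $PfDir -Filter '*.pf' -ErrorAction SilentlyContinue)
if ($PfFiles.Count -gt 0) {
    & PECmd.exe -d $PfDir --csv $OutDir --csvf prefetch.csv
} else {
    Write-Host "No .pf files in $PfDir; skipping PECmd."
}

# --- Registry ---
# Export each hive with its transaction logs (.LOG1/.LOG2). A hive from a
# running system is normally dirty: the logs hold the most recent changes.
$ConfigDir = Join-Path $Mount 'Windows\System32\config'
foreach ($hive in 'SYSTEM', 'SOFTWARE', 'SAM', 'SECURITY') {
    Copy-Item -Path (Join-Path $ConfigDir "$hive*") -Destination $HiveDir -Force
}

# Bulk-parse the system hives and every user's NTUSER.DAT/UsrClass.dat with
# the Kroll batch file that ships with RECmd (execution, persistence, shell
# history and similar keys). RECmd finds hives recursively and replays the
# .LOG files itself when they sit beside the hive.
$Batch = 'C:\Tools\RECmd\BatchExamples\Kroll_Batch.reb'   # assumed install path
& RECmd.exe --bn $Batch -d $ConfigDir --csv $OutDir
& RECmd.exe --bn $Batch -d (Join-Path $Mount 'Users') --csv $OutDir

# Amcache is a hive too, but has its own parser.
& AmcacheParser.exe -f (Join-Path $Mount 'Windows\AppCompat\Programs\Amcache.hve') --csv $OutDir

# Confirm the Prefetch setting from the offline SYSTEM hive rather than
# guessing. reg.exe needs a writable copy, which is why the hive was exported;
# Windows applies the copied .LOG1/.LOG2 on load if the hive is dirty.
& reg.exe load 'HKLM\OFF_SYSTEM' (Join-Path $HiveDir 'SYSTEM') | Out-Null
try {
    $cs = (Get-ItemProperty -Path 'HKLM:\OFF_SYSTEM\Select').Current   # active ControlSet
    $pfKey = 'HKLM:\OFF_SYSTEM\ControlSet{0:D3}\Control\Session Manager\Memory Management\PrefetchParameters' -f $cs
    $pf = Get-ItemProperty -Path $pfKey
    Write-Host "EnablePrefetcher = $($pf.EnablePrefetcher) (0 = disabled, 3 = boot and application prefetching)"
} finally {
    [gc]::Collect()   # drop PowerShell's handle on the key so the unload succeeds
    & reg.exe unload 'HKLM\OFF_SYSTEM' | Out-Null
}
```

The hive is loaded from the exported copy, never from G:, so the evidence stays untouched even though reg.exe opens the file for writing. Using the Select key's Current value instead of hard-coding ControlSet001 matters on systems that have rolled to ControlSet002 after a failed boot.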
