Unattended TryHackMe
Use your Windows forensics knowledge to investigate an incident.
Last updated
Our client has a newly hired employee who saw a suspicious-looking janitor exiting his office as he was about to return from lunch.
I want you to investigate if there was user activity while the user was away between 12:05 PM to 12:45 PM on the 19th of November 2022. If there are, figure out what files were accessed and exfiltrated externally.
Initial investigations reveal that someone accessed the user's computer during the previously specified timeframe.
Whoever this someone is, it is evident they already know what to search for. Hmm. Curious.
Use the RegistryExplorer tool to check the "Windows Explorer Address/Search Bars" task in Windows Forensics 1 room.
Anyway, open Registry Explorer and give it time to load.
Then go to File > Load hive and pick the user's NTUSER.DAT hive:
C:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora\NTUSER.DAT
First check TypedPaths:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
It's empty, so let's move on to the other key.
Go to WordWheelQuery, which stores the terms typed into the Explorer search bar:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
Ans : .pdf
Ans : Continental
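The same WordWheelQuery data can be decoded without Registry Explorer. This is an added example, not part of the original walkthrough: it parses the key's MRUListEx ordering (little-endian DWORD indices, 0xFFFFFFFF terminator) and the numbered UTF-16LE values, using constructed sample bytes rather than data pulled from the room's image.

```python
from __future__ import annotations
import struct

# Constructed stand-in for the values under
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
# Real data would be read from the hive (e.g. with python-registry); these
# bytes are made up here so the example runs offline.
SAMPLE_WORDWHEELQUERY: dict[str, bytes] = {
    # MRUListEx: DWORD indices, most recent first, ended by 0xFFFFFFFF
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    # Each numbered value is a null-terminated UTF-16LE search string
    "0": ".pdf".encode("utf-16-le") + b"\x00\x00",
    "1": "Continental".encode("utf-16-le") + b"\x00\x00",
}


def parse_mrulistex(data: bytes) -> list[int]:
    """Return entry indices in most-recently-used order (terminator excluded)."""
    if not data:
        return []
    if len(data) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order: list[int] = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_search_term(data: bytes) -> str:
    """Decode one numbered value: UTF-16LE text up to the first null."""
    text = data.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def wordwheel_searches(values: dict[str, bytes]) -> list[str]:
    """Explorer search terms, most recent first, following MRUListEx."""
    terms: list[str] = []
    for idx in parse_mrulistex(values.get("MRUListEx", b"")):
        raw = values.get(str(idx))
        if raw is None:
            continue  # index with no value: entry deleted or hive damaged
        terms.append(decode_search_term(raw))
    return terms


if __name__ == "__main__":
    for n, term in enumerate(wordwheel_searches(SAMPLE_WORDWHEELQUERY)):
        print(f"{n}: {term!r}")
```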
Task 4
Note: When using the Autopsy Tool, you can speed up the load times by only selecting "Recent Activity" when configuring the Ingest settings.
Open the Autopsy tool and create a new case.
Press Next, then Finish, and let's answer the questions.
Ans : 7z2201-x64.exe
Ans : 2022-11-19 12:09:19UTC
Let's go back to Registry Explorer and search for PNG files.
Ans : 2022-11-19 12:10:21
Task 5 Sending it outside
Uh oh. They've hit the jackpot and are now preparing to exfiltrate data outside the network.
There is no way to do it via USB. So what's their other option?
Check out the machine's Jump Lists using the JLECmd.exe tool.
Let's open CMD, go to the Tools folder and run this:
JLECmd -d c:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora
Ans : 2
Ans : 11/19/2022 12:12
Use the Autopsy tool to check the "IE/Edge History" of the target machine.
Let's go back to Autopsy.
Go to Web History and filter the results by searching for pastebin.com.
Ans : https://pastebin.com/1FQASAva
Ans : ne7AIRhi3PdESy9RnOrN
At this point, we already have a good idea of what happened. The malicious threat actor was able to successfully find and exfiltrate data. While we could not determine who this person is, it is clear that they knew what they wanted and how to get it.
I wonder what's so important that they risked accessing the machine in-person... I guess we'll never know.
But it was too easy. Thanks for reading 🔰, I appreciate it 🥰