# Unattended TryHackMe

Our client has a newly hired employee who saw a suspicious-looking janitor exiting his office as he was about to return from lunch.

I want you to investigate whether there was user activity while the user was away, between 12:05 PM and 12:45 PM on the 19th of November 2022. If there was, figure out what files were accessed and exfiltrated externally.

Initial investigations reveal that someone accessed the user's computer during the previously specified timeframe.

Whoever this someone is, it is evident they already know what to search for. Hmm. Curious.

<br>

#### Task 3 (Q1) What file type was searched for using the search bar in Windows Explorer?

{% hint style="info" %}
Use the RegistryExplorer tool to check the "Windows Explorer Address/Search Bars" task in Windows Forensics 1 room.
{% endhint %}

<figure><img src="/files/Ab73WijWpFrUe0G7p8zq" alt=""><figcaption><p>That's what the hint is pointing us at</p></figcaption></figure>

Anyway, open Registry Explorer and let it take its time loading.

Then go to File > Load hive and pick the user's hive from the KAPE output:

`C:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora\NTUSER.DAT`

<figure><img src="/files/xDxspJu2SUQhPnVppxxr" alt=""><figcaption><p>Press No ("don't replace"), then Yes</p></figcaption></figure>

<figure><img src="/files/1dBlpbK9pKRkv7yvEiL0" alt=""><figcaption><p>We'll look in these two paths</p></figcaption></figure>

`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`

It's empty.

So let's go to the second one:

`NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`

<figure><img src="/files/NpNv564W7jjBpQss7Tjo" alt=""><figcaption><p>Here it is</p></figcaption></figure>

~~**Ans : .pdf**~~

#### Q2) What top-secret keyword was searched for using the search bar in Windows Explorer?

~~**Ans : Continental**~~
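What Registry Explorer is showing us under WordWheelQuery is an MRU list: each search term sits in a value named `0`, `1`, `2`, ... as a NUL-terminated UTF-16LE string, and the `MRUListEx` value holds those indices most-recent-first, terminated by `0xFFFFFFFF`. The values themselves carry no timestamp; the key's LastWrite time is the moment of the most recent search, which is what you compare against the 12:05 to 12:45 window. The Python below decodes that layout. It is an added example, not part of the original writeup: the bytes in it are constructed to mirror the two answers, and the search order and LastWrite time are made up. RecentDocs uses the same MRUListEx bookkeeping (with shell-item data appended after the NUL), so the same decoder works there.

```python
"""Decode Explorer's MRU bookkeeping the way Registry Explorer displays it.
Added example: the bytes below are constructed to mirror the room's answers;
they are not a dump of the room's NTUSER.DAT."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> datetime:
    """FILETIME (registry key LastWrite, LNK times) = 100-ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt: datetime) -> int:
    # timedelta // timedelta gives an exact int; float division would lose precision here.
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_mrulistex(blob: bytes) -> list[int]:
    """MRUListEx: little-endian uint32 value indices, most recent first, 0xFFFFFFFF terminator."""
    order = []
    for (idx,) in struct.iter_unpack("<I", blob[: len(blob) - len(blob) % 4]):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def decode_utf16_entry(blob: bytes) -> str:
    """Values "0", "1", ... start with a NUL-terminated UTF-16LE string.
    WordWheelQuery stores only the term; RecentDocs appends shell-item bytes after
    the NUL. Scan in 2-byte code units: a naive find(b"\\x00\\x00") can land on the
    high byte of an ASCII character plus the low byte of the next one."""
    out = bytearray()
    for i in range(0, len(blob) - 1, 2):
        unit = blob[i:i + 2]
        if unit == b"\x00\x00":
            break
        out += unit
    return out.decode("utf-16-le")


def mru_history(values: dict[str, bytes]) -> list[str]:
    """Search terms in the order Explorer used them, newest first."""
    return [decode_utf16_entry(values[str(i)]) for i in parse_mrulistex(values["MRUListEx"])]


# Constructed sample key (not the real hive): two searches, "Continental" made last.
SAMPLE_VALUES = {
    "0": "*.pdf".encode("utf-16-le") + b"\x00\x00",
    "1": "Continental".encode("utf-16-le") + b"\x00\x00",
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
}
# Constructed key LastWrite: the time of the most recent search.
SAMPLE_LASTWRITE = utc_to_filetime(datetime(2022, 11, 19, 12, 7, 30, tzinfo=timezone.utc))
# Constructed RecentDocs-style value: filename, NUL, then (fake) shell-item bytes.
SAMPLE_RECENTDOCS_PNG = "top-secret.png".encode("utf-16-le") + b"\x00\x00" + b"\x32\x00\x8a\x02"

WINDOW = (datetime(2022, 11, 19, 12, 5, tzinfo=timezone.utc),
          datetime(2022, 11, 19, 12, 45, tzinfo=timezone.utc))


def analyse(values=SAMPLE_VALUES, lastwrite=SAMPLE_LASTWRITE) -> dict:
    when = filetime_to_utc(lastwrite)
    return {
        "searches_newest_first": mru_history(values),
        "last_search_utc": when.strftime("%Y-%m-%d %H:%M:%S"),
        "inside_lunch_window": WINDOW[0] <= when <= WINDOW[1],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(f"{key}: {value}")
```

To run it against the real hive you would read the raw value bytes out of `NTUSER.DAT` with a registry parser and feed them in as the `values` dict; the decoding and ordering logic is unchanged.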

**Task 4**

*Note:  When using the Autopsy Tool, you can speed up the load times by only selecting "Recent Activity" when configuring the Ingest settings.*

Open the Autopsy tool, then create a new case.

<figure><img src="/files/aOymG5KppkEAHVQ3fBcY" alt=""><figcaption></figcaption></figure>

**Press Next, then press Finish.**

<figure><img src="/files/5lLisX8QzJUWDsMQJ3tu" alt=""><figcaption><p>next</p></figcaption></figure>

<figure><img src="/files/ER9FIoGjjmf7fXWwhIQV" alt=""><figcaption><p>logical files</p></figcaption></figure>

<figure><img src="/files/L7BS5xpUD6B4FbB4d79n" alt=""><figcaption><p>select kape-results</p></figcaption></figure>

<br>

<figure><img src="/files/xrOI7UhKt8PfXMJX55YZ" alt=""><figcaption><p>Deselect all, then check Recent Activity</p></figcaption></figure>

Finish, and let's answer the questions.

#### Q1) What is the name of the downloaded file to the Downloads folder?

<figure><img src="/files/iywnmO76iMuSmgD3GOlL" alt=""><figcaption><p>Going to Web Downloads, we find it</p></figcaption></figure>

~~Ans : 7z2201-x64.exe~~

#### Q2) When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)

<figure><img src="/files/xOQ1IuSTDkX7jCmTY98w" alt=""><figcaption></figcaption></figure>

~~**Ans : 2022-11-19 12:09:19 UTC**~~

#### **Q3)** Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)

Let's go back to Registry Explorer and search for png.

<figure><img src="/files/9KyX0ZNoFqfzMNknudgU" alt=""><figcaption></figcaption></figure>

~~**Ans : 2022-11-19 12:10:21**~~

**Task 5: Sending it outside**

Uh oh. They've hit the jackpot and are now preparing to exfiltrate data outside the network.

There is no way to do it via USB. So what's their other option?

#### Q1) A text file was created in the Desktop folder. How many times was this file opened?

{% hint style="info" %}
Check out the machine's Jump Lists using the JLECmd.exe tool.
{% endhint %}

Let's open CMD, go to the Tools folder, and run this (`-d` makes JLECmd recurse through the directory and parse every Jump List it finds):

> `JLECmd -d c:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora`

<figure><img src="/files/AEozPHKgXx1wNK6PX4NS" alt=""><figcaption></figcaption></figure>

~~**Ans : 2**~~

#### Q2) When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)

~~Ans  : 11/19/2022 12:12~~

#### Q3) The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?

{% hint style="info" %}
Use the Autopsy tool to check the "IE/Edge History" of the target machine.
{% endhint %}


Let's go back to Autopsy.

Go to Web History and filter the results by searching for pastebin.com.

<figure><img src="/files/ckUdTNvq18sIgjB8jXd3" alt=""><figcaption><p>We found the answer!</p></figcaption></figure>

<figure><img src="/files/Zvc1VncEvbTW3g1rteqS" alt=""><figcaption></figcaption></figure>

~~**Ans :** [**https://pastebin.com/1FQASAva**](https://pastebin.com/1FQASAva)~~
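Autopsy's Web Downloads and Web History views (Task 4 Q1/Q2 and the pastebin URL above) are parsed out of the browser's own `History` SQLite database. Chrome and Chromium-based Edge share the schema: a `downloads` table and a `urls` table, both timestamped in microseconds since 1601-01-01 UTC rather than Unix time, which is why the raw numbers look nothing like the times Autopsy shows. Here is the same lookup done by hand in Python, narrowed to the lunch window. This is an added example, not from the original writeup: the database is constructed in memory with only the columns used, and every visit time except the download start is invented.

```python
"""Pull downloads and visited URLs for the incident window out of a
Chromium-style History database (Chrome, Chromium Edge), the source behind
Autopsy's Web Downloads / Web History. Added example: the database here is
constructed in memory and is not the room's evidence."""
import re
import sqlite3
from datetime import datetime, timedelta, timezone

WEBKIT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
WINDOW_START = datetime(2022, 11, 19, 12, 5, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 11, 19, 12, 45, tzinfo=timezone.utc)
# A created paste is pastebin.com/<8 alphanumerics>; the landing page is not one.
PASTE_URL = re.compile(r"https://pastebin\.com/[A-Za-z0-9]{8}$")


def webkit_to_utc(us: int) -> datetime:
    """Chromium stores microseconds since 1601-01-01 UTC (the FILETIME epoch, not Unix)."""
    return WEBKIT_EPOCH + timedelta(microseconds=us)


def utc_to_webkit(dt: datetime) -> int:
    return (dt - WEBKIT_EPOCH) // timedelta(microseconds=1)


def fmt(us: int) -> str:
    return webkit_to_utc(us).strftime("%Y-%m-%d %H:%M:%S UTC")


def build_sample_history() -> sqlite3.Connection:
    """Constructed History with just the columns queried below (the real schema has more)."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE urls (id INTEGER PRIMARY KEY, url TEXT, title TEXT,
                           visit_count INTEGER, last_visit_time INTEGER);
        CREATE TABLE downloads (id INTEGER PRIMARY KEY, target_path TEXT,
                                start_time INTEGER, tab_url TEXT, total_bytes INTEGER);
    """)

    def t(*ymdhms):  # constructed UTC wall-clock time -> Chromium timestamp
        return utc_to_webkit(datetime(*ymdhms, tzinfo=timezone.utc))

    db.executemany("INSERT INTO urls VALUES (NULL, ?, ?, ?, ?)", [
        ("https://example.com/morning-news", "before lunch", 1, t(2022, 11, 19, 9, 30, 0)),
        ("https://www.7-zip.org/download.html", "7-Zip", 1, t(2022, 11, 19, 12, 9, 2)),
        ("https://pastebin.com/", "Pastebin.com", 1, t(2022, 11, 19, 12, 13, 0)),
        ("https://pastebin.com/1FQASAva", "paste", 1, t(2022, 11, 19, 12, 13, 30)),
    ])
    db.executemany("INSERT INTO downloads VALUES (NULL, ?, ?, ?, ?)", [
        (r"C:\Users\THM-RFedora\Downloads\7z2201-x64.exe",
         t(2022, 11, 19, 12, 9, 19), "https://www.7-zip.org/download.html", 1_589_000),
    ])
    return db


def downloads_in_window(db, start=WINDOW_START, end=WINDOW_END):
    """(file name, start time, page it was fetched from) for downloads in the window."""
    rows = db.execute(
        "SELECT target_path, start_time, tab_url FROM downloads "
        "WHERE start_time BETWEEN ? AND ? ORDER BY start_time",
        (utc_to_webkit(start), utc_to_webkit(end))).fetchall()
    return [(path.rsplit("\\", 1)[-1], fmt(ts), src) for path, ts, src in rows]


def visits_in_window(db, needle, start=WINDOW_START, end=WINDOW_END):
    """Like typing into Autopsy's Web History filter box: substring match on the URL."""
    rows = db.execute(
        "SELECT url, last_visit_time FROM urls "
        "WHERE url LIKE ? AND last_visit_time BETWEEN ? AND ? ORDER BY last_visit_time",
        ("%" + needle + "%", utc_to_webkit(start), utc_to_webkit(end))).fetchall()
    return [(url, fmt(ts)) for url, ts in rows]


def analyse(db=None) -> dict:
    if db is None:
        db = build_sample_history()
    pastebin = visits_in_window(db, "pastebin.com")
    return {
        "downloads": downloads_in_window(db),
        "pastebin_visits": pastebin,
        "paste_urls": [url for url, _ in pastebin if PASTE_URL.match(url)],
    }


if __name__ == "__main__":
    for key, value in analyse().items():
        print(key, value, sep=": ")
```

On a real image the file is `%LOCALAPPDATA%\Microsoft\Edge\User Data\Default\History` for Edge or `%LOCALAPPDATA%\Google\Chrome\User Data\Default\History` for Chrome; copy it out of the evidence first (a running browser keeps it locked, and there can be a journal/WAL file next to it that holds the newest rows) and pass that path to `sqlite3.connect` instead of `:memory:`.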

#### Q4) What is the string that was copied to the pastebin URL?

<figure><img src="/files/dtbsytn5i1wyd3DTjz14" alt=""><figcaption></figcaption></figure>

~~**Ans :** ne7AIRhi3PdESy9RnOrN~~

At this point, we already have a good idea of what happened. The malicious threat actor was able to successfully find and exfiltrate data. While we could not determine who this person is, it is clear that they knew what they wanted and how to get it.

I wonder what's so important that they risked accessing the machine in-person... I guess we'll never know.

But it was too easy. Thanks for reading 🔰, I appreciate it 🥰


