Registry Explorer - Secret Recipe

Examining registry artifacts for evidence

By Ren Sie

Refer to Registry4n6 for the challenge room on TryHackMe

Scenario

Jasmine owns a renowned coffee shop, Coffely, celebrated for its unique recipe, which she keeps exclusively on her work laptop. Recently, she sought help from James in the IT department to fix her laptop. However, there are suspicions that he may have copied the secret recipe. James's machine has been confiscated and examined, but no traces of the recipe were found. The security department has retrieved important registry artifacts from his device and has tasked you with examining these artifacts to determine whether any secret files exist on his machine.

Task

The Computer Name of the Machine found in the registry?

To find the name of the machine, open the SYSTEM hive in Registry Explorer. Either use the search function for "ComputerName" or navigate to the following path:

SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

Note: an offline SYSTEM hive has no CurrentControlSet key; that link only exists on a running system. Use the ControlSet00N whose number matches the Current value under SYSTEM\Select (usually ControlSet001). The same substitution applies to every SYSTEM path in this writeup.

When was the Admin account created on this machine?

The SAM hive holds information about the local accounts on the machine, including the account creation date. Use the same method as before in Registry Explorer: either search for "Users" or navigate to the following path, where the SAM plugin decodes each account's RID, user name, creation time, last login time and login count into one grid:

SAM\Domains\Account\Users

What is the RID associated with the Admin account?

In the same SAM Users view, the RID column gives the RID associated with the administrator account.

Note: A User ID is a general term for any identifier related to a user account, while a RID is the last numeric part of a Security Identifier (SID) that uniquely identifies a user or group within a domain or on a local machine. E.g., in the SID S-1-5-21-1004336348-1177238915-682003330-500, the RID is 500. RID 500 is always the built-in Administrator account (domain or local), RID 501 is the built-in Guest, and RIDs from 1000 upwards belong to accounts created after installation. In the raw hive the subkeys under SAM\Domains\Account\Users are named with the RID in zero-padded hexadecimal (000001F4 is RID 500, 000003F5 is RID 1013), and the Names subkey maps each account name to its RID; Registry Explorer's SAM plugin performs this conversion for you.

How many User accounts were observed on this machine?

In the same SAM Users view, each row is one local account, so the number of user accounts on the machine is the row count shown at the bottom of the grid (Total rows).

What is the Account Name associated with RID 1013?

In the same SAM Users view, find the row whose RID column reads 1013; its User Name column gives the account name.

What is the VPN connection this host connected to?

To identify the network connection history, examine the SOFTWARE hive in Registry Explorer. Either use the search function for "NetworkList" or follow the path:

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList

Each subkey under NetworkList\Profiles is one network the host has joined, with a ProfileName, a NameType and the DateCreated and DateLastConnected timestamps; the matching subkey under NetworkList\Signatures holds the default gateway MAC and DNS suffix. Registry Explorer's NetworkList plugin joins the two. NameType tells the kind of adapter: 0x47 (71) is wireless, 0x06 (6) is wired Ethernet and 0x17 (23) is PPP, which is what VPN and dial-up adapters report. A PPP profile is therefore a strong VPN indicator, but TAP-based VPN clients such as OpenVPN present as wired Ethernet, so also check the ProfileName and Description columns.

When was the first VPN connection observed?

In the same NetworkList view, DateCreated of the VPN profile is the first time the host connected to it, and DateLastConnected is the most recent time.
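The NetworkList decoding described above, as an added example that is not part of the original writeup or of Registry Explorer: this Python reproduces what the plugin does with the raw Profiles values. The GUIDs, profile names and dates are constructed sample data, and the NameType labels follow the ifType numbers given above.

```python
import struct
from datetime import datetime

# NameType holds an IANA ifType number; VPN and dial-up adapters report PPP,
# while TAP-based VPN clients show up as plain Ethernet.
NAME_TYPES = {0x06: "wired (Ethernet)", 0x17: "PPP (VPN / dial-up)", 0x47: "wireless (802.11)"}


def decode_systemtime(raw: bytes) -> datetime:
    """DateCreated and DateLastConnected are 16-byte SYSTEMTIME structures:
    eight little-endian WORDs (year, month, day-of-week, day, hour, minute,
    second, milliseconds), stored in the host's local time, not UTC."""
    if len(raw) != 16:
        raise ValueError("SYSTEMTIME is exactly 16 bytes, got %d" % len(raw))
    year, month, _dow, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    return datetime(year, month, day, hour, minute, second, ms * 1000)


def describe_profile(values: dict) -> dict:
    """Decode one NetworkList\\Profiles\\{GUID} value set into readable fields."""
    return {
        "name": values["ProfileName"],
        "type": NAME_TYPES.get(values["NameType"], "other (0x%02X)" % values["NameType"]),
        "first_connected": decode_systemtime(values["DateCreated"]),
        "last_connected": decode_systemtime(values["DateLastConnected"]),
    }


def ppp_profiles(profiles: dict) -> list:
    """Profiles whose NameType is PPP (0x17), earliest first connection first."""
    rows = [describe_profile(v) for v in profiles.values() if v["NameType"] == 0x17]
    return sorted(rows, key=lambda r: r["first_connected"])


# Constructed sample data in the shape a hive parser returns for each
# Profiles\{GUID} subkey (GUIDs, names and dates are made up).
SAMPLE_PROFILES = {
    "{4A8B0C1D-0000-4000-8000-000000000001}": {
        "ProfileName": "Office-Wi-Fi",
        "NameType": 0x47,
        "DateCreated": struct.pack("<8H", 2023, 3, 1, 6, 8, 12, 30, 0),
        "DateLastConnected": struct.pack("<8H", 2023, 4, 2, 11, 17, 45, 2, 0),
    },
    "{4A8B0C1D-0000-4000-8000-000000000002}": {
        "ProfileName": "Work VPN",
        "NameType": 0x17,
        "DateCreated": struct.pack("<8H", 2023, 4, 3, 12, 9, 30, 15, 250),
        "DateLastConnected": struct.pack("<8H", 2023, 4, 5, 14, 22, 5, 40, 0),
    },
}

if __name__ == "__main__":
    for row in ppp_profiles(SAMPLE_PROFILES):
        print(row)
```

Because SYSTEMTIME here is local time, compare it with the FILETIME-based artifacts (UserAssist, BAM, key last-write times) only after converting those from UTC to the host's time zone.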

What is the path of the third shared folders on the machine?

To identify the shared directories, examine the LanmanServer Shares key in Registry Explorer. Either use the search function for "Shares" or follow this path:

SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

Each value under Shares is named after a share and holds a REG_MULTI_SZ list of Name=Value pairs (CSCFlags, MaxUses, Path, Permissions, Remark, ShareName, Type); the Path entry is the local folder being shared. The default administrative shares (C$, ADMIN$, IPC$) are created by the service at start-up and do not appear here.

Note: LanmanServer is the Windows Server service that shares files and printers over the network using the Server Message Block (SMB) protocol.

What is the Last DHCP IP assigned to this host?

To learn the IP address, investigate the SYSTEM hive in Registry Explorer. Either use the search function for "Interfaces" or follow this path:

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Each {GUID} subkey is one network interface. DHCP-configured interfaces (EnableDHCP = 1) carry DhcpIPAddress, DhcpServer and DhcpNameServer, plus two REG_DWORD timestamps, LeaseObtainedTime and LeaseTerminatesTime, stored as Unix epoch seconds (UTC). The grid does not present these as a timeline, so rather than assuming the top or bottom entry is the last lease, order the interfaces by LeaseObtainedTime (the subkeys' last write times give the same ordering); the most recent lease is the last DHCP IP assigned to the host. An interface whose DhcpIPAddress is 0.0.0.0 has released or lost its lease.
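Ordering the leases by LeaseObtainedTime, as an added example that is not part of the original writeup: the interface GUIDs, addresses and epoch values below are constructed sample data in the shape a hive parser returns for each Interfaces\{GUID} subkey.

```python
from datetime import datetime, timezone


def epoch_to_utc(seconds: int) -> datetime:
    """LeaseObtainedTime / LeaseTerminatesTime are REG_DWORD Unix timestamps (UTC)."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def dhcp_leases(interfaces: dict) -> list:
    """Return DHCP leases newest first as (obtained, expires, ip, dhcp_server, guid).
    Static interfaces and interfaces that lost their lease (0.0.0.0) are skipped."""
    leases = []
    for guid, v in interfaces.items():
        if v.get("EnableDHCP") != 1:
            continue
        ip = v.get("DhcpIPAddress")
        if not ip or ip == "0.0.0.0":
            continue
        leases.append((epoch_to_utc(v["LeaseObtainedTime"]), epoch_to_utc(v["LeaseTerminatesTime"]),
                       ip, v.get("DhcpServer"), guid))
    return sorted(leases, key=lambda row: row[0], reverse=True)


def last_dhcp_ip(interfaces: dict):
    """The address of the most recently obtained lease, or None if there is none."""
    leases = dhcp_leases(interfaces)
    return leases[0][2] if leases else None


# Constructed sample (GUIDs, addresses and times are made up)
SAMPLE_INTERFACES = {
    "{11111111-0000-4000-8000-000000000001}": {  # wired, DHCP, older lease
        "EnableDHCP": 1, "DhcpIPAddress": "192.168.10.23", "DhcpServer": "192.168.10.1",
        "LeaseObtainedTime": 1690000000, "LeaseTerminatesTime": 1690086400,
    },
    "{11111111-0000-4000-8000-000000000002}": {  # static address, no lease values
        "EnableDHCP": 0, "IPAddress": ["10.0.0.5"], "SubnetMask": ["255.255.255.0"],
    },
    "{11111111-0000-4000-8000-000000000003}": {  # lease released, address zeroed
        "EnableDHCP": 1, "DhcpIPAddress": "0.0.0.0", "DhcpServer": "255.255.255.255",
        "LeaseObtainedTime": 1691000000, "LeaseTerminatesTime": 1691086400,
    },
    "{11111111-0000-4000-8000-000000000004}": {  # Wi-Fi, DHCP, most recent lease
        "EnableDHCP": 1, "DhcpIPAddress": "172.16.5.77", "DhcpServer": "172.16.5.1",
        "LeaseObtainedTime": 1692000000, "LeaseTerminatesTime": 1692086400,
    },
}

if __name__ == "__main__":
    for obtained, expires, ip, server, guid in dhcp_leases(SAMPLE_INTERFACES):
        print(obtained.isoformat(), expires.isoformat(), ip, server, guid)
    print("last DHCP IP:", last_dhcp_ip(SAMPLE_INTERFACES))
```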

What is the filename of secret coffee recipe that's been accessed?

Since the question states that the suspect accessed the secret coffee recipe, investigate RecentDocs in the user's NTUSER.DAT hive in Registry Explorer. Either use the search function for "RecentDocs" or follow this path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

RecentDocs records files opened through Explorer and the common open/save dialogs. The key itself holds the most recently opened items of every type, and each extension has its own subkey (for example RecentDocs\.docx). Values are numbered and hold the file name as a UTF-16LE string followed by the shell item of its .lnk; the MRUListEx value gives the order, most recent first, and the key's last write time dates only the entry in first position. Registry Explorer's RecentDocs plugin decodes all of this.

What command was run to enumerate the network interfaces?

RunMRU (Most Recently Used) keeps the commands a user has typed into the Run dialog (Win+R). You can access it by searching for "RunMRU" or by following this path:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Each entry is a single-letter value holding the command followed by "\1"; the MRUList value is the string of those letters in order, most recent first.

Note: pnputil /enum-interfaces enumerates the Plug and Play device interfaces registered on the machine (every interface class unless narrowed with /class <GUID>), including those of the network adapters, and shows each interface path with its enabled or disabled state. It does not show IP configuration; that would be ipconfig.

What is the name of the network utility the user searched for to transfer files in the file explorer?

To find the keywords searched in File Explorer, investigate WordWheelQuery in the user's NTUSER.DAT hive (not the SOFTWARE hive) in Registry Explorer. Search terms are stored as numbered UTF-16LE values, with an MRUListEx value giving their order, most recent first. Based on the results, netcat is the only keyword related to a network utility.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

What is the recent text file opened by the suspect?

Apply the same method as for the secret recipe question, but this time open the .txt subkey of RecentDocs, whose MRUListEx orders only text files; the entry in first position is the most recently opened one.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
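The MRU ordering used by RecentDocs, WordWheelQuery and RunMRU above, as an added example that is not part of the original writeup or of Registry Explorer. The file names, search terms, commands and the stand-in shell-item bytes are constructed sample data; the parsing follows the value layouts described in the text.

```python
import struct


def parse_mrulistex(raw: bytes) -> list:
    """MRUListEx is an array of little-endian DWORD value indices, most recent
    first, terminated by 0xFFFFFFFF."""
    order = []
    for (index,) in struct.iter_unpack("<I", raw[: len(raw) - len(raw) % 4]):
        if index == 0xFFFFFFFF:
            break
        order.append(index)
    return order


def first_utf16z(raw: bytes) -> str:
    """Return the leading NUL-terminated UTF-16LE string of a value's data.
    RecentDocs data continues with the .lnk shell item after the terminator;
    WordWheelQuery data is just the string."""
    end = 0
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[:end].decode("utf-16-le")


def mru_entries(key: dict) -> list:
    """Entries of an MRUListEx-ordered key (RecentDocs, WordWheelQuery),
    most recent first. Indices with no matching value are skipped."""
    return [first_utf16z(key[str(i)]) for i in parse_mrulistex(key["MRUListEx"]) if str(i) in key]


def runmru_entries(key: dict) -> list:
    """RunMRU uses single-letter values ending in '\\1' and a MRUList string
    of letters, most recent first."""
    return [key[letter].rsplit("\\1", 1)[0] for letter in key["MRUList"] if letter in key]


def utf16z(text: str) -> bytes:
    """Helper used only to build the constructed samples below."""
    return text.encode("utf-16-le") + b"\x00\x00"


# Constructed samples (file names, search terms and shell-item bytes are made up)
SAMPLE_RECENTDOCS_TXT = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": utf16z("meeting-notes.txt") + b"\x4e\x00\x32\x00",  # stand-in for the .lnk shell item
    "1": utf16z("todo.txt") + b"\x32\x00\x32\x00",
    "2": utf16z("shopping-list.txt") + b"\x46\x00\x32\x00",
}
SAMPLE_WORDWHEEL = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": utf16z("invoice"),
    "1": utf16z("netcat"),
}
SAMPLE_RUNMRU = {
    "MRUList": "ba",
    "a": "notepad\\1",
    "b": "pnputil /enum-interfaces\\1",
}

if __name__ == "__main__":
    print("most recent .txt:", mru_entries(SAMPLE_RECENTDOCS_TXT)[0])
    print("searches:", mru_entries(SAMPLE_WORDWHEEL))
    print("run commands:", runmru_entries(SAMPLE_RUNMRU))
```

Only the entry in first position of MRUListEx can be dated from the key's last write time; the remaining positions tell you relative order, not when each file was opened.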

How many times was PowerShell executed on this host?

To learn how many times a program was executed, check UserAssist, which records which GUI programs were launched, how many times, how long they held focus and when they were last run. The value names are ROT13-encoded, so searching the raw hive for a program name such as "powershell" finds nothing; navigate to the Count key below, where Registry Explorer's UserAssist plugin decodes the names and shows the run count per program (the search in the screenshot was only used for clarity). The subkey {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} covers executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} covers shortcuts.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The suspect also executed a network monitoring tool. What is the name of the tool?

Apply the same method as for the PowerShell question: scan the decoded program names in the UserAssist Count view for the network monitoring tool.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

How many seconds was ProtonVPN executed, based on the Registry Hives?

Apply the same method as for the PowerShell question. UserAssist stores each program's focus time, that is the total time its window was in the foreground, in milliseconds; Registry Explorer presents it as a duration, so convert it to seconds for the answer.

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
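Decoding UserAssist Count values for the three questions above (run count, program name, focus time), as an added example that is not part of the original writeup or of Registry Explorer. The record layout is the 72-byte Windows 7 and later format; {1AC14E77-02E7-4E5D-B744-2EB1AE5198B7} is the known-folder GUID Windows substitutes for System32 in these names, while the other paths, counts and times are constructed sample data.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # executable launches
LNK_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"  # shortcut (.lnk) launches
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; 0 means never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def parse_userassist(name: str, raw: bytes) -> dict:
    """Decode one Count value: ROT13 name plus the 72-byte Windows 7+ record
    (DWORD session id, run count, focus count and focus time in ms at offsets
    0-15, FILETIME of the last execution at offset 60). Unlike XP, the run
    count carries no +5 offset."""
    if len(raw) != 72:
        raise ValueError("expected a 72-byte Windows 7+ record, got %d bytes" % len(raw))
    run_count, focus_count, focus_ms = struct.unpack_from("<3I", raw, 4)
    (last_ft,) = struct.unpack_from("<Q", raw, 60)
    return {
        "name": codecs.decode(name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": focus_ms / 1000,
        "last_executed": filetime_to_utc(last_ft),
    }


def decode_count_key(count_key: dict) -> list:
    """Decode every value of a UserAssist\\{GUID}\\Count key."""
    return [parse_userassist(n, v) for n, v in count_key.items()]


def find_program(entries: list, basename: str):
    """First entry whose decoded path ends with basename (case-insensitive)."""
    basename = basename.lower()
    for e in entries:
        lowered = e["name"].lower()
        if lowered == basename or lowered.endswith("\\" + basename):
            return e
    return None


# --- constructed sample data -------------------------------------------------
def make_record(run_count, focus_count, focus_ms, unix_seconds):
    """Build a 72-byte record; only used to construct the sample below."""
    ft = unix_seconds * 10_000_000 + 116444736000000000  # Unix epoch expressed as FILETIME
    return struct.pack("<4I", 0, run_count, focus_count, focus_ms) + b"\x00" * 44 + struct.pack("<QI", ft, 0)


def rot13(s: str) -> str:
    """Names are stored already rotated on disk; this builds such a name."""
    return codecs.encode(s, "rot13")


SAMPLE_COUNT = {
    rot13("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\WindowsPowerShell\\v1.0\\powershell.exe"): make_record(7, 9, 185_000, 1685620800),
    rot13("{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"): make_record(2, 2, 14_250, 1685617200),
    rot13("C:\\Tools\\example-monitor.exe"): make_record(1, 1, 42_500, 1685624400),
}

if __name__ == "__main__":
    for e in sorted(decode_count_key(SAMPLE_COUNT), key=lambda e: e["last_executed"]):
        print(e)
```

Focus time only accrues while the program's window is in the foreground, so it is a lower bound on how long a tool such as a VPN client was actually running.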

What is the full path from which Everything.exe was executed?

To find the complete path of an application that has been run, check the Background Activity Moderator (BAM), a kernel service that records, per user SID, the full path of each executable and the last time it ran. Searching the hive for the key name is less direct here; navigate to the path below, where each value name is the full executable path and Registry Explorer's BAM plugin decodes the last-execution timestamps (the search in the screenshot was only used for clarity). Paths are recorded as NT device paths such as \Device\HarddiskVolume3\..., not drive letters; the volume that holds \Windows\System32 is the system drive, normally C:.

SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

On Windows 10 version 1809 and later the key is SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}.
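Decoding a BAM UserSettings key, as an added example that is not part of the original writeup or of Registry Explorer. The SID, paths and times are constructed sample data, and the device-to-drive-letter mapping is supplied as an input (an assumption the analyst establishes separately), not read from the hive.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
BOOKKEEPING = {"Version", "SequenceNumber"}  # DWORD/QWORD values, not program paths


def filetime_to_utc(ft: int):
    """FILETIME counts 100 ns intervals since 1601-01-01 UTC; 0 means never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None


def parse_bam_sid_key(sid_key: dict) -> list:
    """Entries of bam\\UserSettings\\<SID> (or bam\\State\\UserSettings\\<SID>)
    as (last_run_utc, nt_path), newest first. Value data is 24 bytes with a
    FILETIME in the first 8."""
    rows = []
    for name, raw in sid_key.items():
        if name in BOOKKEEPING or len(raw) < 8:
            continue
        (ft,) = struct.unpack_from("<Q", raw, 0)
        rows.append((filetime_to_utc(ft), name))
    return sorted(rows, key=lambda r: r[0], reverse=True)


def find_executable(sid_key: dict, basename: str) -> list:
    """Every recorded path ending in basename, with its last-run time."""
    suffix = "\\" + basename.lower()
    return [(ts, path) for ts, path in parse_bam_sid_key(sid_key) if path.lower().endswith(suffix)]


def device_to_drive(nt_path: str, volume_map: dict) -> str:
    """Swap the \\Device\\HarddiskVolumeN prefix for a drive letter using a
    caller-supplied mapping; unknown volumes are returned unchanged."""
    for device, letter in volume_map.items():
        if nt_path.startswith(device + "\\"):
            return letter + nt_path[len(device):]
    return nt_path


def make_entry(unix_seconds: int) -> bytes:
    """Constructed 24-byte BAM value: FILETIME followed by 16 zero bytes."""
    return struct.pack("<Q", unix_seconds * 10_000_000 + 116444736000000000) + b"\x00" * 16


# Constructed sample (paths, times and the volume mapping are made up)
SAMPLE_SID_KEY = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<Q", 42),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe": make_entry(1685617200),
    "\\Device\\HarddiskVolume3\\Users\\user1\\Downloads\\Everything\\Everything.exe": make_entry(1685624400),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe": make_entry(1685620800),
}
SAMPLE_VOLUMES = {"\\Device\\HarddiskVolume3": "C:"}

if __name__ == "__main__":
    for ts, path in find_executable(SAMPLE_SID_KEY, "Everything.exe"):
        print(ts.isoformat(), device_to_drive(path, SAMPLE_VOLUMES))
```

BAM keeps one timestamp per path, the most recent run, so it complements UserAssist (run counts, focus time) rather than replacing it, and it covers console programs that UserAssist never records.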
