Windows forensics - Unattended

Inspect a compromised Windows machine's activities with Registry Explorer and Autopsy

By Ren Sie

Refer to Unattended for the challenge room on TryHackMe

Task

Our client has a new employee who observed a suspicious janitor leaving his office as he returned from lunch. Investigate user activity between 12:05 PM and 12:45 PM on November 19, 2022. Identify any accessed and potentially exfiltrated files.

Use the disk image located at C:\Users\THM-RFedora\Desktop\kape-results\C for the investigation. The tools can be found at C:\Users\THM-RFedora\Desktop\tools.

Snooping around

Initial investigations show that someone accessed the user's computer during the specified timeframe. It seems this individual knew exactly what to look for, which raises some questions.

We will use Registry Explorer to see the user's recent activity by checking the paths they've typed into the Windows Explorer address bar. The relevant key is:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Note: WordWheelQuery allows users to filter and search results by selecting keywords from file names or attributes.

What file type was searched for using the search bar in Windows Explorer?

After navigating to the WordWheelQuery key in Registry Explorer, the values listed under it show the file type that was searched for in the search bar.
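Registry Explorer does the decoding for us, but it helps to know what it is reading. WordWheelQuery stores each search term as a numbered value holding a UTF-16LE, NUL-terminated string, and an MRUListEx value holding little-endian 32-bit indices (most recent first, terminated by 0xFFFFFFFF). The following is an added example, not code from the room or from Registry Explorer; the key contents are constructed by hand rather than taken from the challenge hive, and the function names are my own.

```python
import struct

# Constructed sample of a WordWheelQuery key's values (assumption: built by
# hand for this example, not exported from the challenge NTUSER.DAT).
# Numbered values are UTF-16LE strings with a two-byte NUL terminator;
# MRUListEx is a list of uint32 indices, most recent first, ending in 0xFFFFFFFF.
def _u16(s: str) -> bytes:
    return s.encode("utf-16-le") + b"\x00\x00"

SAMPLE_VALUES = {
    "0": _u16("report"),
    "1": _u16("*.docx"),
    "2": _u16("budget"),
    "MRUListEx": struct.pack("<4I", 2, 1, 0, 0xFFFFFFFF),
}

def parse_mrulistex(raw: bytes) -> list[int]:
    """Decode MRUListEx into value indices in most-recent-first order."""
    if len(raw) % 4:
        raise ValueError("MRUListEx length is not a multiple of 4")
    order = []
    for (idx,) in struct.iter_unpack("<I", raw):
        if idx == 0xFFFFFFFF:   # list terminator
            break
        order.append(idx)
    return order

def decode_search_term(raw: bytes) -> str:
    """Decode a UTF-16LE value and stop at the first NUL terminator."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]

def recent_searches(values: dict[str, bytes]) -> list[tuple[int, str]]:
    """Return (index, term) pairs in MRU order.

    An index in MRUListEx may point at a value that no longer exists
    (the value was deleted but the list was not rewritten); skip those
    rather than failing, since that is exactly the kind of inconsistency
    a real hive can show.
    """
    out = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is None:
            continue
        out.append((idx, decode_search_term(raw)))
    return out

def file_type_searches(searches: list[tuple[int, str]]) -> list[str]:
    """Pick out terms that are wildcard extension searches such as '*.docx'."""
    return [term for _, term in searches if term.startswith("*.")]

if __name__ == "__main__":
    for idx, term in recent_searches(SAMPLE_VALUES):
        print(f"value {idx}: {term!r}")
    print("file-type searches:", file_type_searches(recent_searches(SAMPLE_VALUES)))
```

The MRU order is what tells you which search happened last; the value names alone (0, 1, 2) say nothing about recency, which is why a bare hive dump is easy to misread.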

What top-secret keyword was searched for using the search bar in Windows Explorer?

The searched keyword also appears in the previous screenshot.

Can't simply open it

Unsurprisingly, they found what they were looking for within minutes. However, they encountered an obstacle and needed additional information to proceed.

TIP: To improve load times in the Autopsy Tool, select "Recent Activity" in the Ingest settings.

In this section, we will use Autopsy to answer the questions. First, create a case and add the logical files at C:\Users\THM-RFedora\Desktop\kape-results\C\ as the data source. As suggested, select only "Recent Activity" in the ingest settings.

What is the name of the downloaded file to the Downloads folder?

Navigate to the Web Downloads tab, which lists downloaded files. As noted in the introduction, we need to investigate user activity between 12:05 PM and 12:45 PM on November 19, 2022. Look for any file downloaded within that period that was saved to the user's Downloads directory.

When was the file from the previous question downloaded?

Refer to the previous screenshot for the download time.

Thanks to the previously downloaded file, a PNG file was opened. When was this file opened?

I found two ways to answer this question: using Registry Explorer or Autopsy. In Registry Explorer, navigate to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.

On Registry Explorer

On Autopsy

Sending it outside

Uh oh. They've found valuable data and are now preparing to exfiltrate it from the network. Since USB is not an option, what alternative methods might they use?

A text file was created in the Desktop folder. How many times was this file opened?

As the hint suggests, we will investigate the Jump Lists with JLECmd.

JLECmd.exe -d "C:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations" --csv <output-path>

Open the resulting CSV file with EZViewer and look for the "Path" and "InteractionCount" columns; these hold the information we need.

When was the text file from the previous question last modified?

Check the "Last Modified" column in the .csv file or refer to the previous screenshot.
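EZViewer is convenient for a handful of rows, but on a busy machine the AutomaticDestinations export is long, and the same 12:05 PM to 12:45 PM filter applied to the Web Downloads results applies here too. The following is an added example, not code from the room or from JLECmd: it parses a CSV in the shape of a JLECmd --csv export and keeps only entries whose LastModified falls inside the investigation window, optionally restricted to a folder such as Desktop. Assumptions: the sample rows are constructed, not taken from the challenge image; only the columns used here are included (the page names Path, InteractionCount and Last Modified; the SourceFile column and the "YYYY-MM-DD HH:MM:SS" timestamp format are my assumptions about the export); and the window is compared in the same timezone as the timestamps in the file.

```python
import csv
import io
from datetime import datetime
from typing import Optional

# Constructed sample in the shape of a JLECmd --csv export (assumption: a
# subset of its columns; no row here comes from the challenge image).
SAMPLE_CSV = """SourceFile,Path,InteractionCount,LastModified
a.automaticDestinations-ms,C:\\Users\\THM-RFedora\\Desktop\\notes.txt,3,2022-11-19 12:31:07
a.automaticDestinations-ms,C:\\Users\\THM-RFedora\\Documents\\old.txt,1,2022-11-10 08:00:00
b.automaticDestinations-ms,C:\\Users\\THM-RFedora\\Downloads\\tool.zip,1,2022-11-19 12:15:22
b.automaticDestinations-ms,C:\\Users\\THM-RFedora\\Desktop\\readme.txt,2,2022-11-19 13:02:00
"""

# Investigation window from the task description.
WINDOW_START = datetime(2022, 11, 19, 12, 5)
WINDOW_END = datetime(2022, 11, 19, 12, 45)

def parse_timestamp(value: str) -> Optional[datetime]:
    """Parse a timestamp field; accept optional fractional seconds.

    Returns None for an empty or unexpected field instead of guessing,
    so a malformed row is dropped rather than silently placed in the window.
    """
    for fmt in ("%Y-%m-%d %H:%M:%S.%f", "%Y-%m-%d %H:%M:%S"):
        try:
            return datetime.strptime(value.strip(), fmt)
        except ValueError:
            continue
    return None

def entries_in_window(csv_text: str,
                      start: datetime = WINDOW_START,
                      end: datetime = WINDOW_END,
                      path_prefix: str = "") -> list[dict]:
    """Return jump-list entries last modified inside [start, end].

    path_prefix (case-insensitive) narrows results to one folder, e.g. the
    user's Desktop. Results are sorted oldest first to read as a timeline.
    """
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        ts = parse_timestamp(row.get("LastModified", ""))
        if ts is None or not (start <= ts <= end):
            continue
        if not row["Path"].lower().startswith(path_prefix.lower()):
            continue
        rows.append({
            "path": row["Path"],
            "interactions": int(row["InteractionCount"]),
            "last_modified": ts,
            "source": row.get("SourceFile", ""),
        })
    rows.sort(key=lambda r: r["last_modified"])
    return rows

if __name__ == "__main__":
    desktop = "C:\\Users\\THM-RFedora\\Desktop\\"
    for entry in entries_in_window(SAMPLE_CSV, path_prefix=desktop):
        print(f"{entry['last_modified']}  opened {entry['interactions']}x  {entry['path']}")
```

Run it with the real export by reading the CSV file into a string and passing it as csv_text; the path_prefix should then be the Desktop path as it appears in the Path column of that export.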

The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?

Use the search feature for the keyword "pastebin.com" in Autopsy to find the URL of the exfiltrated data.

What is the string that was copied to the pastebin URL?

By pasting the URL found in the previous question into the browser, we can view the content.
