TryHackMe: Unattended

Published on 14-03-2023

Link: Unattended

Description:

  • Investigate user activity between 12:05 PM and 12:45 PM on the 19th of November 2022.

  • Figure out which files were accessed and exfiltrated externally.

TASK3: Snooping around

What file type was searched for using the search bar in Windows Explorer?

What top-secret keyword was searched for using the search bar in Windows Explorer?

  • You can use the Registry Explorer tool to check the Windows Explorer search bar history.

  • You can find this information in NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths or NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.

  • Load the NTUSER.DAT hive.
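As an added illustration of what Registry Explorer shows for WordWheelQuery (this is not the room's own tooling), the snippet below decodes the key's raw values: each search term is a null-terminated UTF-16LE string in a value named "0", "1", ..., and MRUListEx is a list of little-endian DWORD indices, terminated by 0xFFFFFFFF, that gives the most-recent-first order. The sample values are constructed, not taken from the room's hive.

```python
import struct

# Constructed sample of the values under
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
# Index 2 is listed first in MRUListEx, so "confidential" is the latest search.
SAMPLE_VALUES = {
    "MRUListEx": struct.pack("<3I", 2, 0, 1) + b"\xff\xff\xff\xff",
    "0": "report".encode("utf-16-le") + b"\x00\x00",
    "1": "*.pdf".encode("utf-16-le") + b"\x00\x00",
    "2": "confidential".encode("utf-16-le") + b"\x00\x00",
}


def decode_mrulistex(raw: bytes) -> list[int]:
    """Return the MRU order (most recent first) encoded in an MRUListEx value."""
    order = []
    for off in range(0, len(raw) - len(raw) % 4, 4):
        (idx,) = struct.unpack_from("<I", raw, off)
        if idx == 0xFFFFFFFF:  # list terminator
            break
        order.append(idx)
    return order


def decode_search_string(raw: bytes) -> str:
    """Decode a null-terminated UTF-16LE search term, dropping anything after the NUL."""
    text = raw.decode("utf-16-le", errors="replace")
    return text.split("\x00", 1)[0]


def wordwheel_history(values: dict[str, bytes]) -> list[str]:
    """Search terms most-recent-first; terms not referenced by MRUListEx go last."""
    order = decode_mrulistex(values.get("MRUListEx", b""))
    history = [decode_search_string(values[str(i)]) for i in order if str(i) in values]
    referenced = {str(i) for i in order}
    # Values missing from MRUListEx (e.g. a partially updated list) are still evidence.
    for name, raw in values.items():
        if name != "MRUListEx" and name not in referenced:
            history.append(decode_search_string(raw))
    return history


if __name__ == "__main__":
    for rank, term in enumerate(wordwheel_history(SAMPLE_VALUES)):
        print(f"{rank}: {term}")
```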


TASK4: Can’t simply open it

What is the name of the downloaded file to the Downloads folder?

When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)

  • Open Autopsy and select Logical Files as the data source type.

  • Select the ‘C’ file:

  • Now you can check the Web Downloads section.

Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)

  • Switching back to Registry Explorer, you can search for .png.

TASK5: Sending it out

A text file was created in the Desktop folder. How many times was this file opened?

When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)

  • You can use the JLECmd tool:
JLECmd.exe -d c:\Users\THM-RFedora\Desktop\kape-results\C\Users\THM-RFedora

The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?

  • Switching back to Autopsy, you can find the answer under the Web History section.

What is the string that was copied to the pastebin URL?
