Unattended - THM
Last updated
Digital Forensics and Incident Response
Welcome to the team, kid. I have something for you to get your feet wet. Our client has a newly hired employee who saw a suspicious-looking janitor exiting his office as he was about to return from lunch. I want you to investigate whether there was user activity while the user was away between 12:05 PM and 12:45 PM on the 19th of November 2022. If there was, figure out what files were accessed and exfiltrated externally.
You'll be accessing a live system, but use the disk image already exported to the C:\Users\THM-RFedora\Desktop\kape-results\C directory for your investigation. The link to the tools that you'll need is in C:\Users\THM-RFedora\Desktop\tools.
Finally, I want to remind you that you signed an NDA, so avoid viewing any files classified as top secret. I don't want us to get into trouble.
1. What file type was searched for using the search bar in Windows Explorer?
We begin by opening Registry Explorer. This tool lets us browse the system's registry hive files, where user and system settings are stored.
Specifically, we focus on the NTUSER.DAT file. This hive is essential because it holds the per-user registry settings (what the user sees as HKEY_CURRENT_USER) for the profile in question, so user-specific artifacts such as Explorer search history live here.
Next, we navigate to the path NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery. This location within the registry holds the search history for Windows Explorer.
Upon inspection, we find that the file type searched for is .pdf.
2. What top-secret keyword was searched for using the search bar in Windows Explorer?
From the same result as the previous question, we can identify that the answer is continental.
continental
3. What is the name of the downloaded file to the Downloads folder?
We begin by powering up Autopsy and creating a new case.
We select the source data type as Logical Files, which allows us to focus on specific files rather than an entire disk image.
Next, we add the data source by choosing the kape-results folder. This folder contains the necessary forensic artifacts for our investigation.
In the configure ingest step, we deselect all options and choose only Recent Activity. This helps us streamline the analysis by focusing on the most relevant data.
Once the data source is added, we click finish to proceed with the investigation.
We then view the web downloads artifacts and narrow down the results by ordering them by Date accessed. This allows us to focus on the specific time frame of interest, which is between 12:05 PM and 12:45 PM on the 19th of November 2022.
By examining the listings within this time frame, we identify the downloaded file as 7z2201-x64.exe.
7z2201-x64.exe
4. When was the file from the previous question downloaded? (YYYY-MM-DD HH:MM:SS UTC)
From the same listing as the previous question, we can identify that the answer is 2022-11-19 12:09:19 UTC.
2022-11-19 12:09:19 UTC
5. Thanks to the previously downloaded file, a PNG file was opened. When was this file opened? (YYYY-MM-DD HH:MM:SS)
First, we note the exact time of the previous file download, as the PNG file should logically be opened after this time.
Next, we open Registry Explorer and load the NTUSER.DAT file.
We then navigate to NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs. This registry path is significant because it stores information about recently accessed documents (one subkey per file extension), allowing us to pinpoint the exact time files were opened.
Upon examining this location, we find that a PNG file was recently opened at 2022-11-19 12:10:21.
2022-11-19 12:10:21
6. A text file was created in the Desktop folder. How many times was this file opened?
From the same listing we used in the previous question, we observe that there is also a .txt file in the RecentDocs registry path.
This entry has a value of 2, indicating that the text file has been opened twice.
2
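Both WordWheelQuery (questions 1 and 2) and RecentDocs (questions 5 and 6) use the same on-disk layout: numbered values holding UTF-16LE strings, ordered by an MRUListEx value, with the key's last-write time marking when the newest entry was added. The following is an added example, not part of the original writeup or of Registry Explorer, that parses that layout from constructed sample bytes; the value names, search terms and FILETIME constant are constructed to mirror the room, and the file name screenshot.png is a placeholder.

```python
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of the raw values one would read out of
# NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery.
# Value names are numeric; MRUListEx lists them most-recent-first and ends
# with 0xFFFFFFFF.
def _u16(s: str) -> bytes:
    """Encode a string the way Explorer stores it: UTF-16LE, NUL-terminated."""
    return s.encode("utf-16-le") + b"\x00\x00"


WORDWHEEL_VALUES = {
    "MRUListEx": struct.pack("<3I", 1, 0, 0xFFFFFFFF),
    "0": _u16(".pdf"),
    "1": _u16("continental"),
}

# Constructed RecentDocs\.png sample: each value starts with the UTF-16LE
# file name, followed by a shell-link fragment that we do not need to parse.
RECENTDOCS_PNG_VALUES = {
    "MRUListEx": struct.pack("<2I", 0, 0xFFFFFFFF),
    "0": _u16("screenshot.png") + b"\x14\x00\x32\x00\x00\x00\x00\x00",
}

# Constructed FILETIME for the key's last-write time: 2022-11-19 12:10:21 UTC.
RECENTDOCS_PNG_LASTWRITE = 133133334210000000

WINDOW_START = datetime(2022, 11, 19, 12, 5, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 11, 19, 12, 45, tzinfo=timezone.utc)


def parse_mrulistex(raw: bytes) -> list[str]:
    """Return value names in MRU order (newest first), stopping at 0xFFFFFFFF."""
    count = len(raw) // 4
    ids = struct.unpack("<%dI" % count, raw[: count * 4])
    names = []
    for i in ids:
        if i == 0xFFFFFFFF:
            break
        names.append(str(i))
    return names


def first_utf16_string(raw: bytes) -> str:
    """Decode the leading NUL-terminated UTF-16LE string of a value."""
    for off in range(0, len(raw) - 1, 2):
        if raw[off : off + 2] == b"\x00\x00":
            return raw[:off].decode("utf-16-le")
    return raw.decode("utf-16-le", errors="replace")


def ordered_entries(values: dict) -> list[str]:
    """Resolve MRUListEx into the decoded entries, most recent first."""
    return [
        first_utf16_string(values[name])
        for name in parse_mrulistex(values["MRUListEx"])
        if name in values
    ]


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def in_investigation_window(ts: datetime) -> bool:
    """True if the timestamp falls inside the 12:05-12:45 window from the brief."""
    return WINDOW_START <= ts <= WINDOW_END


if __name__ == "__main__":
    print("Explorer searches (newest first):", ordered_entries(WORDWHEEL_VALUES))
    opened = filetime_to_datetime(RECENTDOCS_PNG_LASTWRITE)
    print("Most recent PNG:", ordered_entries(RECENTDOCS_PNG_VALUES)[0], "opened", opened)
    print("Inside window:", in_investigation_window(opened))
```

Because MRUListEx is rewritten every time a new search or document is added, the key's last-write time dates only the newest entry; older entries in the list carry no timestamp of their own, which is why the PNG time can be read from the RecentDocs\.png key but the earlier searches cannot be individually dated.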
7. When was the text file from the previous question last modified? (MM/DD/YYYY HH:MM)
To determine when the text file from the previous question was last modified, we explore the web history artifact using Autopsy.
During this investigation, we identify a .txt file named launchcode.txt that has the same timestamp as the one previously found using Registry Explorer.
From this listing, we see that the file was last opened or modified on 11/19/2022 12:12.
11/19/2022 12:12
8. The contents of the file were exfiltrated to pastebin.com. What is the generated URL of the exfiltrated data?
To find the generated URL of the exfiltrated data, we refer to the same listing of web history artifacts as in the previous question.
From this listing, we observe a Pastebin entry with the URL https://pastebin.com/1FQASAav. This URL gives us the exact location to which the data was exfiltrated.
https://pastebin.com/1FQASAav
9. What is the string that was copied to the pastebin URL?
To determine the string that was copied to the Pastebin URL, we examine the data artifacts within the web history artifacts.
By analyzing these artifacts, we identify the string ne7AIRhi3PdESy9RnOrN as the data that was exfiltrated to the Pastebin URL.
ne7AIRhi3PdESy9RnOrN