Data Exfiltration - Guest to Host File Transfer Logging

Hi,

I own an MSP and we've recently investigated an incident where a client was phished into installing a rogue ScreenConnect (SC) agent onto their computer. It was a silent install and an older agent so it had all the configs set for stealth - not removing the background image or showing the Agent bar at the top etc.

The rogue agent was installed for around 8 days, and by viewing the Windows Event Logs we were able to identify the dates and times the attacker was connected, their remote server IPs, and the usernames of their accounts.

The reason we were alerted to the rogue SC agent is because the attacker tried to transfer "hidemouse.exe" through the file transfer window and luckily our SentinelOne agent caught that "malicious" file and alerted us to the infection. After getting the machine in we discovered the root cause (phishing email) and started digging into the incident.

What we've discovered, both by verifying on the compromised computers (we had 2... user 1 emailed the link to user 2 asking them to open it because "it didn't work for me... can you try?" UGH) AND by verifying internally on our own company computers through testing:

The Guest side SC agent does NOT appear to keep logs of OUTBOUND file transfers.

We can clearly see EventID 201 - when a file transfer is made INBOUND from the Host (attacker) to the Guest PC - this is where the S1 Agent picked up the malicious file.

But by scouring the internet, we cannot seem to find any record of logs for OUTBOUND (Guest to Host) file transfers. Some reports (Reddit etc.) say that this does not exist on the Guest PC/side.

To test that, we were able to, on our on-prem hosted instance, confirm we can see the "SentFiles" Security Event Filter and properly see files "exfiltrated" from Guest to Host in the server logs. We also confirmed the Windows Event Log does record "received/inbound/i.e. Host to Guest" file transfers just fine, but it does NOT report exfiltrated/outbound/i.e. Guest to Host file transfers.

Essentially, it appears there is NO way to figure out (no client side logs) what the attackers, in our instance, may or may not have transferred Guest to Host while they had access to the 2 customer computers over the 8 or so days they had their agent installed.

I am now in the process of preparing a report for our client and he needs to know: Did the attackers steal any of his data.

At this point, I can't say either way.

So I need an answer (statement) from SC:

Is there client side logging of outbound/Guest to Host data transfers to identify if any data was exfiltrated via a Rogue SC agent, or not?
Can you please point me to an official statement/response/document that outlines this answer so I can include it in my report?

And, if there is no such logging... I highly suggest that be included - even if the attackers know it's there, if they're lazy and don't clean it up, it gives some client side logging for those of us "after the fact" to know better what was done.

Thanks,


Tom
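As an added example (not part of Tom's post or of any ConnectWise documentation), a PowerShell query that pulls the inbound (Host to Guest) transfer events described above from the Windows Application log so they can be lined up against the session timeline for the report. It assumes the ScreenConnect client writes to the Application log under a provider name beginning "ScreenConnect Client" (the hash suffix distinguishing one agent install from another), and that Event ID 201 is the inbound file transfer event as the post states; verify the provider name on the machine being examined.

```powershell
# Added example: timeline of inbound (Host -> Guest) file transfer events
# recorded by the ScreenConnect client in the Windows Application log.
# Assumption: provider name looks like "ScreenConnect Client (<hash>)".
function Get-ScreenConnectInboundTransfers {
    param(
        [datetime]$Start = (Get-Date).AddDays(-30),
        [datetime]$End   = (Get-Date)
    )
    $filter = @{ LogName = 'Application'; Id = 201; StartTime = $Start; EndTime = $End }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like 'ScreenConnect Client*' } |
        ForEach-Object {
            [pscustomobject]@{
                TimeCreated = $_.TimeCreated
                # Different hash suffixes separate a rogue agent from the MSP's own agent
                Provider    = $_.ProviderName
                Message     = ($_.Message -replace '\s+', ' ')
            }
        } |
        Sort-Object TimeCreated
}

# Group by provider so each agent install gets its own inbound-transfer timeline,
# then export for the incident report. Outbound (Guest -> Host) transfers leave no
# client-side event, as the post describes, so that direction must be reconstructed
# from the server-side "SentFiles" audit rather than from this log.
$events = Get-ScreenConnectInboundTransfers
$events | Group-Object Provider | ForEach-Object {
    "{0}: {1} inbound transfer event(s)" -f $_.Name, $_.Count
}
$events | Export-Csv -Path "$env:USERPROFILE\Desktop\sc_inbound_transfers.csv" -NoTypeInformation
```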