Data Exfiltration - Guest to Host File Transfer Logging - Round 2
Hi Sean,
You closed my post without fully reading my post.
https://screenconnect.product.connectwise.com/communities/67/topics/5073-data-exfiltration-guest-to-host-file-transfer-logging
I can't reply there so I'm starting a new one - in case the email that was posted there goes to nowhere land as well.
Your answer is not helpful. I know on the server side we can view logs of transfers to and from agents on our hosted SC server. However, the issue is not with that scenario. The customer was phished to install an agent from a completely different hosted company that the attacker controlled, so we don’t have access to the session.db and no access to view the timeline and audit logs – we verified this by looking at OUR agent for the client computers and they did not reflect any data for the known file transfer (Host to Guest that SentinelOne flagged).
I’m looking for an answer or help determining what is guest or client side that may log or allow me to report to the customer “did the attacker steal any data from their computer?”
Because as it sits right now, I haven’t been able to answer that question for the customer, and our internal tests show that I can exfiltrate – pull data from one of my employees’ computers, with the employee computer not logging the transfer in any way.