The forensic examiners share another real-world exposure story where the Remote Desktop Protocol was used to get hold of a company’s confidential documents.
Michael: This next case (see right-hand image) was probably one of the most fun cases that I have worked on. Right from the start I could tell that it was going to be a fun one. I call it “The RDP Bounce”, you’ll see why. I was called in to investigate a network breach. The company told us and they shared some information with us that there was evidence that at least one computer had been breached. They didn’t know why, didn’t know what, and they asked us to investigate and to tell them why and to tell them what.
It was a large company, they had a lot of computers, all of them were Windows-based, thousands of computers in offices all across the world. In one of their offices they noticed that this computer had been breached. So let’s figure out what happened.
We move in and analyze the one computer that they knew was breached. It showed that RDP, Remote Desktop Protocol – this is the tool that’s built into Windows that allows you to remotely control another computer – some logs showed us that RDP was used to connect using the local administrator password to another machine. It showed that RDP was used to connect in and it also showed that RDP was used to connect out. So, in this little diagram here (see image above) we are also looking at the middle computer, I didn’t know at the time that there were other computers. I was just looking at the middle one, and it seemed that there were a bunch used in here. So it was probably the tip of the iceberg.
Eric: Where do you find these logs, Michael?
Michael: Specifically I was looking at the Windows event log, the Event Viewer. If you go into the Control Panel and the administrator tools, there is the Event Viewer tool. By default it logs a lot of stuff in there including when RDP is used to connect in and when you are connecting out. So I analyzed the machine that came before it – same thing. There were logs that showed that someone was connecting into that. It was basically an entire bounce.
Now, these computers were located in different offices all around the world. This guy was bouncing all around the world to do something. So, obviously, this is a pattern. I still didn’t know what he was doing. I just knew that he was, clearly, going through a lot of trouble to obfuscate his trail, bouncing all around, probably so that when he does hit his final target there’s no direct evidence to where he was coming from.
Audience: Were these sessions within sessions?
Michael: Yes, they were all sessions within sessions. He opens up a remote desktop, and then within that remote desktop window he opens up another remote desktop to another machine. He just did this over and over. It must have taken him hours because remote desktop is not the fastest protocol at all. I don’t even want to speculate how long it took him to do this.
Eric: Can you imagine how long the screen redraw was by the time you get to, like, machine ten?
Michael: Jesus Christ! You probably have to double-click with, like, a minute in-between clicks or something. So, what was the target? I think you can all figure out what I am going to do next. Rather than following the trail back I started to follow the trail forward. What was he getting? Step after step, computer after computer, site after site after site all around the world, I finally reached the high-profile machine. I wish I could tell you which specific machine it was; I can’t because it would give away too much about this company.
Once I reached this machine, I knew exactly what he was going after. He wanted highly confidential documents that were only on this one machine in the entire company. He obviously knew this and he wanted to get into this machine to get these documents.
So I focused my analysis on this target machine, on this special confidential machine, and I wanted to see specifically which files they took. It took me only about two minutes as I was analyzing this machine, I identified the attacker immediately. He went through all around the world, and finally when I was taking a look at his target, within two minutes I found out who he was.
Audience: Did he use his own credentials on the machine?
Michael: No, he did not use his own credentials on the machine. Any other guesses?
Audience: He emailed it to himself?
Audience: He stole his own file?
Audience: Shared drive?
Eric: Michael, what did he do?
Michael: Printers! So, one thing a lot of people don’t know about remote desktop is by default it maps the printer connected to your machine to the machine that you’re connecting out to. It does this so that when you hit Print inside your remote desktop window, your printer next to you is available so you can print a document beside you. Now, this guy didn’t print any documents. Just by connecting, his machine automatically mapped his local printer to the target machine which identified his machine name. He forgot to turn this off. There’s a checkbox in Remote Desktop Protocol; when you open up the RDP window you hit Options and then uncheck Map Printers to Target Machine. It’s just a checkbox, he did not uncheck it.
Michael: Well, log entries that are created by innocuous system events can give insight into user actions. Now, he didn’t map his printer, the system did it automatically. So sometimes just looking at what the system is doing can tell you what the user was doing.
For the fail matrix (see left-hand image), user retard level would be about 20 because he went through a lot of trouble to cover his tracks and he did not cover his tracks. Punishment level would be 15: he lost his job and he also lost his references, he can’t use that company as a reference anymore. Distress caused would be 8. Bonus points would be 20: do some research! If you’re going to use RDP to pull off some kind of a scam, know how RDP works. Adding it all up, we get a fail score of 63.
Read previous: Forensic Fails 3: Smoking Gun.txt and Hiding in the Cloud
Read next: Forensic Fails 5: Wrongfully Accused