Data Exfiltration via ConnectWise Control (formerly ScreenConnect)

Businesses have been reshaped by the COVID-19 global pandemic. Employees were directed to work from home for extended periods; however, some businesses did not consider the insider-threat risk this creates, for instance an employee transferring data from business systems to their own machine via their remote access software of choice.

In this post I have a quick look at the artefacts that are created when data is transferred to an employee’s home computer (home computer) from an employer’s computer (work computer) using the ConnectWise Control remote access client.

I like to use ‘Everything’ by VoidTools to give me an indication of what activity is occurring on the machine during my testing. I was looking to see what artefacts were created on the work computer because, realistically, getting access to the employee’s home computer during an investigation is unlikely until further down the path, when litigation may take place.

For my testing, I obtained access to an online ConnectWise Control tenancy and logged into a work computer. I transferred files to the home computer using the file transfer interface located on the tool bar that appears at the top of the connection window.

At the time the file was transferred, the following occurred on the work computer:

A JumpList entry was created in the Quick Access JumpList file for the parent directory of the transferred file, “Folder of Goodies”:

%appdata%\microsoft\windows\Recent\AutomaticDestinations\f01b4d95cf55d32a.automaticDestinations-ms

Having a look at the JumpList entry within the f01b4d95cf55d32a.automaticDestinations-ms JumpList we can see that the “Common Path” has been populated with the name of the parent directory of the transferred file.

Shell Details

The ScreenConnect ‘user.config’ file was updated in the following path: ‘C:\ProgramData\ScreenConnect Client (<string ID>)\user.config’

User.config

The ‘SendFilesDirectory’ value is updated to the path of the parent folder of the file that was transferred – ‘W:\FOLDER OF GOODIES’. The name of the file that was transferred is not recorded.

During my testing, the timestamp value in ‘user.config’ remained the same regardless of the date/time that I transferred the files to the home computer: ‘TimeStamp=10%2f02%2f2021%2011%3a00%3a00%20AM’.

The ‘SendFilesDirectory’ value is updated every time a file is transferred so you will only see the parent directory of the file that was last sent, nothing previous to it.

While I did not identify any record of the filename being transferred in the Windows Event Logs, there is a record in the Application Event Log when the ScreenConnect client session is connected.

Windows Application Event Log

The audit log in the ConnectWise Control tenancy is where we get additional information about the file transfers that have taken place during any connected sessions.

As the audit log is busy, you can narrow down the time range and session name to the work computer of interest. Under the Event column, the ‘SentFiles’ records are the files that have been sent from the work computer to the employee’s home computer.

For each entry we see the date and time of the event, the name of the work computer, the event, the IP address of the work computer and the name of the file that was transferred.

ConnectWise Control Audit Log
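The two artefacts that carry usable information, the ‘SendFilesDirectory’ and ‘TimeStamp’ values in user.config and the ‘SentFiles’ rows in the tenancy audit log, are small enough to triage with a short script. The following is an added example, not code from this post or from ConnectWise. It assumes user.config can be read as key=value lines with percent-encoded values (the shape of the TimeStamp value quoted above, which decodes to ‘10/02/2021 11:00:00 AM’), and that the audit log has been exported with one row per event carrying the five fields listed above; the column names, hostnames, IP addresses and file names in the samples are constructed for the example.

```python
"""Triage helpers for the two ConnectWise Control file-transfer artefacts
described above: the client's user.config on the work computer and the
tenancy audit log. Added example; not code from the post or from ConnectWise.

Assumptions made here (not stated in the post):
- user.config is treated as key=value lines with percent-encoded values, which
  is the shape of the TimeStamp value quoted in the post. unquote() is a no-op
  on a value that is not encoded, so a plain path decodes unchanged.
- the audit log is an export with one row per event and the five fields the
  post lists (time, work computer/session name, event, IP, file name). The
  column names and the rows below are constructed for this example.
"""
import csv
import io
from datetime import datetime
from urllib.parse import unquote

# Constructed sample modelled on the two user.config values quoted in the post.
SAMPLE_USER_CONFIG = (
    "SendFilesDirectory=W%3a%5cFOLDER%20OF%20GOODIES\n"
    "TimeStamp=10%2f02%2f2021%2011%3a00%3a00%20AM\n"
)

# Constructed sample audit-log export; hostnames, IPs and file names are made up.
SAMPLE_AUDIT_CSV = """Time,Session,Event,IP,File
2021-10-02 11:02:15,WORKPC-01,Connected,203.0.113.10,
2021-10-02 11:05:40,WORKPC-01,SentFiles,203.0.113.10,payroll.xlsx
2021-10-02 11:05:41,WORKPC-01,SentFiles,203.0.113.10,clients.csv
2021-10-02 11:30:00,WORKPC-02,SentFiles,203.0.113.11,notes.txt
2021-10-03 09:00:00,WORKPC-01,SentFiles,203.0.113.10,later.docx
"""

AUDIT_TIME_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_user_config(text):
    """Return {key: decoded value} for every key=value line in user.config."""
    values = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, _, raw = line.partition("=")
        values[key.strip()] = unquote(raw.strip())
    return values


def parse_timestamp(value, fmt="%m/%d/%Y %I:%M:%S %p"):
    """Parse the decoded TimeStamp string ('10/02/2021 11:00:00 AM').

    The post notes this value did not change across transfers, so it is not a
    transfer time. Whether 10/02 is 2 October or 10 February depends on the
    date format in use on the work computer (assumption: US order by default);
    pass fmt="%d/%m/%Y %I:%M:%S %p" for day-first systems.
    """
    return datetime.strptime(value, fmt)


def sent_files(audit_csv, session, start, end):
    """SentFiles events for one session (work computer) inside [start, end].

    start/end are strings in AUDIT_TIME_FORMAT. Other event types (e.g. the
    session connect) are skipped, mirroring the filtering done by hand in the
    tenancy's audit page.
    """
    lo = datetime.strptime(start, AUDIT_TIME_FORMAT)
    hi = datetime.strptime(end, AUDIT_TIME_FORMAT)
    hits = []
    for row in csv.DictReader(io.StringIO(audit_csv)):
        if row["Session"] != session or row["Event"] != "SentFiles":
            continue
        when = datetime.strptime(row["Time"], AUDIT_TIME_FORMAT)
        if lo <= when <= hi:
            hits.append({"time": row["Time"], "ip": row["IP"], "file": row["File"]})
    return hits


def summarise(config_text, audit_csv, session, start, end):
    """Combine both artefacts into one record for the investigation notes.

    The work computer only preserves the parent directory of the last send,
    so the file names have to come from the audit log; the directory is kept
    alongside them as the corroborating host-side artefact.
    """
    cfg = parse_user_config(config_text)
    files = sent_files(audit_csv, session, start, end)
    return {
        "session": session,
        "last_send_directory": cfg.get("SendFilesDirectory"),
        "config_timestamp": cfg.get("TimeStamp"),
        "sent_file_count": len(files),
        "sent_files": [f["file"] for f in files],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarise(SAMPLE_USER_CONFIG, SAMPLE_AUDIT_CSV, "WORKPC-01",
                               "2021-10-02 00:00:00", "2021-10-02 23:59:59"), indent=2))
```

Run against a real export, the session name and time window are the same two filters applied by hand in the audit page; the decoded ‘SendFilesDirectory’ is reported alongside the file names so the one host-side value that survives can be written up next to the audit log rows it corroborates.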

The key pieces of evidence are in the audit log of the ConnectWise tenancy. As you can see, there are only a few small corroborating artefacts available on the work computer.

I would be keen to hear from anyone that knows of other artefacts I have missed or tools to monitor real time changes of files, registry keys etc during testing.

-BM
