Remote access tools

(@clarkk)
Topic starter

Windows 7 machine in a domain. What is the best way to determine where (IP) an individual is going with a remote access tool? It can be LogMeIn, Splashtop, etc. From an image, I can see the website they are going to, but how can I find the destination of where they are connecting to with the tool? Just the logs? Or is there another place I can look?

Posted : 02/04/2019 12:23 pm
Bunnysniper (@bunnysniper)

Or is there another place I can look?

Yes, the local registry. Have a look into the software hive and the NTUSER.dat files and search for application entries there. Very often you have something like "recent connections" or similar entries. Nevertheless, start with the application specific logfiles and see what is inside.

regards, Robin

Posted : 02/04/2019 4:35 pm
keydet89 (@keydet89)

Yes, the local registry. Have a look into the software hive and the NTUSER.dat files and search for application entries there.

Anything in particular? I'd like to add it to RegRipper.

Thanks.

Posted : 02/04/2019 5:33 pm
(@athulin)

Windows 7 machine in a domain. What is the best way to determine where (IP) an individual is going with a remote access tool? Can be logmein, splashtop, etc. From an image, i can see the website they are going to but how can I find the destination of where they are connecting to with the tool?

That depends on where those tools store or log the target address, doesn't it?

If you don't know, set up a test client system, and a test target host with a well-known domain name and IP. Do a few connections. Image the client, and look for the domain name and the IP address. Depending on the tool, you may want to try different ways of connecting or different tool settings. Perhaps it saves the info in a logfile, but that log file can be placed anywhere and with any name and extension; its current path, though, is somewhere in the registry.

(You probably want to do follow-up tests to find out if there's anything useful in-core during a live analysis. You probably also want to test failed connections as well, to ensure that you can distinguish between connections that were successful and connections that failed or were broken off in some way. Figure out what questions you are likely to have to answer (when was the first connection? the last? all connections in the last week of December? …) and focus on those.)

Or … you may have a tool in some kind of container. In which case, you have to look inside that container.

And you may need to check other factors: does anything change between different tool releases? Can you identify the version? Can you identify the currently active version, if more than one is installed? (And, if a tool has been uninstalled, can you see that it has been there? And perhaps also when? Or does it run from a USB stick?) In a corporate environment, you may have well-known tools and versions, so you may be able to restrict your tests to those.

And if you're lucky, someone has already done it for some specific tool. But unless you can locate someone else's analysis report, and can trust it as a source for your own analyses, you have to analyze the tools yourself.

Posted : 02/04/2019 7:01 pm
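The test-and-search step described above (connect to a known target, image the client, then look for the hostname and IP in the image or in the hives Bunnysniper points at) needs a searcher that understands how Windows stores strings. Registry value data and most Windows binaries keep text as UTF-16LE, so a plain grep for "192.0.2.10" misses the registry copy entirely. The script below is an added example, not part of the thread or of any tool mentioned in it: it scans a raw file (NTUSER.dat, the SOFTWARE hive, a log, or a whole disk image) for the known test target in both ASCII and UTF-16LE, and separately carves every dotted-quad IPv4 literal it finds, so you can also spot targets you did not plant. The tool name "TestRAT", the key path, the sample hive fragment and the log line are constructed for the example, and the target names come from the RFC 5737 / RFC 2606 documentation ranges.

```python
"""Carve a known test target (hostname, IP) or any IPv4 literal out of a raw
Windows artefact: a registry hive such as NTUSER.dat or SOFTWARE, a log file,
or a whole disk image.  Every needle is searched as ASCII and as UTF-16LE,
because the registry and most Windows binaries store strings as the latter."""
import mmap
import re
from typing import Iterable, List, NamedTuple, Sequence


class Hit(NamedTuple):
    offset: int      # byte offset of the match in the scanned data
    encoding: str    # "ascii" or "utf-16le"
    needle: str      # the string that matched (or the carved IPv4 literal)
    context: str     # printable text around the match, for triage


def _printable(s: str) -> str:
    return "".join(c if c.isprintable() else "." for c in s)


def _context(data, start: int, end: int, encoding: str, width: int) -> str:
    """Decode `width` bytes either side of a match in the match's own encoding."""
    lo, hi = max(0, start - width), min(len(data), end + width)
    if encoding == "utf-16le":
        # keep the window aligned to the 2-byte code units of the match
        lo += (start - lo) % 2
        hi -= (hi - start) % 2
        return _printable(bytes(data[lo:hi]).decode("utf-16-le", errors="replace"))
    return _printable(bytes(data[lo:hi]).decode("latin-1"))


def _patterns(needles: Iterable[str]):
    """Compile each needle as a case-insensitive ASCII and UTF-16LE byte regex."""
    pats = []
    for n in needles:
        pats.append(("ascii", n, re.compile(re.escape(n.encode("ascii")), re.IGNORECASE)))
        pats.append(("utf-16le", n, re.compile(re.escape(n.encode("utf-16-le")), re.IGNORECASE)))
    return pats


def scan_bytes(data, needles: Sequence[str], width: int = 32) -> List[Hit]:
    """Return every occurrence of each needle in either encoding, sorted by offset."""
    hits = []
    for enc, n, pat in _patterns(needles):
        for m in pat.finditer(data):
            hits.append(Hit(m.start(), enc, n, _context(data, m.start(), m.end(), enc, width)))
    return sorted(hits)


# Dotted quads: ASCII digits, or UTF-16LE digits (each code unit is digit + NUL).
_IPV4_ASCII = re.compile(rb"(?<!\d)(?:\d{1,3}\.){3}\d{1,3}(?!\d)")
_IPV4_UTF16 = re.compile(rb"(?<!\d\x00)(?:(?:\d\x00){1,3}\.\x00){3}(?:\d\x00){1,3}(?!\d\x00)")


def carve_ipv4(data, width: int = 32) -> List[Hit]:
    """Carve every syntactically valid IPv4 literal (octets 0-255) in both encodings."""
    hits = []
    for enc, pat in (("ascii", _IPV4_ASCII), ("utf-16le", _IPV4_UTF16)):
        for m in pat.finditer(data):
            text = bytes(m.group()).decode("utf-16-le" if enc == "utf-16le" else "ascii")
            if all(int(o) <= 255 for o in text.split(".")):
                hits.append(Hit(m.start(), enc, text, _context(data, m.start(), m.end(), enc, width)))
    return sorted(hits)


def scan_file(path: str, needles: Sequence[str], width: int = 32) -> List[Hit]:
    """Memory-map a hive, log or disk image and run both scans over it."""
    with open(path, "rb") as fh, mmap.mmap(fh.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return scan_bytes(mm, needles, width) + carve_ipv4(mm, width)


# Constructed sample: a fragment of an NTUSER.dat-style hive (UTF-16LE key and
# value names for a hypothetical tool "TestRAT") followed by an ASCII log line
# from the same hypothetical tool.  Host and IP are documentation-range values.
TARGET_HOST = "lab-target.example.test"
TARGET_IP = "192.0.2.10"
SAMPLE = (
    b"\x00" * 64
    + "Software\\TestRAT\\RecentConnections".encode("utf-16-le") + b"\x00\x00"
    + TARGET_HOST.encode("utf-16-le") + b"\x00" * 16
    + b"2019-04-02 12:23:00 connected to 192.0.2.10:443 ok\n"
    + b"\x00" * 8 + TARGET_IP.encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    for h in scan_bytes(SAMPLE, [TARGET_HOST, TARGET_IP]) + carve_ipv4(SAMPLE):
        print(f"{h.offset:#010x} {h.encoding:8} {h.needle:24} {h.context}")
```

Run it against the real artefacts as `scan_file("NTUSER.dat", ["lab-target.example.test", "192.0.2.10"])`, and again over the full image to catch copies outside the hives (the tool's own log, prefetch, pagefile). A hit offset inside a hive does not tell you which key holds it; open the hive in a registry viewer or RegRipper-style parser to attribute the value, and then it becomes a candidate for the plugin keydet89 is asking about. The scanner only finds plaintext, so a tool that compresses or encrypts its connection history (athulin's "container" case) will show nothing here and has to be opened with the tool's own format in mind.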