
Unfortunately, someone in my family fell for a phone scam after data was leaked from TalkTalk. As a result, they allowed remote access to two computers and transferred money from their bank account to the value of over £10,000.

The money will be returned by the bank, however I have the job of trying to figure out what was compromised and I would really appreciate some advice on the following:

When I arrived, Windows was protected with Syskey, which had been put on by the attacker. The code was already known as the attacker had disclosed it on the phone.

I looked through the browser history and saw the victim downloaded TeamViewer and allowed the remote connection to two machines for a few hours. The TeamViewer log does not indicate any files were transferred; the browser history also does not indicate any files were downloaded other than TeamViewer (of course they could be deleted, but I think the victim would question deleting various bits of browser history). Looking through "last modified" files for quite some time, I'm almost certain nothing was installed, and looking through the startup items and running processes I could not find anything overly suspicious.

The story from the victim is that there was a command prompt on the screen with a flurry of text which looked like file paths flying up the screen on both machines. A Rapport log shows that a virus scan was started at that time on both machines, which may have been that.

Ideally, I'm wanting to find out if files were sent from the attacked computers as there are private items on there. I have been looking for information on a rough estimate of network traffic from the ISP, but even with that information it will be difficult to know as TeamViewer was running. There is not much in terms of browser history other than visiting the bank's sites, which is all still there, and I have scoured (by eye for some hours) the various Windows event logs and not found much of interest (other than finding the TeamViewer log and something saying a scan was started).

Without a third-party program and using CMD, how could an attacker send files? I would assume FTP as Windows has a built-in FTP client, but I cannot find any log (nor would I know where it would be if there is one).

My solution so far has been to take images of both disks as a backup and to reinstall Windows on both machines fresh and to just move some documents back. Whilst this mostly secures the machines (other than against social engineering), it doesn't tell me much about what went on during the TeamViewer session. Unfortunately the victim was well and truly bamboozled so doesn't seem to have a fantastic account of exactly what went on other than "a flurry of text which looks like file paths" and a few cd commands.

I suppose my overall question is:

How can files be moved using only built-in Windows functions, and do you know of any logs they would produce? Is there anything else you would check or do? Which various bits of history would you personally check after an attack like this?

I have a full image of both machines and, as I was upgrading one to an SSD whilst there, I also have a fully bootable hard drive which hasn't been altered since it was attacked, so logs are generally all still available.

ThePerson

  • The commands had the occasional "cd" to change directory but generally were flying up far too fast to read (as per the victim), but that's all we know. – ThePerson Aug 26 '15 at 10:19

1 Answer

There are simply too many ways to move files into a Windows system without leaving much trace.

If your OS is recent, you have PowerShell installed, which can run HTTP(S) downloads easily and without creating any log, for instance. Or, as you noted, FTP.

A simple way for the scammer to upload and execute some code easily would be to use the clipboard: start a command line and simply paste the script into it. It'll only take a couple of lines to download and execute a program from a web site, and the Windows prompt does not keep a log of the commands it runs.

In your case, I would choose one of the two following options:

  • You assume that the attacker didn't try to hide his tracks and was just after some easy money (low hanging fruit) and that they didn't actually look any deeper. This is a risky proposition but you might consider it appropriate if no important information was on the system.
  • You assume the attacker had the tools and skill to perform an in-depth penetration of the system (which is surprisingly easy and quick given today's tools) and must therefore consider any and all information on this machine compromised: any passwords saved or typed, all information contained in documents stored or accessible, all accounts used (including things like cloud storage accounts, etc.) and all private keys stored locally and not protected by a strong password. Remember that the attacker could also have jumped to other systems accessible from this machine.

I don't think that anything in between these two extremes makes much sense. Which one you choose, however, is entirely up to you. In any case, you should perform a full restore of the system (from metal, not from the OS) and reset all local passwords.

Stephane
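The question asks which logs the built-in mechanisms (ftp.exe, PowerShell downloads, commands pasted into a prompt) would leave, and the answer's point is that by default they leave almost none. The script below is an added example (not from either poster) that checks exactly that against the asker's untouched, offline disk: it reads the PowerShell Operational log for script block events (ID 4104/4103), the Security log for process-creation events (ID 4688, off unless auditing was enabled beforehand), Prefetch entries for ftp.exe/powershell.exe/cmd.exe/TeamViewer (ftp.exe has no log of its own, so Prefetch is the best native evidence it ran), and any PSReadLine console history files. It assumes the imaged drive is mounted read-only at a drive letter such as `E:\` and that the analysis box runs Windows with PowerShell 4 or later so `Get-WinEvent` can open `.evtx` files directly; the function name, parameters and the date range in the usage line are constructed for this example. An empty result for the event-log checks does not mean nothing happened; it means, as the answer says, that the logging was never on.

```powershell
# Offline triage of a mounted Windows volume (the untouched drive from the
# question, mounted read-only as e.g. E:\). Added example, not the posters' code.
# Assumptions (not from the page): the volume is at $Root, and this runs on a
# Windows analysis machine with PowerShell 4+ (Get-WinEvent -Path for .evtx).
function Get-RemoteSessionArtifacts {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,             # e.g. 'E:\'
        [datetime] $Start = (Get-Date).AddDays(-7),        # window of the scam session
        [datetime] $End   = (Get-Date)
    )

    $logs = Join-Path $Root 'Windows\System32\winevt\Logs'

    # 1. PowerShell script block (4104) and module (4103) logging.
    #    Only written if the policy was enabled *before* the session; absence
    #    here is the normal default and confirms the answer's point.
    $psLog    = Join-Path $logs 'Microsoft-Windows-PowerShell%4Operational.evtx'
    $psEvents = @()
    if (Test-Path $psLog) {
        $psEvents = @(Get-WinEvent -FilterHashtable @{
            Path = $psLog; Id = 4103, 4104; StartTime = $Start; EndTime = $End
        } -ErrorAction SilentlyContinue)
    }

    # 2. Process creation (Security 4688). Off by default; if present, filter to
    #    the native tools the answer names plus the remote-control client.
    $secLog     = Join-Path $logs 'Security.evtx'
    $procEvents = @()
    if (Test-Path $secLog) {
        $procEvents = @(Get-WinEvent -FilterHashtable @{
            Path = $secLog; Id = 4688; StartTime = $Start; EndTime = $End
        } -ErrorAction SilentlyContinue |
            Where-Object { $_.Message -match 'ftp\.exe|powershell\.exe|cmd\.exe|TeamViewer' })
    }

    # 3. Prefetch: one .pf per executable name, LastWriteTime ~ last run.
    #    ftp.exe keeps no log, so this is the best native evidence that it ran.
    $prefetch = Get-ChildItem (Join-Path $Root 'Windows\Prefetch') -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object {
            $_.Name -match '^(FTP|POWERSHELL|CMD|TEAMVIEWER)' -and
            $_.LastWriteTime -ge $Start -and $_.LastWriteTime -le $End
        } | Select-Object Name, LastWriteTime

    # 4. PSReadLine console history per user profile (PowerShell 5+ only;
    #    cmd.exe keeps no command history at all).
    $history = Get-ChildItem (Join-Path $Root 'Users') -Directory -ErrorAction SilentlyContinue | ForEach-Object {
        $h = Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
        if (Test-Path $h) {
            [pscustomobject]@{ User = $_.Name; Path = $h; Lines = (Get-Content $h).Count }
        }
    }

    [pscustomobject]@{
        ScriptBlockLoggingWasOn = ($psEvents.Count -gt 0)
        PowerShellEvents        = $psEvents   | Select-Object TimeCreated, Id, Message
        ProcessCreations        = $procEvents | Select-Object TimeCreated, Message
        PrefetchHits            = $prefetch
        ConsoleHistoryFiles     = $history
    }
}

# Usage (constructed dates): mount the imaged disk read-only, then
# Get-RemoteSessionArtifacts -Root 'E:\' -Start '2015-08-20' -End '2015-08-27' | Format-List
```

Run it against the image, not the live system, so timestamps on Prefetch and history files are not disturbed. If `ScriptBlockLoggingWasOn` is false and there are no 4688 events, the only native evidence of what was typed into that prompt is the Prefetch list, which tells you which binaries ran and when, but not what they were given; that is the same conclusion the answer reaches about deciding between the two options above.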