Legitimate RATs: a comprehensive forensic analysis of the usual suspects
This article collects the host forensic evidence left by four well-known legitimate remote access tools.
Introduction
The purpose of this article is to detail the artefacts left by a third-party remote access tool during its setup and use. A third-party remote access tool lets someone who is not physically at a device control it, interact with it and see its screen. Tools that do not offer visual interaction, such as PsExec, are not included in this study.
The motivation for this study came from a tweet by @IcsNick listing "Remote Admin Tools that are abused by threat actors"[1]. Indeed, threat actors leverage these legitimate tools to obtain remote access to a device and persistence on it, to push scripts and other tools, and to move laterally towards other devices of linked corporate information systems (e.g. between an IT provider and its customers). Based on IcsNick's comprehensive list and other public investigation reports, we therefore decided to analyse a few of them, as a first step, in order to understand exactly what artefacts these tools generate. The results are used to automate the detection of these tools during our investigations, to speed up the process and point to the interesting log files. Of course, the forensic or SOC analyst still has to determine whether the tools were used legitimately by the IT team or by malicious actors.
In this article, the artefacts of four remote admin tools are described: TeamViewer, AnyDesk, Atera and SplashTop, with a focus on the Windows platform. A part 2 may follow, covering other tools and the artefacts left on other platforms (e.g. macOS and GNU/Linux). ConnectWise (formerly ScreenConnect), which also appears in the list, has already been thoroughly described in other articles[2][3]. Finally, since the Atera agent installer embeds SplashTop, both are described in the same section.
Collection and analysis of the artefacts
To perform this study, several tools were used to monitor the activity of the system: its file system, registry, process activity and common Windows artefacts. The default logging policy was kept on the Windows "lab" machine. In particular, we chose not to enable Sysmon, to reflect what we usually encounter during our engagements.
TeamViewer
TeamViewer is a free remote admin tool available on many platforms: Windows, macOS, Android, iOS, Linux, Chrome OS. It is probably the best-known tool of its kind. It offers many remote access features: remote shell, remote desktop, multiple simultaneous connections, encrypted access, remote printing, file sharing... TeamViewer's publisher also sells commercial editions, notably for companies.
TeamViewer is one of the legitimate tools that attackers use to gain remote access to compromised assets and maintain persistence. TeamSpy is especially known for using TeamViewer[4]. Several ransomware actors seem to use it as well, such as Shade[5][6].
The version of TeamViewer analysed in this study is 15.32.3.0.
Means of installation
TeamViewer is used as a desktop application. It can be installed on the system or used as a portable executable. It can also be used directly from the browser.
To determine its installation date, we can check:
- the creation date of C:\Program Files\TeamViewer,
- the last modification date of HKLM\SOFTWARE\TeamViewer and HKU\<SID>\SOFTWARE\TeamViewer (the latter also tells whether the portable version was used),
- a System event ID 7045 entry showing the creation of the TeamViewer service,
- and the last modification date of HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer.
To detect the user who installed TeamViewer, we can check:
- the creation date (the earliest one) of HKU\<SID>\SOFTWARE\TeamViewer,
- or the creation date of C:\Users\<username>\AppData\Local\Temp\TeamViewer\TV15Install.log and its content (described later in this article).
Logs generated on the file system
C:\Program Files\TeamViewer\TeamViewer15_Logfile.log: general information is traced in TeamViewer15_Logfile.log[7]. The filename carries the major version number of TeamViewer, so it is worth looking for files matching TeamViewer\d\d_Logfile.log. During a forensic analysis, several pieces of information can be recovered from this file. Connections made to and from the host are logged with a timestamp, together with the hostname and TeamViewer ID of both participants. The "presenter role", type 3, is the participant that receives the connection (the target); type 6 is the client participant.
- Target side, the connection unfolds as follows: a first CreatePassiveSession entry appears at each connection attempt. If the attempt succeeds and is authorised, CPersistentParticipantManager::AddParticipant entries follow. The sessions are then created (SessionStateParticipants::AddParticipant). Finally, a SessionTerminate entry marks the end of the connection.
# Connection attempt
2022/08/22 16:50:52.967 3476 1492 S0 CommandHandlerRouting[19]::CreatePassiveSession(): incoming session via fr-par-anx-r008.router.teamviewer.com, protocol Port443
[...]
# Connection successful
2022/08/22 16:50:59.262 3476 3652 S0 CPersistentParticipantManager::AddParticipant: [1025212365,-305204839] type=3 name=LABWINDOWS
2022/08/22 16:50:59.262 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025538549,505791595] type=6 name=mechant_host
2022/08/22 16:50:59.262 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025212365,-305204839] type=3 name=LABWINDOWS
[...]
# The sessions start
2022/08/22 16:50:59.439 8016 6672 G1 CParticipantManagerBase participant LABWINDOWS (ID [1025212365,-305204839]) was added with the role 3
2022/08/22 16:50:59.439 8016 6672 G1 New Participant added in CParticipantManager LABWINDOWS ([1025212365,-305204839])
2022/08/22 16:50:59.440 8016 6672 G1 SessionStateParticipants::AddParticipant: pid: [1025212365,-305204839] and timestamp: 1661179859262
2022/08/22 16:50:59.440 8016 6672 G1 DC: Presenter role assigned to [1025212365,-305204839] (LABWINDOWS (1 025 213 073))
2022/08/22 16:50:59.440 8016 6672 G1 CParticipantManagerBase participant mechant_host (ID [1025538549,505791595]) was added with the role 6
2022/08/22 16:50:59.440 8016 6672 G1 New Participant added in CParticipantManager mechant_host ([1025538549,505791595])
2022/08/22 16:50:59.440 8016 6672 G1 SessionStateParticipants::AddParticipant: pid: [1025538549,505791595] and timestamp: 1661266449806
2022/08/22 16:50:59.441 8016 992 G1 VoIP: Receiver: Participant channel "mechant_host (1 025 530 624)" [1025538549,505791595]: VoIPBCommandReceiver: Created for session -305204839
2022/08/22 16:50:59.441 8016 992 G1 VoIP: Receiver: Session -305204839: Channel created for participant [1025538549,505791595] called "mechant_host (1 025 530 624)" [1025538549,505791595]
[...]
# The connection ends
2022/08/22 16:51:09.750 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025538549,505791595]
2022/08/22 16:51:09.751 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025212365,-305204839]
2022/08/22 16:51:09.751 3476 3652 S0 CStreamManager::ParticipantRemoved: Our own participant was removed, we must terminate our session
2022/08/22 16:51:09.752 6092 7464 D1 SessionManagerDesktop::SessionTerminate: removing session with tvsessionprotocol::TVSessionID = -305204839
- Client side, the connection unfolds as follows: if the attempt succeeds and is authorised, CPersistentParticipantManager::AddParticipant entries appear, then the sessions are created (SessionStateParticipants::AddParticipant). Finally, a TerminateSession entry (unlike the SessionTerminate generated on the target) marks the end of the connection.
# The connection is successful
2022/08/24 15:58:15.531 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025538549,350411969] type=3 name=mechant_host
2022/08/24 15:58:15.531 3476 1492 S0 CParticipantManagerBase participant mechant_host (ID [1025538549,350411969]) was added with the role 3
2022/08/24 15:58:15.531 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025212365,1606481770] type=6 name=LABWINDOWS
[...]
# The sessions start
2022/08/24 15:58:15.687 7548 5760 G1 CParticipantManagerBase participant LABWINDOWS (ID [1025212365,1606481770]) was added with the role 6
2022/08/24 15:58:15.687 7548 5760 G1 New Participant added in CParticipantManager LABWINDOWS ([1025212365,1606481770])
2022/08/24 15:58:15.687 7548 5760 G1 SessionStateParticipants::AddParticipant: pid: [1025212365,1606481770] and timestamp: 1661349495469
2022/08/24 15:58:15.687 7548 5760 G1 CParticipantManagerBase participant mechant_host (ID [1025538549,350411969]) was added with the role 3
2022/08/24 15:58:15.687 7548 5760 G1 New Participant added in CParticipantManager mechant_host ([1025538549,350411969])
2022/08/24 15:58:15.687 7548 5760 G1 SessionStateParticipants::AddParticipant: pid: [1025538549,350411969] and timestamp: 1661349495468
2022/08/24 15:58:15.687 7548 7192 G1 VoIP: Receiver: Added session 1606481770. Meeting id is mechant_host (1 025 530 624). Our participant id is "LABWINDOWS (1 025 213 073)" [1025212365,1606481770].
2022/08/24 15:58:15.687 7548 7192 G1 VoIP: Receiver: Participant channel "mechant_host (1 025 530 624)" [1025538549,350411969]: VoIPBCommandReceiver: Created for session 1606481770
2022/08/24 15:58:15.687 7548 7192 G1 VoIP: Receiver: Session 1606481770: Channel created for participant [1025538549,350411969] called "mechant_host (1 025 530 624)" [1025538549,350411969]
2022/08/24 15:58:15.687 7548 5760 G1 DC: Presenter role assigned to [1025538549,350411969] (mechant_host (1 025 530 624))
[...]
# The connection ends
2022/08/24 15:59:31.346 3476 1492 S0 CPersistentParticipantManager::RemoveParticipant: [1025212365,1606481770]
2022/08/24 15:59:31.346 3476 1492 S0 CStreamManager::ParticipantRemoved: Our own participant was removed, we must terminate our session
2022/08/24 15:59:31.346 3476 1492 S0 SessionControl::TerminateSession: Session termination reason UserDisconnect
2022/08/24 15:59:31.351 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025538549,350411969]
C:\Program Files\TeamViewer\Connections_incoming.txt: generated target side. All successful incoming connections are listed in Connections_incoming.txt, one per line. The first column is the TeamViewer ID of the client (1025538549 in the example below) and the second its hostname (mechant_host), followed by the start and end timestamps, the local Windows user, the connection type and a session GUID. Note that these timestamps are two hours behind the TeamViewer15_Logfile.log entries for the same session (14:50:52 versus 16:50:52): Connections_incoming.txt is written in UTC while TeamViewer15_Logfile.log uses local time, so convert before correlating the two.
1025538549 mechant_host 22-08-2022 14:50:52 22-08-2022 14:51:09 lab RemoteControl {5a0ba592-76be-48de-8015-2365251d6520}
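As an added example (not part of the original article), the following Python script rebuilds sessions from TeamViewer15_Logfile.log using only the entry types shown above: CreatePassiveSession marks an incoming attempt, the CPersistentParticipantManager::AddParticipant entries give both participants (type 3 target, type 6 client) and the first number of each "[a,b]" identifier is the TeamViewer ID also listed in Connections_incoming.txt, RemoveParticipant entries give the end, and in both excerpts the "Our own participant was removed" line directly follows the removal of the local participant, which is what the script uses to decide the direction (SessionTerminate versus TerminateSession is kept as a secondary signal). Pairing participants by order of appearance and that direction inference are assumptions drawn from the two excerpts and should be checked against your own logs; the sample log is constructed from those excerpts.

```python
"""Rebuild TeamViewer sessions from TeamViewer15_Logfile.log (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Every entry: "<yyyy/mm/dd hh:mm:ss.mmm> <pid> <tid> <S0|G1|D1|...> <message>"
LINE_RE = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) +\d+ +\d+ +\S+ +(.*)$")
ADD_RE = re.compile(r"CPersistentParticipantManager::AddParticipant: (\[-?\d+,-?\d+\]) type=(\d) name=(.+)$")
REMOVE_RE = re.compile(r"CPersistentParticipantManager::RemoveParticipant: (\[-?\d+,-?\d+\])")
PASSIVE_RE = re.compile(r"CreatePassiveSession\(\): incoming session via (\S+),")
OWN_REMOVED = "CStreamManager::ParticipantRemoved: Our own participant was removed"
TARGET_END = "SessionManagerDesktop::SessionTerminate"  # written on the controlled host
CLIENT_END = "SessionControl::TerminateSession"         # written on the controlling host


@dataclass
class Session:
    start: str
    end: Optional[str] = None
    router: Optional[str] = None
    target_pid: Optional[str] = None  # type=3, the presenter: the host being controlled
    target_name: Optional[str] = None
    client_pid: Optional[str] = None  # type=6, the controlling side
    client_name: Optional[str] = None
    direction: Optional[str] = None   # "incoming" (this host was the target) or "outgoing"


def tv_id(pid: str) -> str:
    """First number of "[a,b]": the TeamViewer ID, the value Connections_incoming.txt lists."""
    return pid.strip("[]").split(",")[0]


def parse_teamviewer_log(text: str) -> List[Session]:
    sessions: List[Session] = []
    pending_router: Optional[str] = None
    last_removed: Optional[Tuple[Session, str]] = None  # latest RemoveParticipant seen
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.groups()
        if (p := PASSIVE_RE.search(msg)):
            pending_router = p.group(1)  # incoming attempt, not authorised yet
        elif (a := ADD_RE.search(msg)):
            pid, ptype, name = a.groups()
            slot = "target" if ptype == "3" else "client"
            cur = sessions[-1] if sessions and sessions[-1].end is None else None
            # New session unless the open one still has this slot free (or the line is repeated).
            if cur is None or getattr(cur, f"{slot}_pid") not in (None, pid):
                cur = Session(start=ts, router=pending_router,
                              direction="incoming" if pending_router else None)
                sessions.append(cur)
                pending_router = None
            setattr(cur, f"{slot}_pid", pid)
            setattr(cur, f"{slot}_name", name.strip())
        elif (r := REMOVE_RE.search(msg)):
            pid = r.group(1)
            for s in reversed(sessions):
                if pid in (s.target_pid, s.client_pid):
                    s.end = ts
                    last_removed = (s, pid)
                    break
        elif OWN_REMOVED in msg and last_removed:
            # Assumption from the excerpts: this line follows the removal of the local participant,
            # so that participant's role tells whether this host was the target or the client.
            s, pid = last_removed
            s.direction = "incoming" if pid == s.target_pid else "outgoing"
        elif TARGET_END in msg and last_removed:
            last_removed[0].direction = "incoming"
        elif CLIENT_END in msg and last_removed:
            last_removed[0].direction = "outgoing"
    return sessions


def summarize(sessions: List[Session]) -> List[str]:
    return [f"{s.start} -> {s.end or '?'} {s.direction or 'unknown'}: "
            f"client {s.client_name} ({tv_id(s.client_pid) if s.client_pid else '?'}) "
            f"-> target {s.target_name} ({tv_id(s.target_pid) if s.target_pid else '?'})"
            for s in sessions]


# Constructed sample: the relevant lines of the two excerpts above (one incoming, one outgoing).
SAMPLE_LOG = """\
2022/08/22 16:50:52.967 3476 1492 S0 CommandHandlerRouting[19]::CreatePassiveSession(): incoming session via fr-par-anx-r008.router.teamviewer.com, protocol Port443
2022/08/22 16:50:59.262 3476 3652 S0 CPersistentParticipantManager::AddParticipant: [1025212365,-305204839] type=3 name=LABWINDOWS
2022/08/22 16:50:59.262 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025538549,505791595] type=6 name=mechant_host
2022/08/22 16:50:59.262 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025212365,-305204839] type=3 name=LABWINDOWS
2022/08/22 16:51:09.750 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025538549,505791595]
2022/08/22 16:51:09.751 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025212365,-305204839]
2022/08/22 16:51:09.751 3476 3652 S0 CStreamManager::ParticipantRemoved: Our own participant was removed, we must terminate our session
2022/08/22 16:51:09.752 6092 7464 D1 SessionManagerDesktop::SessionTerminate: removing session with tvsessionprotocol::TVSessionID = -305204839
2022/08/24 15:58:15.531 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025538549,350411969] type=3 name=mechant_host
2022/08/24 15:58:15.531 3476 1492 S0 CPersistentParticipantManager::AddParticipant: [1025212365,1606481770] type=6 name=LABWINDOWS
2022/08/24 15:59:31.346 3476 1492 S0 CPersistentParticipantManager::RemoveParticipant: [1025212365,1606481770]
2022/08/24 15:59:31.346 3476 1492 S0 CStreamManager::ParticipantRemoved: Our own participant was removed, we must terminate our session
2022/08/24 15:59:31.346 3476 1492 S0 SessionControl::TerminateSession: Session termination reason UserDisconnect
2022/08/24 15:59:31.351 3476 3652 S0 CPersistentParticipantManager::RemoveParticipant: [1025538549,350411969]
"""

if __name__ == "__main__":
    for line in summarize(parse_teamviewer_log(SAMPLE_LOG)):
        print(line)
```

Run against a full log, the output gives one line per session with direction, both hostnames and TeamViewer IDs; the client ID of incoming sessions can then be cross-checked against the first column of Connections_incoming.txt (after converting its UTC timestamps to local time).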
C:\Program Files\TeamViewer\TVNetwork.log: this log file contains information about the network ports used during a session. It is of little use from a forensic point of view.
2022/08/22 16:07:51.605 3476 1492 0 Port443(S):[6:6]: [10]: 2 [40]: 2 [46]: 1 [60]: 65 [63]: 1
2022/08/22 16:07:51.605 3476 1492 0 Port443(R):[6:6]: [10]: 1 [46]: 1 [54]: 2 [60]: 63
2022/08/22 16:08:01.840 3476 3652 0 Port443(S):[6:6]: [60]: 2
2022/08/22 16:08:01.840 3476 3652 0 Port443(R):[6:6]: [60]: 1 [63]: 1
2022/08/22 16:09:02.652 3476 1492 0 Port443(S):[6:6]: [27]: 1 [60]: 1
2022/08/22 16:09:02.652 3476 1492 0 Port443(R):[6:6]: [60]: 1 [63]: 1
2022/08/22 16:37:50.749 3476 1492 0 Port443(S):[6:6]: [46]: 1 [63]: 1
%LOCALAPPDATA%\Temp\TeamViewer\TV15Install.log: this file is written during installation. Since it lives in the user's Temp folder it may not survive, but when present it gives the exact installation date, the version, and the SID of the user who triggered the setup.
2022-08-22-16-06-34 ----------------------------------------------------------------------------------------------------
2022-08-22-16-06-34 Installer: TeamViewer
2022-08-22-16-06-34 Version: 15.32.3 (JMP-91.4)
2022-08-22-16-06-34 Install mode: Admin
2022-08-22-16-06-34 Account type: Admin, UAC supported:1, Elevation:2
2022-08-22-16-06-34 Time: 2022-08-22-16-06-34
2022-08-22-16-06-34 OS-Version: 10.0.19043(64-bit) SP:0, Type:1
2022-08-22-16-06-34 OS-Info: Server:0 Home server:0
2022-08-22-16-06-34 User-SID: S-1-5-21-2533520368-341850014-814719393-1001
2022-08-22-16-06-34 Log level: 100 (default)
2022-08-22-16-06-34 ----------------------------------------------------------------------------------------------------
%APPDATA%\TeamViewer\TeamViewer15_Logfile.log: the general log file, only used during installation or when the portable version is used.
HKLM\SOFTWARE\TeamViewer\ConnectionHistory: client side. A 16-byte REG_BINARY value.
Artefacts of interest
Network
- router15.teamviewer.com:443
- client.teamviewer.com:443
- taf.teamviewer.com:443
There are many other teamviewer.com domains. For more insight into the tracks TeamViewer leaves on the network, read the article on this topic from Arista Networks[8].
Executables
The path of the TeamViewer executables is C:\Program Files\TeamViewer
and contains:
- TeamViewer.exe
- TeamViewer_Desktop.exe
- TeamViewer_Service.exe
- tv_w32.exe
- tv_x64.exe
Registry keys and values added during setup
The following registry keys and values are added while installing TeamViewer, so it can be used to prove its presence at some point.
HKLM\SOFTWARE\TeamViewer\*
HKLM\SYSTEM\ControlSet001\Services\TeamViewer\*
HKLM\SYSTEM\CurrentControlSet\Services\TeamViewer\*
HKU\SID\SOFTWARE\TeamViewer\*
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TeamViewer\*
Registry keys and values added while using TeamViewer
The following registry keys and values are added and modified while using TeamViewer, so it can be used to prove an execution of TeamViewer at some point.
Target side
HKU\SID\SOFTWARE\TeamViewer\MainWindowHandle
HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImage
HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePath
HKU\SID\SOFTWARE\TeamViewer\DesktopWallpaperSingleImagePosition
HKU\SID\SOFTWARE\TeamViewer\MinimizeToTray
HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedCapturingEndpoint
HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioSendingVolumeV2
HKU\SID\SOFTWARE\TeamViewer\MultiMedia\AudioUserSelectedRenderingEndpoint
Client side
HKLM\SOFTWARE\TeamViewer\ConnectionHistory
HKU\SID\SOFTWARE\TeamViewer\ClientWindow_Mode
HKU\SID\SOFTWARE\TeamViewer\ClientWindowPositions
Other artefacts
- %LOCALAPPDATA%\TeamViewer\Database\tvchatfilecache.db: SQLite 3 database caching TeamViewer chat data.
- %LOCALAPPDATA%\TeamViewer\RemotePrinting\tvprint.db: target side. SQLite 3 database storing TeamViewer print jobs.
- Mutexes/Sections/Events: TeamViewer_LogMutex, TeamViewerHooks_DynamicMemMutex, TeamViewer3_Win32_Instance_Mutex, ... (TeamViewer*)
- Service creation (System event ID 7045):
ImagePath: "C:\Program Files\TeamViewer\TeamViewer_Service.exe"
ServiceName: "TeamViewer"
ServiceType: "user mode service"
StartType: "auto start"
- Prefetch:
C:\Windows\Prefetch\TEAMVIEWER.EXE-[A-F0-9]{8}.pf
- Startup menu:
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\TeamViewer.lnk
- Tracks in BAM, Userassist, Shimcache, AmCache.
Wrap up
From the TeamViewer log file TeamViewer15_Logfile.log, it is easy to determine the beginning and the end of a connection, and whether or not it succeeded. The direction of the connection (this host as target or as client) can also be determined, as well as the hostname and TeamViewer ID of the remote participant.
Moreover, Connections_incoming.txt gives in a single line each connection made to the host, with the remote hostname, its TeamViewer ID, and the start and end time of the connection.
Apart from that, the other artefacts detailed in this part can reveal the installation date or execution dates.
AnyDesk
AnyDesk is a free remote admin tool available on several platforms: Windows, macOS, Android, iOS, Linux, Chrome OS. Like TeamViewer, it offers many remote access features.
AnyDesk is one of the legitimate admin tools that attackers use to gain remote access to compromised assets and maintain persistence. It is regularly mentioned in public threat and investigation reports, such as in The DFIR Report[9][10] and the Trend Micro blog[11].
The version of AnyDesk analysed in this study is 7.0.14.0.
Means of installation
AnyDesk is used as a desktop application. It can be installed on the system or used as a portable executable.
To determine its installation date, we can check:
- the creation date of C:\Program Files (x86)\AnyDesk (default path, which can be changed during setup),
- the last modification date of HKLM\SOFTWARE\Clients\Media\AnyDesk,
- a System.evtx event ID 7045 entry showing the creation of the AnyDesk service,
- and the last modification date of HKLM\SYSTEM\CurrentControlSet\Services\AnyDesk.
To detect the user who installed AnyDesk, we can check:
- the creation date of %APPDATA%\AnyDesk (if there are several users, pick the earliest one),
- and, since AnyDesk installs a printer driver by default, its setup folder is present in the %APPDATA% folder of the user who triggered the setup: %APPDATA%\AnyDesk\printer_driver.
Moreover, an event ID 28115 from Microsoft-Windows-Shell-Core/Operational, indicating the addition of a shortcut to the "App Resolver Cache", gives the date of the AnyDesk setup and the user who triggered it (user SID in the Security:#attributes:UserID field). Event data:
"AppID":"prokzult ad","Flags":49,"Name":"AnyDesk"
Logs generated on the file system
%PROGRAMDATA%\AnyDesk\connection_trace.txt: incoming connection log[12], only generated target side. Each entry indicates how the connection was approved (e.g. the local user accepted it, or a password was used). Example:
Incoming 2022-08-23, 10:23 Passwd 547911884 547911884
Incoming 2022-09-28, 12:39 User 442226597 442226597
%APPDATA%\AnyDesk\ad.trace: AnyDesk user interface log file[13]. From this log file, we can determine the IP address of the other participant and its AnyDesk ID, and track file transfer events. Below, the Client-ID and external IP address of the remote participant:
info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).
info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.
Another entry also shows an IP address, but it is the external IP address of the local host. It is followed by an entry giving the local host's Client-ID:
info 2022-09-28 12:38:44.222 lsvc 9952 9944 3 anynet.relay_conn - External address: 34.xx.xx.123:50831.
info 2022-09-28 12:38:44.222 lsvc 9952 9944 3 anynet.main_relay_conn - Main relay ID: 80e496c0
info 2022-09-28 12:38:44.225 lsvc 9952 9944 3 anynet.main_relay_conn - Detected 2 new networks.
info 2022-09-28 12:38:44.228 lsvc 9952 9944 2 anynet.connection_mgr - Main relay connection established.
info 2022-09-28 12:38:44.228 lsvc 9952 9944 2 anynet.connection_mgr - New user data. Client-ID: 294433414.
Finally, file transfer events are traced on the source host (the owner of the file), although the filename itself is not logged:
info 2022-09-28 12:41:20.001 front 6252 496 app.prepare_task - Preparing files in 'C:\Users\lab\Downloads'.
info 2022-09-28 12:41:20.001 front 6252 496 app.local_file_transfer - Preparation of 1 files completed (io_ok).
%PROGRAMDATA%\AnyDesk\ad_svc.trace: AnyDesk service log file. As in ad.trace, the IP address and AnyDesk ID of the other participant can be determined when a connection is established.
# Local host external IP address and client ID
info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798.
info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.main_relay_conn - Main relay ID: 8d9e4ddf
info 2022-08-23 10:20:11.984 gsvc 4628 3528 1 fiber.scheduler - Spawning root fiber 18.
info 2022-08-23 10:20:11.984 gsvc 4628 3528 2 anynet.connection_mgr - Main relay connection established.
info 2022-08-23 10:20:11.984 gsvc 4628 3528 2 anynet.connection_mgr - New user data. Client-ID: 609579424.
[...]
# Remote host external IP address and client ID
info 2022-08-23 10:20:17.125 gsvc 4628 3528 23 anynet.any_socket - Client-ID: 547911884 (FPR: 67a8dcc336a1).
info 2022-08-23 10:20:17.125 gsvc 4628 3528 23 anynet.any_socket - Logged in from 12.xx.xx.21:41314 on relay ad3345a7.
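As an added example (not from the original article), the Python below extracts the evidence discussed above from the three AnyDesk files: the local Client-ID and external address, each remote login with its Client-ID, fingerprint, source IP and relay (rebuilt into the relay-<id>.net.anydesk.com hostname of the network section), file-transfer preparations, and the approval method from connection_trace.txt. It assumes the line layouts seen in the excerpts: the "Client-ID ... (FPR ...)" and "Logged in from ..." lines are paired on the numeric field that precedes the logger name (identical on both lines in the excerpts, meaning not documented), and connection_trace.txt (minute resolution, written at approval time) is matched to the relay login of the same Client-ID within the preceding 15 minutes, a tolerance chosen here because the 10:23 approval above follows a 10:20:17 login. The samples are constructed from the excerpts, with IP addresses redacted as on the page.

```python
"""Extract connection evidence from AnyDesk connection_trace.txt and *.trace files (added example)."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# *.trace entry: "<level> <date> <time> <component> <pid> <tid> [<n>] <logger> - <message>"
TRACE_RE = re.compile(
    r"^(?P<level>\w+)\s+(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+(?P<comp>\w+)\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?:(?P<n>\d+)\s+)?(?P<logger>\S+) - (?P<msg>.*)$")
REMOTE_ID_RE = re.compile(r"Client-ID: (\d+) \(FPR: ([0-9a-f]+)\)")
LOGIN_RE = re.compile(r"Logged in from (\S+):(\d+) on relay ([0-9a-f]+)\.")
LOCAL_ADDR_RE = re.compile(r"External address: (\S+):(\d+)\.")
LOCAL_ID_RE = re.compile(r"New user data\. Client-ID: (\d+)\.")
PREPARE_RE = re.compile(r"Preparing files in '(.+)'\.")
# connection_trace.txt entry: "<kind> <date>, <hh:mm> <auth> <id> <id>"
CONN_RE = re.compile(r"^(\w+)\s+(\d{4}-\d{2}-\d{2}), (\d{2}:\d{2})\s+(\S+)\s+(\d+)\s+(\d+)$")


def parse_trace(text: str) -> Dict:
    """Local identity, remote logins (ID, fingerprint, IP, relay) and file-transfer preparations."""
    out: Dict = {"local": {}, "logins": [], "transfers": []}
    pending: Dict[Optional[str], Dict] = {}  # Client-ID line precedes the Logged-in line; pair on <n>
    for raw in text.splitlines():
        m = TRACE_RE.match(raw.strip())
        if not m:
            continue
        ts, n, msg = m.group("ts"), m.group("n"), m.group("msg")
        if (a := LOCAL_ADDR_RE.search(msg)):
            out["local"]["external_address"] = f"{a.group(1)}:{a.group(2)}"
        elif (i := LOCAL_ID_RE.search(msg)):
            out["local"]["client_id"] = i.group(1)
        elif (r := REMOTE_ID_RE.search(msg)):
            pending[n] = {"ts": ts, "client_id": r.group(1), "fingerprint": r.group(2)}
        elif (l := LOGIN_RE.search(msg)):
            login = pending.pop(n, {"ts": ts, "client_id": None, "fingerprint": None})
            login.update(ip=l.group(1), port=int(l.group(2)), relay=l.group(3),
                         relay_host=f"relay-{l.group(3)}.net.anydesk.com")
            out["logins"].append(login)
        elif (p := PREPARE_RE.search(msg)):
            out["transfers"].append({"ts": ts, "source_dir": p.group(1)})
    return out


def parse_connection_trace(text: str) -> List[Dict]:
    rows = []
    for raw in text.splitlines():
        if (m := CONN_RE.match(raw.strip())):
            kind, date, hhmm, auth, id_a, id_b = m.groups()
            rows.append({"kind": kind, "when": f"{date} {hhmm}", "auth": auth,
                         "remote_id": id_a, "remote_id_2": id_b})
    return rows


def correlate(rows: List[Dict], logins: List[Dict], window_min: int = 15) -> List[Dict]:
    """Attach the relay login (IP, relay) to each approved connection: same Client-ID and a login at
    most `window_min` minutes before the approval (heuristic; the approval is logged to the minute)."""
    merged = []
    for row in rows:
        approved = datetime.strptime(row["when"], "%Y-%m-%d %H:%M")
        hit = None
        for login in logins:
            if login["client_id"] != row["remote_id"]:
                continue
            t = datetime.strptime(login["ts"], "%Y-%m-%d %H:%M:%S.%f")
            if approved - timedelta(minutes=window_min) <= t < approved + timedelta(minutes=1):
                hit = login
        merged.append({**row, "ip": hit["ip"] if hit else None, "relay": hit["relay"] if hit else None})
    return merged


# Constructed samples, assembled from the excerpts above (IP addresses redacted as on the page).
SAMPLE_CONNECTION_TRACE = """\
Incoming 2022-08-23, 10:23 Passwd 547911884 547911884
Incoming 2022-09-28, 12:39 User 442226597 442226597
"""
SAMPLE_TRACES = """\
info 2022-08-23 10:20:11.969 gsvc 4628 3528 3 anynet.relay_conn - External address: 34.xx.xx.123:46798.
info 2022-08-23 10:20:11.984 gsvc 4628 3528 2 anynet.connection_mgr - New user data. Client-ID: 609579424.
info 2022-08-23 10:20:17.125 gsvc 4628 3528 23 anynet.any_socket - Client-ID: 547911884 (FPR: 67a8dcc336a1).
info 2022-08-23 10:20:17.125 gsvc 4628 3528 23 anynet.any_socket - Logged in from 12.xx.xx.21:41314 on relay ad3345a7.
info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Client-ID: 442226597 (FPR: 8e28a2a25b30).
info 2022-09-28 12:39:26.845 lsvc 9952 9944 21 anynet.any_socket - Logged in from 12.xx.xx.21:59562 on relay 80e496c0.
info 2022-09-28 12:41:20.001 front 6252 496 app.prepare_task - Preparing files in 'C:\\Users\\lab\\Downloads'.
"""

if __name__ == "__main__":
    evidence = parse_trace(SAMPLE_TRACES)
    for row in correlate(parse_connection_trace(SAMPLE_CONNECTION_TRACE), evidence["logins"]):
        print(row)
```

In practice, feed ad_svc.trace and every user's ad.trace through parse_trace and concatenate the logins before correlating; a connection_trace.txt row without a matching login, or a login without a row, is itself worth a closer look (a rejected or aborted attempt, or a cleared trace file).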
%APPDATA%\AnyDesk\chat\*.txt: if the chat functionality is used, its content is written to a text file in this folder (the sample below is translated from a French-locale lab, where the local user is labelled "Moi", i.e. "Me"):
------ 2 ------
john.doe: hello
Me: good evening
john.doe: goodbye
Several configuration files: %APPDATA%\AnyDesk\user.conf, %APPDATA%\AnyDesk\system.conf, %APPDATA%\AnyDesk\service.conf, %PROGRAMDATA%\AnyDesk\service.conf, %PROGRAMDATA%\AnyDesk\system.conf.
- system.conf and user.conf contain the configuration variables used by AnyDesk. On the client side (connection made from the host), the variable ad.session.remote_browser_start_path indicates the default path on the target side used to upload or download files with AnyDesk. The path usually contains the user folder, which reveals a username on the remote host:
[...]
ad.session.follow_remote_focus=294422414:0
# This is the client path
ad.session.local_browser_start_path=294422414:C*\\Users\\lab\\Downloads
ad.session.local_file_sort_order=294422414:33
# This is the target path
ad.session.remote_browser_start_path=294422414:C*\\Users\\john.doe\\Documents
ad.session.remote_file_sort_order=294422414:33
ad.session.show_keyboard=294422414:false
[...]
- If a password is set, its hash and salt are added to %PROGRAMDATA%\AnyDesk\service.conf, which also contains a certificate and a private key. Example:
ad.anynet.cert=-----BEGIN CERTIFICATE-----\\nMIICqDCCA...mOi\\n-----END CERTIFICATE-----\\n
ad.anynet.pkey=-----BEGIN PRIVATE KEY-----\\nMIIEvgIBA...aum\\n-----END PRIVATE KEY-----\\n
ad.anynet.pwd_hash=5344a7a23b2abb6314c0fa0ae9e20339a62814b7c2fa494b49c897ad63c0d7c9
ad.anynet.pwd_salt=81279b158b9f3e2e697baef91f35b35b
NB: if a password is configured, no local interaction with a user is needed anymore and the connection is validated automatically. The presence of pwd_hash and pwd_salt on a host where nobody admits to setting an unattended-access password is therefore a finding in itself.
Artefacts of interest
Network
- At setup: boot.net.anydesk.com:443
- In use: relay-[a-f0-9]{8}.net.anydesk.com:443 (e.g. relay-ad3345a7.net.anydesk.com:443, relay-8d9e4ddf.net.anydesk.com:443). The eight-hex-digit relay identifier is the same value as the "Main relay ID" and "on relay" fields of ad.trace and ad_svc.trace, which allows proxy or DNS logs to be tied to a specific session.
Executables
Main executable: C:\Program Files (x86)\AnyDesk\AnyDesk.exe
Logs, Registry keys and values added during setup
The following logs, registry keys and values are added while installing AnyDesk, so it can be used to prove its presence at some point.
HKLM\SOFTWARE\Clients\Media\AnyDesk
HKLM\SOFTWARE\Classes\.anydesk\shell\open\command
HKLM\SOFTWARE\Classes\AnyDesk\shell\open\command
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\AnyDesk Printer\*
HKLM\DRIVERS\DriverDatabase\DeviceIds\USBPRINT\AnyDesk
andHKLM\DRIVERS\DriverDatabase\DeviceIds\WSDPRINT\AnyDesk
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\AnyDesk
HKLM\SYSTEM\ControlSet001\Services\AnyDesk
If the printer driver was installed (embedded by default), entries are written to C:\Windows\inf\setupapi.dev.log:
cmd: "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "%APPDATA%\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
as well as to Microsoft-Windows-DeviceSetupManager/Admin.evtx, event ID 112:
"Prop_ContainerId":"4AB05252-BFD6-C6E9-7D0E-58FBD6159485","Prop_DeviceName":"AnyDesk Printer","Prop_PropertyCount":42,"Prop_TaskCount":4,"Prop_WorkTime_MilliSeconds":46
Other artefacts
- Service creation (System event ID 7045):
ImagePath: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
ServiceName: "AnyDesk Service"
ServiceType: "user mode service"
StartType: "auto start"
- Prefetch: C:\Windows\Prefetch\ANYDESK.EXE-[A-F0-9]{8}.pf
- Startup: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\StartUp\AnyDesk.lnk
- Start menu uninstall shortcut: %PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\AnyDesk\Uninstall AnyDesk.lnk
- Tracks in BAM, Userassist, Shimcache, AmCache, JumpList.
Wrap up
From the AnyDesk log file connection_trace.txt, incoming requests and the way they were approved can be determined. Its timestamps can be used to spot the beginning of the corresponding session in the ad.trace and ad_svc.trace log files.
From the ad.trace and ad_svc.trace log files, we can determine the IP address and Client-ID of the remote host. File transfer events are also found in ad.trace.
Finally, configuration files such as user.conf and the other artefacts detailed in this part can reveal a remote participant's username, the installation date, or proof of execution.
Atera and SplashTop
Atera is a remote administration (RMM) platform that handles multiple devices. The client side looks like a neat C2 panel 😉. It shows the state of the controlled device and allows executing scripts and interactive commands (e.g. cmd and PowerShell on Windows), modifying the registry, starting and stopping services, and transferring files. By default, the Atera installer embeds SplashTop, a remote desktop tool (like TeamViewer and AnyDesk). Atera also integrates with TeamViewer, AnyDesk and ScreenConnect (ConnectWise) to open a remote desktop.
Atera and SplashTop are part of the remote admin tools used by threat actors to obtain remote access to compromised devices and to deploy the next stages of malicious code: Cobalt Strike[14], Mimikatz, ransomware... The use of Atera by the Conti ransomware actor has been described in several articles[15].
The version of Atera Agent analysed in this study is 1.8.3.1. The version of SplashTop analysed in this study is 3.52.1.42.
Means of installation
Atera is a SaaS application. The customer creates an account on the Atera web platform, gets a dedicated tenant and registers devices there. An agent is installed on each target as a Windows service using a preconfigured MSI package downloaded from the customer's web console. SplashTop is installed on the target device by Atera as well.
To determine Atera's installation date, we can check:
- the creation date of C:\Program Files\Atera Networks and C:\Program Files (x86)\Atera Networks,
- the last modification date of HKLM\SOFTWARE\ATERA Networks\AlphaAgent,
- a System.evtx event ID 7045 entry showing the creation of the AteraAgent service,
- the last modification date of HKLM\SYSTEM\CurrentControlSet\Services\AteraAgent,
- and an Application.evtx event ID 11707 from MsiInstaller indicating the installation: "Product: AteraAgent -- Installation completed successfully." The user who installed it is given in the UserID field.
To determine SplashTop's installation date, we can check:
- the creation date of C:\Program Files (x86)\Splashtop,
- the last modification date of HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.,
- the last modification date of SplashTop's Uninstall entry HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater,
- a System.evtx event ID 7045 entry showing the creation of the SplashtopRemoteService service,
- and the last modification date of HKLM\SYSTEM\CurrentControlSet\Services\SplashtopRemoteService.
Logs generated on the filesystem
Atera logs
The Atera service writes events directly to Application.evtx: two event sources are registered under the EventLog service for the Application channel, HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\AlphaAgent and HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\AteraAgent.
Moreover, some Atera packages such as "AgentPackageRunCommandInteractive" and "AgentPackageInternalPooler" produce a log file named "log.txt" in their own folder. "AgentPackageRunCommandInteractive" is forensically interesting because it logs the remote interactive commands executed from the Atera console (see below), together with their output; note from the whoami output that this shell runs as NT AUTHORITY\SYSTEM. "AgentPackageInternalPooler" logs Atera internal events and is of little interest.
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\log.txt (the lab runs a French Windows, so the PowerShell banner and output below are translated):
01/09/2022 11:26:42 initialWorkingDirectory: undefined
01/09/2022 11:27:21 initialWorkingDirectory: undefined
01/09/2022 11:27:21 WorkingDirectory C:\Windows\system32
01/09/2022 11:27:21 version 5.1.19041.1
01/09/2022 11:27:21 GetPsVersion Version: 5.1.19041.1
01/09/2022 11:27:21 After Start
01/09/2022 11:27:21 After ConvertStreamToLines
01/09/2022 11:27:22 readBytesLength - 157
01/09/2022 11:27:22 ReadStreamOutputAndWrite Message: Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
01/09/2022 11:27:22 readBytesLength - 4
01/09/2022 11:27:22 ReadStreamOutputAndWrite Message:
01/09/2022 11:27:43 readBytesLength - 24
01/09/2022 11:27:43 ReadStreamOutputAndWrite Message: PS C:\Windows\system32>
01/09/2022 11:27:48 Command: whoami
01/09/2022 11:27:48 readBytesLength - 1
01/09/2022 11:27:48 ReadStreamOutputAndWrite Message: w
01/09/2022 11:27:48 readBytesLength - 7
01/09/2022 11:27:48 ReadStreamOutputAndWrite Message: hoami
01/09/2022 11:27:48 readBytesLength - 45
01/09/2022 11:27:48 ReadStreamOutputAndWrite Message: nt authority\system
PS C:\Windows\system32>
01/09/2022 11:27:56 Command: cd C:\Users\lab
01/09/2022 11:27:56 readBytesLength - 1
01/09/2022 11:27:56 ReadStreamOutputAndWrite Message: c
01/09/2022 11:27:56 readBytesLength - 16
01/09/2022 11:27:56 ReadStreamOutputAndWrite Message: d C:\Users\lab
01/09/2022 11:27:57 readBytesLength - 17
01/09/2022 11:27:57 ReadStreamOutputAndWrite Message: PS C:\Users\lab>
01/09/2022 11:27:59 Command: cd Desktop
01/09/2022 11:27:59 readBytesLength - 1
01/09/2022 11:27:59 ReadStreamOutputAndWrite Message: c
01/09/2022 11:27:59 readBytesLength - 36
01/09/2022 11:27:59 ReadStreamOutputAndWrite Message: d Desktop
PS C:\Users\lab\Desktop>
01/09/2022 11:28:01 Command: dir
01/09/2022 11:28:01 readBytesLength - 1
01/09/2022 11:28:01 ReadStreamOutputAndWrite Message: d
01/09/2022 11:28:01 readBytesLength - 4
01/09/2022 11:28:01 ReadStreamOutputAndWrite Message: ir
01/09/2022 11:28:01 readBytesLength - 2
01/09/2022 11:28:01 ReadStreamOutputAndWrite Message:
01/09/2022 11:28:01 readBytesLength - 679
01/09/2022 11:28:01 ReadStreamOutputAndWrite Message:
Directory: C:\Users\lab\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 31/08/2022 10:05 2352 Microsoft Edge.lnk
-a---- 31/08/2022 12:17 1303 example.txt
Some Atera packages may be missing from this analysis. It is worth listing the folders under C:\Program Files\ATERA Networks\AteraAgent\Packages and checking each one for a log.txt.
If the Windows Security event "A new process has been created" (event ID 4688) is logged with command-line auditing, it is possible to detect scripts executed on the target from the Atera console, as well as transferred files. The AgentPackageFileExplorer package is responsible for those tasks.
- Command line logged for a file transfer:
C:\\Program Files\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageFileExplorer\\AgentPackageFileExplorer.exe c8ff39a4-4c23-4541-8748-779f8ca8a515 de36045b-7325-48b1-91c3-59ba2ed0ff73 agent-api.atera.com/Production 443 or8ixLi90Mf eyJDb21tYW5kIjoiRG93bmxvYWQiLCJQYXRoIjoiQ29tcHV0ZXJcXEM6XFxVc2Vyc1xcbGFiXFxEZXNrdG9wIiwiTmFtZSI6InJhbnNvbXdhcmUuZXhlIiwiVmFsdWUiOiJodHRwczovL3RpY2tldGluZ2l0ZW1zc3RvcmVldS5ibG9iLmNvcmUud2luZG93cy5uZXQvYWdlbnRmaWxldHJhbnNmZXIvMDAxM3owMDAwMnJBemZJQkFTL2I0NzQwNDk2LWQ3YjItNGI2Yi1iYjM4LWJlNmU0Yzg3MzA5NS9yYW5zb213YXJlLmV4ZT9zdj0yMDE3LTA0LTE3JnNyPWImc2lnPWF2NmVsbHZaQWowRzdaWVhOclh4S2xacU5NaGlIb0NJSUo5YkExTURsQ3clM0Qmc2U9MjAyMi0wOS0wMVQxMCUzQTQ0JTNBMzhaJnNwPXJjdyIsIlR5cGUiOm51bGx9
Once decoded, the base64-encoded argument gives:
{"Command":"Download","Path":"Computer\\C:\\Users\\lab\\Desktop","Name":"ransomware.exe","Value":"https://ticketingitemsstoreeu.blob.core.windows.net/agentfiletransfer/0013z00002rAzfIBAS/b4740496-d7b2-4b6b-bb38-be6e4c873095/ransomware.exe?sv=2017-04-17&sr=b&sig=av6ellvZAj0G7ZYXNrXxKlZqNMhiHoCIIJ9bA1MDlCw%3D&se=2022-09-01T10%3A44%3A38Z&sp=rcw","Type":null}
- Command line logged for a script execution:
C:\\Windows\\system32\\cmd.exe /c C:\\Windows\\TEMP\\e5e82236-ba45-4b01-9a20-5de19efdb4d9_perdu.bat
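As an added example (not part of the original article and not Atera's own code), a small Python helper that applies the above to event 4688 command lines: it recognises AgentPackageFileExplorer.exe, decodes the trailing base64 JSON task, and flags cmd.exe launching a GUID-prefixed script from C:\Windows\TEMP. The sample command lines are constructed from the two examples above (the SAS query string is dropped); the regular expressions and the result field names are assumptions.

```python
import base64
import json
import re

# Atera's file-transfer package, as seen in the 4688 command lines above (backslashes may be doubled in exports).
FILE_EXPLORER_RE = re.compile(
    r"AgentPackageFileExplorer\\+AgentPackageFileExplorer\.exe\s+(?P<args>.+)$", re.IGNORECASE)
# Remote scripts are dropped as <GUID>_<name>.bat under C:\Windows\TEMP and launched through cmd.exe.
SCRIPT_RE = re.compile(
    r"cmd\.exe\s+/c\s+(?P<script>C:\\+Windows\\+TEMP\\+[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}_\S+)",
    re.IGNORECASE)

def decode_file_explorer_task(cmdline: str):
    """Return the JSON task carried as the last argument of AgentPackageFileExplorer.exe, or None."""
    m = FILE_EXPLORER_RE.search(cmdline)
    if not m:
        return None
    token = m.group("args").split()[-1]      # the base64 task is the final argument
    token += "=" * (-len(token) % 4)         # tolerate missing base64 padding
    try:
        return json.loads(base64.b64decode(token))
    except ValueError:                       # binascii.Error and JSONDecodeError both derive from it
        return None

def classify_4688(cmdline: str) -> dict:
    """Label an event 4688 CommandLine as an Atera file transfer, an Atera script run, or neither."""
    task = decode_file_explorer_task(cmdline)
    if task is not None:
        return {"action": "atera_file_transfer", "command": task.get("Command"),
                "path": task.get("Path"), "name": task.get("Name"), "source": task.get("Value")}
    m = SCRIPT_RE.search(cmdline)
    if m:
        return {"action": "atera_script", "script": m.group("script")}
    return {"action": None}

# Constructed samples: the task JSON is the decoded argument shown above (SAS query string dropped),
# re-encoded the way the agent passes it; the script line is the one from the page.
SAMPLE_TASK = {"Command": "Download", "Path": "Computer\\C:\\Users\\lab\\Desktop", "Name": "ransomware.exe",
               "Value": "https://ticketingitemsstoreeu.blob.core.windows.net/agentfiletransfer/"
                        "0013z00002rAzfIBAS/b4740496-d7b2-4b6b-bb38-be6e4c873095/ransomware.exe", "Type": None}
SAMPLE_TRANSFER = (
    r"C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe "
    "c8ff39a4-4c23-4541-8748-779f8ca8a515 de36045b-7325-48b1-91c3-59ba2ed0ff73 agent-api.atera.com/Production "
    "443 or8ixLi90Mf "
    + base64.b64encode(json.dumps(SAMPLE_TASK, separators=(",", ":")).encode()).decode().rstrip("="))
SAMPLE_SCRIPT = r"C:\Windows\system32\cmd.exe /c C:\Windows\TEMP\e5e82236-ba45-4b01-9a20-5de19efdb4d9_perdu.bat"
```

Feed it the CommandLine field of each 4688 event (for example from an EVTX export) and keep every result whose action is not None.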
SplashTop logs
The SplashtopRemoteService service adds two new WinEVT channels:
- Splashtop-Splashtop Streamer-Remote Session/Operational: from this EVTX file, we can determine events such as remote session creation and file transfer. In these events, we can also find the client hostname, which could be useful during an investigation. Example:
A file was transferred during the Splashtop remote session (1018449597). App version: 3.5.2.1 File name: mechant.7z From: mechant_host (N/A) To: LABWINDOWS (C:\\Users\\lab\\Desktop)
- Splashtop-Splashtop Streamer-Status/Operational: this EVTX tracks events related to the service status. Example:
Splashtop streamer went online. App version: 3.5.2.1 Server Info: st-v3-univ-srs-win-3521-g3.api.splashtop.com RMM ID: hZCDFPhK75mJ
In addition, SplashTop generates various interesting log files:
- %PROGRAMDATA%\Splashtop\Temp\log\FTCLog.txt: tracks file transfers. Moreover, each log entry shows the user account and the IP address of the client:
2022-09-01 11:42:14 C:\\Users\\lab\\Desktop\\mechant.7z 0.0 KB Upload Completed john doe (123.231.123.231)
- C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\agent_log.txt: this one is kind of a debug log file of the SplashTop agent.
- C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\SPLog.txt: SPLog.txt contains the general logs of the agent. When a connection starts, the hostname, the user display name, and the IP address of the client are logged. We also find the SplashTop relay server, file transfer events, and the use of the chat functionality:
<1>Sep 1 11:40:53 [SM_04020]:[Auth-L] ok, client (mechant_host) can connect to AV server
<1>Sep 1 11:40:53 [SM_04020]:[CoreMgr] ackWithJson enable [*]
<1>Sep 1 11:40:53 [SM_04020]:[CoreMgr] disp name john doe
[...]
<1>Sep 1 11:40:58 [AP_07144]:[Banner] Got notification from SRM. w:7111, l:0
<1>Sep 1 11:40:58 [AP_07144]:[Banner] Reg show banner:0
<1>Sep 1 11:40:58 [AP_07144]:[Banner] Got client 1 public IP 123.231.123.231
[...]
<1>Sep 1 11:42:12 [SM_04020]:[FTC] handle FTC start
<1>Sep 1 11:42:12 [SM_04020]:[File] FileStreamSendDataHandler run start
<1>Sep 1 11:42:12 [SM_04020]:[FTC] UploadRequest, fileID[289614100], filePath[C:\Users\lab\Desktop\mechant.7z], compresstyee[1]
<1>Sep 1 11:42:12 [SM_04020]:[CCloudFileTaskManager::OnUploadRequest] CCloudFileTaskManager::OnUploadRequest(1, 1, ...)=>{"fileID":"289614100","fileName":"mechant.7z","fileSize":"1885074","fullPath":"C:\\Users\\lab\\Desktop\\mechant.7z","remotesessionFTC":1,"request":"uploadFile"}
[...]
<1>Sep 1 11:44:18 [CT_06340]:[Chat] User want to save logs
<1>Sep 1 11:44:36 [CT_06340]:[Chat] Begin to write text file to C:\Users\lab\Desktop\Splashtop_Chat_20220901_1144.txt, lines:7
<1>Sep 1 11:44:36 [CT_06340]:[Chat] File::C:\Users\lab\Desktop\Splashtop_Chat_20220901_1144.txt save successfully
<1>Sep 1 11:44:36 [CT_06340]:[Chat] --- SRChat End ---
<1>Sep 1 11:44:37 [CT_06340]:[Chat] No live wnd, close process
- C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\svcinfo.txt and C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\log\sysinfo.txt do not have much interest for the forensic analysis. They log internal events of the agent.
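As an added example (not from the article and not Splashtop's own code), a Python parser for the SPLog.txt and FTCLog.txt entries shown above that pulls out the client hostname, display name, public IP address, uploaded files and saved chat logs. The line patterns are assumptions derived only from these excerpts, and the sample lines are copied from them.

```python
import re

# Field extractors for SPLog.txt lines (formats taken from the entries shown above).
SPLOG_FIELDS = {
    "client_hostname": re.compile(r"\[Auth-L\] ok, client \((?P<v>[^)]+)\) can connect"),
    "client_display_name": re.compile(r"\[CoreMgr\] disp name (?P<v>.+?)\s*$"),
    "client_public_ip": re.compile(r"\[Banner\] Got client \d+ public IP (?P<v>\d{1,3}(?:\.\d{1,3}){3})"),
}
SPLOG_TS = re.compile(r"^<\d+>(?P<ts>[A-Za-z]{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) ")
SPLOG_UPLOAD = re.compile(r"\[FTC\] UploadRequest, fileID\[(?P<id>\d+)\], filePath\[(?P<path>[^\]]+)\]")
SPLOG_CHAT = re.compile(r"\[Chat\] File::(?P<path>.+?) save successfully")
# FTCLog.txt line: "<date> <time> <path> <size> <Upload|Download> <status> <user> (<ip>)"
FTC_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<path>.+?) (?P<size>[\d.]+ [KMG]?B) "
    r"(?P<direction>Upload|Download) (?P<status>\w+) (?P<user>.+?) \((?P<ip>[\d.]+)\)\s*$")

def parse_splog(text: str) -> dict:
    """Who connected, from where, what was uploaded and which chat logs were saved."""
    out = {k: None for k in SPLOG_FIELDS}
    out.update(uploads=[], chat_logs=[])
    for line in text.splitlines():
        ts = SPLOG_TS.match(line)
        stamp = ts.group("ts") if ts else None
        for key, pat in SPLOG_FIELDS.items():
            m = pat.search(line)
            if m:
                out[key] = m.group("v")          # last value seen wins (latest client)
        if m := SPLOG_UPLOAD.search(line):
            out["uploads"].append({"time": stamp, "file_id": m.group("id"), "path": m.group("path")})
        if m := SPLOG_CHAT.search(line):
            out["chat_logs"].append(m.group("path"))
    return out

def parse_ftclog(text: str) -> list:
    """One dict per FTCLog.txt transfer line; lines that do not match are skipped."""
    return [m.groupdict() for m in map(FTC_LINE.match, text.splitlines()) if m]

# Constructed samples, copied from the log excerpts shown on this page.
SAMPLE_SPLOG = r"""<1>Sep 1 11:40:53 [SM_04020]:[Auth-L] ok, client (mechant_host) can connect to AV server
<1>Sep 1 11:40:53 [SM_04020]:[CoreMgr] disp name john doe
<1>Sep 1 11:40:58 [AP_07144]:[Banner] Got client 1 public IP 123.231.123.231
<1>Sep 1 11:42:12 [SM_04020]:[FTC] UploadRequest, fileID[289614100], filePath[C:\Users\lab\Desktop\mechant.7z], compresstyee[1]
<1>Sep 1 11:44:36 [CT_06340]:[Chat] File::C:\Users\lab\Desktop\Splashtop_Chat_20220901_1144.txt save successfully"""
SAMPLE_FTCLOG = r"2022-09-01 11:42:14 C:\Users\lab\Desktop\mechant.7z 0.0 KB Upload Completed john doe (123.231.123.231)"
```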
Finally, if the chat functionality is used, the chat window asks the user if they want to save the chat logs on the file system. By default, the filename format looks like "Splashtop_Chat_20220901_1144.txt". The usernames of both participants are also displayed.
[11:41] La session de chat a commencé.
[11:41] john doe a rejoint la session de chat.
[11:41] john doe: chat?
[11:41] lab: oui
[11:42] john doe a quitté la session de chat.
[11:42] La session de chat a été fermée.
Artefacts of interest
Network
Atera [16]:
- pubsub.atera.com
- pubsub.pubnub.com
- agentreporting.atera.com
- getalphacontrol.com
- app.atera.com
- agenthb.atera.com
- packagesstore.blob.core.windows.net
- ps.pndsn.com
- agent-api.atera.com
- cacerts.thawte.com
- agentreportingstore.blob.core.windows.net
- atera-agent-heartbeat.servicebus.windows.net
- ps.atera.com
- atera.pubnubapi.com
- appcdn.atera.com
SplashTop: *.splashtop.com (api.splashtop.com, relay.splashtop.com)
Executables
- Atera Service: C:\Program Files\ATERA Networks\AteraAgent\AteraAgent.exe, C:\Program Files\Atera Networks\AlphaAgent.exe
- Atera uses "Packages" modules to execute remote actions on the target. Examples:
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageSTRemote\AgentPackageSTRemote.exe
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageMonitoring\AgentPackageMonitoring.exe
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageHeartbeat\AgentPackageHeartbeat.exe
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageFileExplorer\AgentPackageFileExplorer.exe
C:\Program Files\ATERA Networks\AteraAgent\Packages\AgentPackageRunCommandInteractive\AgentPackageRunCommandInteractive.exe
- Splashtop Remote Service: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRService.exe
- SplashTop Remote Agent: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRAgent.exe
- Splashtop Updater: C:\Program Files (x86)\Splashtop\Splashtop Software Updater\SSUAgent.exe
- Splashtop other executables: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRUtility.exe, C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\SRFeature.exe
Registry keys and values added during setup
Atera
The following registry keys and values are added while installing Atera, so they can be used to prove its presence at some point.
HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASAPI32
HKLM\SOFTWARE\Microsoft\Tracing\AteraAgent_RASMANCS
HKLM\SOFTWARE\ATERA Networks\*
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\AlphaAgent
HKLM\SYSTEM\ControlSet001\Services\EventLog\Application\AteraAgent
HKLM\SYSTEM\ControlSet001\Services\AteraAgent
SplashTop
The following registry keys and values are added while installing SplashTop, so they can be used to prove its presence at some point.
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Remote Session/Operational
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Splashtop-Splashtop Streamer-Status/Operational
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater
HKLM\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\Splashtop Software Updater\InstallRefCount
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\*
HKLM\SYSTEM\ControlSet001\Control\SafeBoot\Network\SplashtopRemoteService
HKLM\SYSTEM\ControlSet001\Services\SplashtopRemoteService
HKU\.DEFAULT\Software\Splashtop Inc.\*
HKU\SID\Software\Splashtop Inc.\*
Registry keys and values added while using SplashTop
The following registry keys and values are added and modified while using SplashTop, so they can be used to prove that it was executed at some point.
- HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Splashtop PDF Remote Printer
- HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\*
The ClientInfo registry key specified above is interesting and gives information about the last connected client: the device name of the client, the client display name, and other information. During my research, some values were empty, but they might give useful pieces of evidence as well. See below the values created under the ClientInfo key:
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\DeviceName: "mechant_host"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\DeviceID: "5"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\AppName: "STR"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\Client_DisplayName: "john doe"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\UDID: "8629d66d5885f8a4c962851317a240be7ab3057d"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\Update: 0x00000001
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\BundleID: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\UserAccount: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\OEMID: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\AppVersion: "3.4.6.1"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\UpsellInfo: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\ExtraID: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\Client_SPID: ""
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\AbwMode: "1stFrame"
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\AbwConnType: 0x00000000
HKLM\SOFTWARE\WOW6432Node\Splashtop Inc.\Splashtop Remote Server\ClientInfo\AbwProfiles: "0"
Other artefacts
Atera Service Creation EventID 7045 System:
ImagePath:"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\AteraAgent.exe"
ServiceName:"AteraAgent"
ServiceType:"service en mode utilisateur"
StartType:"Démarrage automatique"
Atera Package Manager Service Creation EventID 7045 System:
ImagePath:"C:\\Program Files (x86)\\ATERA Networks\\AteraAgent\\Packages\\AgentPackageMonitoring\\OpenHardwareMonitorLib.sys"
ServiceName:"WinRing0_1_2_0"
ServiceType:"pilote en mode noyau"
StartType:"Démarrage à la demande"
SplashTop Update Service Creation EventID 7045 System:
ImagePath:"C:\\Program Files (x86)\\Splashtop\\Splashtop Software Updater\\SSUService.exe"
ServiceName:"Splashtop Software Updater Service"
ServiceType:"service en mode utilisateur"
StartType:"Démarrage automatique"
SplashTop Streamer Service Creation EventID 7045 System:
ImagePath:"C:\\Program Files (x86)\\Splashtop\\Splashtop Remote\\Server\\SRService.exe"
ServiceName:"Splashtop® Remote Service"
ServiceType:"service en mode utilisateur"
StartType:"Démarrage automatique"
Prefetch: \Windows\Prefetch\ATERAAGENT.EXE-[A-F0-9]{8}.pf
SplashTop has two encrypted sqlite3 databases: C:\Program Files (x86)\Splashtop\Splashtop Remote\Server\db\SRAgent.sqlite3, and one in %PROGRAMDATA%\Splashtop\Splashtop Remote Server\Credential\ with a random alphanumeric filename. In addition, private and public keys are found in %PROGRAMDATA%\Splashtop\Splashtop Remote Server\Credential: SDCredPubKey, SDCredPriKey, and SDValidationKey. After some reverse engineering of the SRAgent.exe encryption routines, the decrypted sqlite3 databases mostly reveal information about the host itself, such as the installed Windows update packages.
Tracks are also left in BAM, UserAssist, ShimCache, Amcache, and JumpLists.
Wrap up
Atera executes packages in order to perform some actions: interactive command execution, script execution, and file transfer. Some packages leave log.txt files containing information about the performed actions. The AgentPackageRunCommandInteractive package log file traces the input and output of commands executed remotely from the Atera client. The AgentPackageFileExplorer package does not seem to produce a log.txt file, but it is responsible for executing remote scripts and transferring files. If the 4688 Security event is logged, traces of those tasks will be found in the command line of the AgentPackageFileExplorer executable. Atera does not give much information about the remote host, probably because it is a SaaS application.
SplashTop, the remote desktop tool installed by Atera, is more verbose on this matter. First, two EVTX channels are created: Splashtop-Splashtop Streamer-Remote Session/Operational and Splashtop-Splashtop Streamer-Status/Operational. The first one traces events such as remote session creation and file transfer, where the hostname of the remote host can be determined. The FTCLog.txt log file also tracks file transfers. In addition, its log entries can give us the user display name and the external IP address of the remote participant. Finally, the SPLog.txt log file really is the cherry on the cake for incident responders: it logs the beginning and the end of connections, the hostname, the user display name, and the IP address of the remote host, file transfers as well as chat events.
Conclusion
As shown in recent investigation reports, "legitimate RATs" are becoming popular among threat actors. They are not considered suspicious by host detection products and provide a comfortable set of features for the attackers. Moreover, the tools presented in this article use relay servers to make the connection, giving an advantage to an attacker wishing to cover their tracks. However, these remote access tools are not meant to be stealthy, and they leave traces that can reveal evidence of an intrusion: period of connection, command execution, file transfer, hostname and username of the attacker, as well as their public IP address. Therefore, incident responders and SOC analysts should make the effort to know these details and question whether the use of such a tool really was legitimate.
- 1. https://twitter.com/IcsNick/status/1557747197982248960
- 2. https://www.huntandhackett.com/blog/revil-the-usage-of-legitimate-remot…
- 3. https://www.bleepingcomputer.com/news/security/screenconnect-msp-softwa…
- 4. https://malpedia.caad.fkie.fraunhofer.de/actor/teamspy_crew
- 5. https://community.spiceworks.com/topic/1923648-shade-a-ransomware-that-…
- 6. https://www.bleepingcomputer.com/news/security/surprise-ransomware-inst…
- 7. https://community.teamviewer.com/English/kb/articles/108789-log-file-re…
- 8. https://aristanetworks.force.com/AristaCommunity/s/article/Security-Ana…
- 9. https://thedfirreport.com/2021/10/04/bazarloader-and-the-conti-leaks/
- 10. https://thedfirreport.com/2022/08/08/bumblebee-roasts-its-way-to-domain…
- 11. https://www.trendmicro.com/en_us/research/18/e/legitimate-application-a…
- 12. https://hatsoffsecurity.com/2022/02/28/anydesk-forensic-analysis-and-ar…
- 13. https://support.anydesk.com/knowledge/trace-files
- 14. https://news.sophos.com/en-us/2022/01/19/zloader-installs-remote-access…
- 15. https://thedfirreport.com/2022/04/04/stolen-images-campaign-ends-in-con…
- 16. https://support.atera.com/hc/en-us/articles/215955967-Troubleshoot-the-…-