Today I received an alert from a certain special piece of cybersecurity software regarding an anomalous outbound RDP connection.
Upon further investigation – it was an officer from our police dept RDPing to his home computer (lol he ported thru 3389). He was using dynamic DNS address with his name in the subdomain.
For the past week this has happened once per shift, and every time almost the same amount of data. It has happened on 5 different computers in the lab.
In total, 8 MB out, 400 MB in. Initially, I thought he was exfiltrating data, but that doesn’t make sense, not much data has gone out.
I thought maybe he was bypassing the firewall, but it’s odd the same amount of data is transferred each time. There is a weird pattern. At first I thought it was a script but I’ve confirmed he has been physically at the PC for all these occurrences.
So I blocked 3389 and am waiting to see what happens tonight. Maybe I’ll get a ticket from him. Regardless, that should have been done a while ago.
Any ideas? What’s he doing?
I’m gonna have a discussion with his supervisor Monday regardless, it’s a clear AUP violation. And, I’m hopeful / confident there was no malicious intent. But this is odd…
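An added defender-side example, not part of the post above: a small triage script over constructed flow records that groups outbound TCP/3389 sessions per destination, flags destinations that look like dynamic DNS (the suffix list is a placeholder, a real deployment would use a maintained provider list), and checks whether the inbound byte volume recurs within a tight tolerance, which is the pattern that made this case stand out (many lab hosts, one destination, near-identical transfer sizes).

```python
import statistics
from collections import defaultdict

# Constructed sample flow records: (src host, dst name, dst port, bytes out, bytes in).
# Values loosely mirror the case in the post (about 8 MB out, about 400 MB in per session).
FLOWS = [
    ("LAB-PC-01", "jsmith.dyn-example.net", 3389, 8_100_000, 401_000_000),
    ("LAB-PC-02", "jsmith.dyn-example.net", 3389, 7_900_000, 398_000_000),
    ("LAB-PC-03", "jsmith.dyn-example.net", 3389, 8_200_000, 403_000_000),
    ("LAB-PC-04", "jsmith.dyn-example.net", 3389, 8_000_000, 399_500_000),
    ("LAB-PC-05", "jsmith.dyn-example.net", 3389, 8_050_000, 400_200_000),
    ("LAB-PC-01", "files.example.org", 443, 120_000, 9_000_000),
    ("LAB-PC-02", "jumphost.corp.example", 3389, 500_000, 30_000_000),
]

# Placeholder dynamic DNS suffixes (assumption); replace with a maintained provider list.
DYNDNS_SUFFIXES = ("dyn-example.net", "ddns-example.com")


def is_dynamic_dns(name: str) -> bool:
    """True if the destination name ends in a known dynamic DNS suffix."""
    name = name.lower().rstrip(".")
    return any(name == s or name.endswith("." + s) for s in DYNDNS_SUFFIXES)


def find_recurring_rdp(flows, min_sessions: int = 3, max_cv: float = 0.10):
    """Group outbound RDP flows by destination and report recurring ones.

    A destination is reported when it is reached by at least min_sessions
    sessions; consistent_volume is set when the inbound byte counts vary by
    no more than max_cv (coefficient of variation), i.e. "same amount each time".
    """
    by_dst = defaultdict(list)
    for src, dst, port, bytes_out, bytes_in in flows:
        if port == 3389:
            by_dst[dst].append((src, bytes_out, bytes_in))

    findings = []
    for dst, sessions in by_dst.items():
        if len(sessions) < min_sessions:
            continue
        inbound = [s[2] for s in sessions]
        cv = statistics.pstdev(inbound) / statistics.mean(inbound)
        findings.append({
            "dst": dst,
            "hosts": sorted({s[0] for s in sessions}),
            "sessions": len(sessions),
            "avg_bytes_out": int(statistics.mean(s[1] for s in sessions)),
            "avg_bytes_in": int(statistics.mean(inbound)),
            "consistent_volume": cv <= max_cv,
            "dynamic_dns": is_dynamic_dns(dst),
        })
    return findings
```

Run against real flow or firewall logs, the `dynamic_dns` and `consistent_volume` flags together are what separate this case from ordinary one-off RDP to an internal jump host.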