April 23, 2021

What’s this guy up to?

Today I received an alert from a certain special piece of cybersecurity software regarding an anomalous outbound RDP connection.

Upon further investigation – it was an officer from our police dept RDPing to his home computer (lol, he ported through 3389). He was using a dynamic DNS address with his name in the subdomain.

For the past week this has happened once per shift, and every time almost the same amount of data. It has happened on 5 different computers in the lab.

In total, 8 MB out, 400 MB in. Initially, I thought he was exfiltrating data, but that doesn’t make sense; not much data has gone out.

I thought maybe he was bypassing the firewall, but it’s odd that the same amount of data is transferred each time. There is a weird pattern. At first I thought it was a script, but I’ve confirmed he has been physically at the PC for all these occurrences.

So I blocked 3389 and am waiting to see what happens tonight. Maybe I’ll get a ticket from him. Regardless, that should have been done a while ago.

Any ideas? What’s he doing?

I’m gonna have a discussion with his supervisor Monday regardless; it’s a clear AUP violation. And I’m hopeful / confident there was no malicious intent. But this is odd…
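The pattern described in the post (outbound TCP/3389 to a dynamic-DNS hostname, from several lab PCs, once per shift, with nearly the same byte counts every time) is easy to turn into a detection rule over flow or firewall logs. The following is an added example, not code from the post or from any product mentioned; the flow records, hostnames and dynamic-DNS suffix list are constructed for illustration.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Suffixes treated as dynamic-DNS providers (assumed list for the example).
DYNDNS_SUFFIXES = (".dyndns.example", ".no-ip.example", ".duckdns.example")

# Constructed flow records (not from the post): one RDP session per shift from five
# lab PCs to one dynamic-DNS hostname, plus benign sessions to an internal jump host.
# Fields: (timestamp, src_host, dst_host, dst_port, bytes_out, bytes_in)
SAMPLE_FLOWS = [
    ("2021-04-16T22:05", "lab-pc-01", "jsmith.dyndns.example", 3389, 1_600_000, 80_100_000),
    ("2021-04-17T22:02", "lab-pc-03", "jsmith.dyndns.example", 3389, 1_600_000, 79_900_000),
    ("2021-04-18T22:10", "lab-pc-02", "jsmith.dyndns.example", 3389, 1_600_000, 80_300_000),
    ("2021-04-19T22:07", "lab-pc-05", "jsmith.dyndns.example", 3389, 1_600_000, 79_800_000),
    ("2021-04-20T22:04", "lab-pc-04", "jsmith.dyndns.example", 3389, 1_600_000, 80_200_000),
    ("2021-04-19T09:30", "lab-pc-01", "jumphost.corp.example", 3389, 300_000, 4_000_000),
    ("2021-04-20T14:12", "lab-pc-01", "jumphost.corp.example", 3389, 2_500_000, 41_000_000),
    ("2021-04-20T15:00", "lab-pc-02", "updates.corp.example", 443, 50_000, 90_000_000),
]

def is_dyndns(host, suffixes=DYNDNS_SUFFIXES):
    return host.lower().endswith(suffixes)

def flag_outbound_rdp(flows, suffixes=DYNDNS_SUFFIXES, min_hosts=2, min_sessions=3, cv_max=0.2):
    """Group outbound TCP/3389 flows by destination and report destinations matching the
    post's pattern: dynamic-DNS name, reached from several internal hosts, and near-identical
    inbound byte counts per session (low coefficient of variation)."""
    by_dst = defaultdict(list)
    for _ts, src, dst, port, out_b, in_b in flows:
        if port == 3389:
            by_dst[dst].append((src, out_b, in_b))
    findings = []
    for dst, sessions in by_dst.items():
        hosts = sorted({s[0] for s in sessions})
        in_bytes = [s[2] for s in sessions]
        avg = mean(in_bytes)
        cv = pstdev(in_bytes) / avg if avg else 0.0
        reasons = []
        if is_dyndns(dst, suffixes):
            reasons.append("dynamic-DNS destination")
        if len(hosts) >= min_hosts:
            reasons.append(f"reached from {len(hosts)} internal hosts")
        if len(sessions) >= min_sessions and cv <= cv_max:
            reasons.append(f"repeating volume over {len(sessions)} sessions (cv={cv:.3f})")
        if reasons:  # anything with no reason (e.g. the internal jump host) is not reported
            findings.append({"dst": dst, "hosts": hosts, "sessions": len(sessions),
                             "total_out": sum(s[1] for s in sessions),
                             "total_in": sum(in_bytes), "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in flag_outbound_rdp(SAMPLE_FLOWS):
        print(f"{f['dst']}: {f['total_out']/1e6:.1f} MB out, {f['total_in']/1e6:.1f} MB in; "
              + "; ".join(f["reasons"]))
```

On the constructed data the only finding is the dynamic-DNS host, with roughly 8 MB out and 400 MB in across five hosts, matching the numbers in the post; the internal jump host, reached from one PC with very different volumes, is not reported.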

Comments

LobsterMelodica

Downloading a video or music that he wants to have during his shift. Maybe a video game installer. Something like that. I used to grab music from my homebox over SSH from an old job lol.
