
General Discussion: Strange startup traffic

I have detected unusual network traffic at PC startup. In a Wireshark capture you see that, after the user enters his password, the Windows XP client connects to the remote registry of the domain controller and tries to set or query some registry keys related to Terminal Services. In brief:

Client -> Domain Controller: OpenKey HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\DefaultConfiguration

followed by the sequence:

Client -> Domain Controller: QueryValue request fInheritAutologon
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritResetBroken
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritReconnectSame
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritInitialProgram
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritCallBack
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritCallBackNumber
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritShadow
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritMaxSessionTime
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritMaxDesconectionTime
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritMaxIdleTime
Domain Controller -> Client: QueryValue response
Client -> Domain Controller: QueryValue request fInheritAutoclient
Domain Controller -> Client: QueryValue response, Error: WERR_BADFILE
Client -> Domain Controller: QueryValue request fInheritSecurity
Domain Controller -> Client: QueryValue response, Error: WERR_BADFILE
Client -> Domain Controller: QueryValue request fInheritColorDepth
Domain Controller -> Client: QueryValue response, Error: WERR_BADFILE
Client -> Domain Controller: QueryValue request fpromptforpassword
Domain Controller -> Client: QueryValue response

and there are more keys being consulted. Another hive that is consulted in the same trace is useroverride\Control Panel\Desktop, with other keys.

This traffic is produced after the default domain policy is applied, but we don't have any configuration for Terminal Server in this policy. As far as I know this is not normal, because PC clients in a domain don't try to configure the Terminal Service. We only have the execution of a script in the netlogon folder to map three server folders (department documents, public and user) and certain policies that are applied afterwards. I have seen this traffic on certain PCs, but on others it is different.

Do you think that someone has changed the default policy and is applying it to certain PCs? Is it some type of malware? Is it a driver or service installed by someone? I am lost with this problem, but the user has to wait a long time for the PC to become operative at startup.
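A way to turn a capture like the one above into a per-key report, as an added example that is not part of the original post: the script below pairs each WINREG (MS-RRP) request with the next response on the same client/server flow, attributes every QueryValue to the key most recently opened on that flow, and lists which values came back with an error. The input is a constructed text summary modelled on Wireshark's Info column, not real capture output; the addresses 10.0.0.5 (client) and 10.0.0.1 (domain controller), the value name ScreenSaveTimeOut under useroverride\Control Panel\Desktop, and the exact line layout are all assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample (not real tshark/Wireshark output). Lines are
# "<src> -> <dst> WINREG <op> <request|response>[, Key: ...][, Value: ...][, Error: ...]".
# 10.0.0.5 is the hypothetical XP client, 10.0.0.1 the hypothetical domain controller.
SAMPLE = """\
10.0.0.5 -> 10.0.0.1 WINREG OpenKey request, Key: SYSTEM\\CurrentControlSet\\Control\\Terminal Server\\DefaultConfiguration
10.0.0.1 -> 10.0.0.5 WINREG OpenKey response
10.0.0.5 -> 10.0.0.1 WINREG QueryValue request, Value: fInheritAutoLogon
10.0.0.1 -> 10.0.0.5 WINREG QueryValue response
10.0.0.5 -> 10.0.0.1 WINREG QueryValue request, Value: fInheritAutoClient
10.0.0.1 -> 10.0.0.5 WINREG QueryValue response, Error: WERR_BADFILE
10.0.0.5 -> 10.0.0.1 WINREG OpenKey request, Key: useroverride\\Control Panel\\Desktop
10.0.0.1 -> 10.0.0.5 WINREG OpenKey response
10.0.0.5 -> 10.0.0.1 WINREG QueryValue request, Value: ScreenSaveTimeOut
10.0.0.1 -> 10.0.0.5 WINREG QueryValue response, Error: WERR_BADFILE
"""

LINE = re.compile(
    r"^(?P<src>\S+) -> (?P<dst>\S+) WINREG (?P<op>\w+) (?P<dir>request|response)"
    r"(?:, Key: (?P<key>.*?))?(?:, Value: (?P<val>.*?))?(?:, Error: (?P<err>\S+))?$"
)


def parse_winreg(text):
    """Pair each WINREG request with the following response on the same flow.

    Returns a list of dicts {client, server, op, key, value, error}, one per
    completed request/response pair. A QueryValue inherits the key from the
    last OpenKey seen on that client->server flow.
    """
    events = []
    pending = {}      # (client, server) -> request still waiting for a response
    current_key = {}  # (client, server) -> key opened most recently
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # not a WINREG summary line; ignore
        f = m.groupdict()
        if f["dir"] == "request":
            flow = (f["src"], f["dst"])
            if f["op"] == "OpenKey":
                current_key[flow] = f["key"]
            pending[flow] = {
                "client": f["src"], "server": f["dst"], "op": f["op"],
                "key": current_key.get(flow), "value": f["val"], "error": None,
            }
        else:
            flow = (f["dst"], f["src"])  # response flows server -> client
            req = pending.pop(flow, None)
            if req is None:
                continue  # response without a request (capture started mid-stream)
            req["error"] = f["err"]
            events.append(req)
    return events


def summarize(events):
    """Group QueryValue pairs by (server, key): values queried and values that errored."""
    report = defaultdict(lambda: {"queried": [], "errors": {}})
    for e in events:
        if e["op"] != "QueryValue":
            continue
        entry = report[(e["server"], e["key"])]
        entry["queried"].append(e["value"])
        if e["error"]:
            entry["errors"][e["value"]] = e["error"]
    return dict(report)


if __name__ == "__main__":
    for (server, key), entry in summarize(parse_winreg(SAMPLE)).items():
        print(f"{server}  {key}")
        for value in entry["queried"]:
            status = entry["errors"].get(value, "ok")
            print(f"    {value}: {status}")
```

Run against a real capture by exporting the WINREG-filtered packet list from Wireshark as text (or `tshark -Y winreg`) and adapting the regex to the column layout you get; the value of the report is that a long run of WERR_BADFILE responses against the DC for a key the client should be reading locally stands out at a glance, and the client/server pairing tells you which PCs are doing it.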
