Splashtop
Once an initial foothold has been established within a compromised network or device, threat actors try to maintain long-term persistence. One way of achieving this is by using third-party remote access solutions.
One of the third-party remote access solutions of choice recently has been Splashtop.
So, what is Splashtop? I did what every nerd's doing at the moment and asked ChatGPT:
How do Threat Actors use Splashtop?
To connect to a machine via Splashtop, the threat actor must deploy a Splashtop Streamer package on the victim's machine. These packages are baked with a unique package code:
Here is an example where we are sending and receiving files from an endpoint:
Event Logs of interest
Once the Splashtop Streamer has been installed, it creates logs by default which reside in the Windows Event Logs.
**Remember to add these to your DFIR collection tools**
%SystemRoot%\System32\Winevt\Logs\Splashtop-Splashtop Streamer-Remote Session%4Operational.evtx
%SystemRoot%\System32\Winevt\Logs\Splashtop-Splashtop Streamer-Status%4Operational.evtx
Splashtop Streamer client was added to a Splashtop team
Event ID: 200
Event Log: Splashtop-Splashtop Streamer-Status/Operational
DFIR Notes: The email address associated with the Splashtop account is visible once the endpoint has been added to the threat actor's computer list within the Splashtop console.
Splashtop Streamer connection was initiated to the endpoint.
Event ID: 300
Event Log: Splashtop-Splashtop Streamer-Status/Operational
DFIR Notes: From testing, this appears once a connection has been initiated from the threat actor's machine to the victim endpoint. If there is RMM integration, this ID is also present.
Splashtop remote session has been started.
Event ID: 1000
Event Log: Splashtop-Splashtop Streamer-Remote Session/Operational
DFIR Notes: Splashtop session ID, registered email address and threat actor's hostname are located within this event log.
A file has been transferred.
Event ID: 1101
Event Log: Splashtop-Splashtop Streamer-Remote Session/Operational
DFIR Notes: The Splashtop session ID, the file which has been copied, the threat actor's hostname and the directory location on the victim's endpoint are all logged within this event.
A file has been exfiltrated.
Event ID: 1100
Event Log: Splashtop-Splashtop Streamer-Remote Session/Operational
DFIR Notes: The Splashtop session ID, the file which has been exfiltrated and its location, and the threat actor's hostname are all logged within this event.
Splashtop Streamer was installed as a service.
Event ID: 7045
Event Log: System
Splashtop remote session ended.
Event ID: 1001
Event Log: Splashtop-Splashtop Streamer-Remote Session/Operational
DFIR Notes: The Splashtop session has ended; the event shows the session ID for tracking and the session duration.
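The following PowerShell is an added example, not code from the original post or from Splashtop. It pulls the event IDs listed above out of the Status, Remote Session and System channels, either live on the host or from the exported .evtx files of a DFIR collection (the on-disk filenames use `%4` in place of `/`, as shown in the paths above). The field names inside each event's EventData are not documented here, so the function returns them generically rather than assuming any particular layout; the ID-to-meaning mapping is simply the list above.

```powershell
# Added example (not from the original post or Splashtop's tooling): triage the
# Splashtop Streamer event channels, live or from exported .evtx files.

function Convert-SplashtopEventData {
    # Flatten <EventData><Data Name="...">...</Data></EventData> into an ordered hashtable.
    # Field names are whatever the event carries; unnamed <Data> items get Data0, Data1, ...
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event)
    $fields = [ordered]@{}
    $xml = [xml]$Event.ToXml()
    if (-not $xml.Event.EventData) { return $fields }
    $i = 0
    foreach ($d in @($xml.Event.EventData.Data)) {
        if ($null -eq $d) { continue }
        if ($d -is [System.Xml.XmlElement]) {
            $name = $d.GetAttribute('Name')
            if (-not $name) { $name = "Data$i" }
            $fields[$name] = $d.InnerText
        } else {
            $fields["Data$i"] = [string]$d   # unnamed <Data> comes back as a plain string
        }
        $i++
    }
    return $fields
}

function Get-SplashtopEvents {
    [CmdletBinding()]
    param(
        # Folder holding exported .evtx files (a DFIR collection). Omit to read the live channels.
        [string]$EvtxFolder
    )
    # Event ID meanings as described in the post.
    $meaning = @{
        200  = 'Streamer added to a Splashtop team'
        300  = 'Connection initiated to the endpoint'
        1000 = 'Remote session started'
        1001 = 'Remote session ended'
        1100 = 'File transferred from the endpoint (exfiltration)'
        1101 = 'File transferred to the endpoint'
        7045 = 'Service installed (System log)'
    }
    # Channel -> IDs of interest in that channel.
    $channels = [ordered]@{
        'Splashtop-Splashtop Streamer-Status/Operational'         = @(200, 300)
        'Splashtop-Splashtop Streamer-Remote Session/Operational' = @(1000, 1001, 1100, 1101)
        'System'                                                  = @(7045)
    }
    foreach ($log in $channels.Keys) {
        $filter = @{ Id = $channels[$log] }
        if ($EvtxFolder) {
            # Exported filename: '/' in the channel name is stored as '%4' on disk.
            $filter['Path'] = Join-Path $EvtxFolder (($log -replace '/', '%4') + '.evtx')
        } else {
            $filter['LogName'] = $log
        }
        $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $data = Convert-SplashtopEventData -Event $e
            # 7045 fires for every service install; keep only the Splashtop ones.
            # Message can be null on offline .evtx, so the raw EventData is checked as well.
            if ($log -eq 'System' -and
                ("$($e.Message) " + ($data.Values -join ' ')) -notmatch 'Splashtop') { continue }
            [PSCustomObject]@{
                TimeCreated = $e.TimeCreated
                Channel     = $log
                Id          = $e.Id
                Meaning     = $meaning[$e.Id]
                EventData   = ($data.GetEnumerator() | ForEach-Object { "$($_.Key)=$($_.Value)" }) -join '; '
            }
        }
    }
}

# Usage on a live host (timeline order):
#   Get-SplashtopEvents | Sort-Object TimeCreated | Format-Table -AutoSize
# Usage against a collection folder that contains the two .evtx files plus System.evtx:
#   Get-SplashtopEvents -EvtxFolder 'D:\case01\Logs' | Export-Csv splashtop-events.csv -NoTypeInformation
```

Sorting the combined output by TimeCreated gives a single timeline: the 200/300 enrolment, the 1000 session start, any 1100/1101 transfers, and the 1001 end with its duration, which is usually the quickest way to scope what the remote party did on the box.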
Files of Interest
If you can recover the installer binary used to deploy Splashtop, a strings review can reveal the unique 12-digit streamer code that is required at installation. This might assist you in reporting fraudulent activity to Splashtop's Responsible Disclosure program [untested].
The Splashtop FTC log (FTCLog.txt, location below) contains lots of useful forensic artifacts, much like the Windows Event Logs described above.
A string search was performed to find interesting artifacts:
- "Got client 1 spid" -- Find potential threat actor email
- "Got client 1 public IP" -- Find the public IP address of the threat actor device
- "OnUploadRequest" -- Threat actor uploading a file to a victim's device
- "DownloadRequest" -- Threat actor downloading files from a victim's device
Log Location: C:\ProgramData\Splashtop\Temp\log\FTCLog.txt
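The following PowerShell is an added example, not code from the original post or from Splashtop. It runs the four string searches listed above over FTCLog.txt and returns one object per hit. The regexes that lift an email address or an IPv4 address out of the matching line are an assumption about the line format (that the value appears on the same line as the search string); when they do not match, the raw line is still returned so nothing is lost.

```powershell
# Added example (not from the original post): string search over Splashtop's FTCLog.txt.

function Search-SplashtopFtcLog {
    [CmdletBinding()]
    param(
        # Default is the live location given in the post; point it at a collected copy for offline work.
        [string]$Path = 'C:\ProgramData\Splashtop\Temp\log\FTCLog.txt'
    )
    # Search strings from the post, with what each one indicates.
    $indicators = [ordered]@{
        'Got client 1 spid'      = 'Remote party account (possible email)'
        'Got client 1 public IP' = 'Remote party public IP'
        'OnUploadRequest'        = 'File uploaded to this host'
        'DownloadRequest'        = 'File downloaded from this host'
    }
    # Assumed value formats (not documented in the post): best-effort extraction only.
    $emailRx = '[\w.+-]+@[\w-]+(?:\.[\w-]+)+'
    $ipv4Rx  = '\b(?:\d{1,3}\.){3}\d{1,3}\b'

    foreach ($needle in $indicators.Keys) {
        # -SimpleMatch treats the needle literally rather than as a regex.
        Select-String -Path $Path -Pattern $needle -SimpleMatch | ForEach-Object {
            $line = $_.Line
            $value = switch ($needle) {
                'Got client 1 spid'      { [regex]::Match($line, $emailRx).Value }
                'Got client 1 public IP' { [regex]::Match($line, $ipv4Rx).Value }
                default                  { $null }
            }
            [PSCustomObject]@{
                LineNumber = $_.LineNumber
                Indicator  = $indicators[$needle]
                Extracted  = $value
                Line       = $line.Trim()
            }
        }
    }
}

# Usage: every hit, in file order
#   Search-SplashtopFtcLog | Sort-Object LineNumber | Format-Table -AutoSize
# Usage: just the distinct accounts / IPs seen, from a collected copy of the log
#   Search-SplashtopFtcLog -Path 'D:\case01\FTCLog.txt' |
#       Where-Object Extracted | Group-Object Indicator, Extracted | Select-Object Count, Name
```

Grouping on the extracted value is the useful view for reporting: it collapses repeated connections into the set of distinct accounts and public IPs that touched the endpoint, which is what you would hand to the client or to Splashtop.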
Conclusion
What a powerful remote access tool! Hopefully, some of this information has been useful to you to understand the product or in your DFIR investigation :)