Closed mrleepk closed 1 week ago
Hey @mrleepk 👋 thanks for the contribution. Can you please provide evidence of this? Maybe a link to docs or a blog post talking about this, or even screenshots from your own lab.
Thanks in advance.
Hey @nasbench - I'm now thinking this may be due to version differences as I also see a trace file I had not before, "file_transfer_trace.txt". I'll cancel this merge and do some more testing, but here are screenshots from my lab:
Take a look at the ref https://www.synacktiv.com/publications/legitimate-rats-a-comprehensive-forensic-analysis-of-the-usual-suspects.html I also think it's a version thing.
Thanks.
Updated the connection_trace.txt information as it incorrectly stated that the remote IP address would be shown in this log. Only the remote ID is shown in this file. Also updated it to show the additional two entries that may be visible, REJECTED and Token. Also, removed the entries regarding connection_trace.txt being in the %APPDATA% folder, as it is only in the %PROGRAMDATA% directory.
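A quick triage script for the artifact described in this PR, added here as an example; it is not code from the PR, the contributor, or the project. It assumes only what the thread states: connection_trace.txt lives somewhere under %PROGRAMDATA% (the exact subdirectory is not given, so it is searched recursively), %APPDATA% should not contain it, the file records remote IDs rather than remote IPs, and REJECTED and Token entries may appear. The IPv4 regex and the substring matching for the two entry types are my assumptions, used only as a sanity check for version differences like the one discussed above.

```powershell
# Added example, not part of the PR or the project it modifies.
# Assumptions: connection_trace.txt sits somewhere under %PROGRAMDATA% (subdirectory
# unknown, so the search is recursive); REJECTED / Token entries are matched by plain
# substring; an IPv4-looking string is treated as a hint of a different product version.
param(
    [string]$Root = $env:ProgramData
)

# The thread says the file is only under %PROGRAMDATA%; %APPDATA% is checked only to
# confirm that nothing is there on this host.
$files = Get-ChildItem -Path $Root -Filter 'connection_trace.txt' -Recurse -File -ErrorAction SilentlyContinue
$stray = Get-ChildItem -Path $env:APPDATA -Filter 'connection_trace.txt' -Recurse -File -ErrorAction SilentlyContinue
if ($stray) {
    Write-Warning "connection_trace.txt unexpectedly present under %APPDATA%: $($stray.FullName -join ', ')"
}
if (-not $files) {
    Write-Output "No connection_trace.txt found under $Root"
    return
}

foreach ($f in $files) {
    Write-Output "== $($f.FullName) (last write $($f.LastWriteTimeUtc.ToString('u')) UTC)"

    # Hash before reading so the collected copy can be verified against the original later.
    Write-Output "SHA256: $((Get-FileHash -Path $f.FullName -Algorithm SHA256).Hash)"

    $lines = @(Get-Content -Path $f.FullName -ErrorAction SilentlyContinue)
    Write-Output ("{0} line(s) total" -f $lines.Count)

    # Per the PR, only the remote ID is logged, never the remote IP. Anything that looks
    # like an IPv4 address suggests a different version than the one documented.
    $ipLike = @($lines | Select-String -Pattern '\b\d{1,3}(\.\d{1,3}){3}\b')
    if ($ipLike.Count -gt 0) {
        Write-Output ("Note: {0} line(s) contain IPv4-looking strings; possible version difference" -f $ipLike.Count)
    }

    # Count and print the two additional entry types the PR documents.
    foreach ($kind in 'REJECTED', 'Token') {
        $hits = @($lines | Select-String -Pattern $kind -SimpleMatch -CaseSensitive)
        Write-Output ("{0,-9} entries: {1}" -f $kind, $hits.Count)
        foreach ($h in $hits) { Write-Output "    $($h.Line)" }
    }
}
```

Run it from an elevated prompt on the host (or point -Root at a mounted image's ProgramData directory); the hash line is there so the output can be tied to the exact file that was examined when comparing results across product versions.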