Computer on my network has been RATed. What do i do now?

Hi, I’m working IT at a school and one of my teachers has described that their computer has been compromised to give remote control access. I’ve removed it from the network and am letting the anti-virus scan, but I’m wondering what I should do if the anti-virus fails to find anything. What should my next steps be?

You are working IT for a school and this is the first time you think about what to do if the inevitable situation arises that someone has malware? Do you have any vulnerable software running: Citrix, Active Directory, Outlook?

We have Active Directory

It is certainly a target, and it gets compromised on a regular basis. How often is it receiving security patches?

It receives the regularly scheduled security patches

Is the schedule longer than a week?

The computer that was infected wasn’t a domain-controlled computer, and this occurred after a long weekend when the computer was taken home. I assume they picked something up outside of work and brought it back with them, but I can’t verify that.

Daily at 2am

It does not matter if it was domain-controlled, as long as it is on the same network and the malware could have had access. This software, historically, has more holes than Swiss cheese. It is hard to say. Either this was the only infected device, or, if it was sophisticated malware, you can mark the whole network as compromised. Your actions will depend on the threat level you see: is sensitive information handled on this network or not? Are firewalls for incoming traffic active on the other devices?

I am not a big Windows person currently, and you should maybe wait for more input. If I had malware on my personal computer, I would put all the data I want to keep in a storage pool, reinstall all computers, and scan the data with at least one run of ClamAV and one run of Microsoft Defender before playing it back onto the systems.

Yeah, the nuclear option was what I was thinking, but I guess I needed to know how far I should go and whether there was a more surgical option.

This I do not know to be honest!

If it’s a remote access trojan that has been used, then there may be other persistence mechanisms left behind after the intrusion.

Check all accounts on the system for increased or unassigned privileges and change all logon credentials.

Check for new scripts added after the date of the intrusion.

Check the cron job list for sleeping tasks.

Check the history logs if they haven’t been deleted.

Create a new private SSH keypair for each account if you have them set up.

Anyone else want to chime in on where to look and what files to check?
I’m new to the offsec stuff and even newer to Linux, so this ^^ may not be complete.


They could have left it unsupervised in a classroom where a clever student decided to help themselves with a rubber ducky, … or it could be their own family member doing something fishy for whatever reason.

Either way, since it’s unlikely you’re dealing with “nation states” (unless that teacher has a spouse/sibling/child/parent… who might be doing something interesting), I’m guessing a simple erase/reinstall is enough. No need to discard the hardware entirely or put the machine through an industrial shredder.

(Industrial shredder is what some companies do when faced with this kind of thing, including mine).

Yeah, I was assuming that if someone had access and was conspicuous enough to have been noticed, they probably aren’t a huge threat to the whole network and are probably some script kiddie, but I don’t want to be under-cautious.

Now that that computer’s data is nuked, what should I be doing to ensure that no other computers are affected? Our antivirus scan didn’t find any issues, so I can’t rely on that to tell me that our network is fine.

It would probably be helpful to know what the RAT-like behaviour was.

Webcam light flickering/on?
Malicious personal account activity after using this device?
Unexpected payment card charges after buying something on this device?
Mouse/text cursor moving unexpectedly?

My first guess would probably be to somehow watch it via packet capture (Wireshark?) and see if it is sending data unusually.

Remote mouse control and a dialog box with the option of “show desktop” is what was described to me.

That sounds sufficiently inept on the attacker’s part that it could be some simple or even quasi-legitimate remote control software; I would check the add/remove software list and all of the Windows startup items (startup shortcut folders, msconfig; I think Task Manager might even list some of these) and maybe services (run services.msc) as well.

I am not even a part-time Windows user though, so take your grain of salt.
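The Windows checks suggested in this post, together with the persistence checklist a few posts up (accounts with new privileges, scheduled tasks standing in for cron, new scripts, installed programs, startup items, services), collected into one triage script. This is an added example, not code from anyone in the thread. It assumes it is run in an elevated PowerShell session on the suspect machine before it is wiped; `$Since` is a placeholder for the start of the long weekend and must be set to the real date. All paths and registry keys are standard Windows locations.

```powershell
# Added example: triage of the usual Windows persistence locations after a suspected RAT.
# Run elevated, on the isolated machine, BEFORE reinstalling. Output is a list to review
# by eye, not a verdict: legitimate software (AV, printer drivers) also lives outside C:\Windows.
$Since = (Get-Date).AddDays(-4)   # ASSUMPTION: set to the start of the long weekend

Write-Host "`n== Members of the local Administrators group =="
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource, ObjectClass

Write-Host "`n== Local accounts (watch for new or unexpectedly enabled ones) =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon, PasswordLastSet

Write-Host "`n== Scheduled tasks created or changed since $Since (cron equivalent) =="
Get-ChildItem -Path "$env:SystemRoot\System32\Tasks" -Recurse -File |
    Where-Object LastWriteTime -ge $Since |
    Select-Object FullName, LastWriteTime

Write-Host "`n== Scheduled tasks whose action runs something outside the Windows directory =="
Get-ScheduledTask | ForEach-Object {
    $task = $_
    $task.Actions | ForEach-Object {
        [pscustomobject]@{
            Task      = $task.TaskPath + $task.TaskName
            Execute   = $_.Execute
            Arguments = $_.Arguments
        }
    }
} | Where-Object { $_.Execute -and $_.Execute -notmatch '^(%SystemRoot%|%windir%|C:\\Windows)' }

Write-Host "`n== Run / RunOnce autostart keys =="
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (Test-Path $key) {
        Write-Host $key
        Get-ItemProperty -Path $key | Select-Object -Property * -ExcludeProperty PS*
    }
}

Write-Host "`n== Startup folders =="
@("$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
  "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") |
    ForEach-Object { Get-ChildItem -Path $_ -Force -ErrorAction SilentlyContinue }

Write-Host "`n== Services whose binary is not under C:\Windows =="
Get-CimInstance Win32_Service |
    Where-Object { $_.PathName -and $_.PathName -notmatch 'C:\\Windows\\' } |
    Select-Object Name, State, StartMode, PathName

Write-Host "`n== Installed programs (what Add/Remove Programs shows), newest first =="
# Look here for remote-control tools the teacher did not install themselves.
$uninstallKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object DisplayName |
    Select-Object DisplayName, DisplayVersion, InstallDate, Publisher |
    Sort-Object InstallDate -Descending

Write-Host "`n== Executables and scripts written since $Since in user-writable locations =="
# The "check for new scripts added after the intrusion" step from the checklist above.
Get-ChildItem -Path $env:USERPROFILE, $env:ProgramData, $env:TEMP -Recurse -Force `
    -Include *.exe, *.dll, *.ps1, *.bat, *.cmd, *.vbs, *.js, *.hta -ErrorAction SilentlyContinue |
    Where-Object LastWriteTime -ge $Since |
    Select-Object FullName, LastWriteTime, Length
```

Save the output to a file on removable media rather than on the suspect disk, so it survives the reinstall and can be compared against the same script run on other machines on the network. Anything found here is a lead for the event-log hunt, not proof on its own.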

You nuked the computer?
So you have no idea how it was accessed?
That’s a shame, as you could have just air-gapped it and taken your time looking through the logs to find out what was done and how.

So, for next time :confused:

User history logs should be saved periodically.
Without the logs you will have no way of knowing if they pivoted off your system onto the rest of the network,
or what exploits they used to access the system in the first place.

As for the rest of the network, again the logs are something you will have to dig through, same with the cron jobs, access permissions and logins.

Good hunting…


Perhaps, try to get a timeframe from the user to know where to start hunting through those Event Viewer logs.
At least as an infrequent Windows user, hunting through those Event Viewer logs is a pain, best reduced in duration. :wink:

So what would I be looking for in the event logs? I did review them (googling every event within that time frame), but nothing stood out as being suspicious.
Is there a course on what to do in this event that would show me the process of hunting for network vulnerabilities?
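Following on from the suggestion above to narrow the Event Viewer hunt to the user’s time frame, here is an added example of what to pull from the logs rather than googling every event. It is not from any participant in the thread. It assumes an elevated session on a Windows workstation whose logs were not cleared; `$Start` and `$End` are placeholders for the long weekend. The event IDs are standard Windows IDs; which of them actually appear depends on the audit policy in force on the machine (account-management and process-creation auditing are not always enabled on a non-domain workstation).

```powershell
# Added example: the Security, System and RDP events most relevant to a remote-control
# compromise, filtered to the reported time window. Event IDs are standard Windows ones.
$Start = (Get-Date).AddDays(-5)   # ASSUMPTION: set to the start of the long weekend
$End   = Get-Date                  # ASSUMPTION: set to when the machine was pulled off the network

# Read a named EventData field from the event XML. More robust than positional
# $event.Properties[n] indexes, which differ between event IDs and Windows versions.
function Get-EventField {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-Events {
    param([string]$LogName, [int[]]$Id)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $Start; EndTime = $End } `
        -ErrorAction SilentlyContinue   # suppresses the "No events were found" error
}

Write-Host "`n== 1. Logons (4624) and failed logons (4625) =="
# LogonType 10 = RDP, 3 = network (SMB/WinRM/PsExec), 2 = interactive at the keyboard.
# A type 10 or type 3 logon from an unknown address during the weekend is the strongest lead.
Get-Events -LogName Security -Id 4624, 4625 | ForEach-Object {
    [pscustomobject]@{
        Time      = $_.TimeCreated
        Id        = $_.Id
        User      = Get-EventField $_ 'TargetUserName'
        LogonType = Get-EventField $_ 'LogonType'
        SourceIP  = Get-EventField $_ 'IpAddress'
        Process   = Get-EventField $_ 'ProcessName'
    }
} | Where-Object { $_.LogonType -in '3', '10' -or $_.Id -eq 4625 } | Format-Table -AutoSize

Write-Host "`n== 2. Account and persistence changes in the Security log =="
# 4720 user account created, 4732 member added to a local group (e.g. Administrators),
# 4698 scheduled task created, 1102 audit log cleared (an attacker covering tracks).
Get-Events -LogName Security -Id 4720, 4732, 4698, 1102 |
    Select-Object TimeCreated, Id, Message | Format-List

Write-Host "`n== 3. System log: new services (7045) and log clearing (104) =="
# Many RATs and remote-control tools install themselves as a service.
Get-Events -LogName System -Id 7045, 104 | ForEach-Object {
    [pscustomobject]@{
        Time   = $_.TimeCreated
        Id     = $_.Id
        Detail = if ($_.Id -eq 7045) {
                     (Get-EventField $_ 'ServiceName') + ' -> ' + (Get-EventField $_ 'ImagePath')
                 } else { $_.Message }
    }
} | Format-Table -AutoSize -Wrap

Write-Host "`n== 4. RDP session events (recorded even when Security auditing is sparse) =="
# 21 session logon succeeded, 22 shell start, 24 session disconnected, 25 session reconnected.
Get-Events -LogName 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational' -Id 21, 22, 24, 25 |
    Select-Object TimeCreated, Id, Message | Format-List

Write-Host "`n== 5. Process creation (4688), only present if process-creation auditing is enabled =="
Get-Events -LogName Security -Id 4688 | ForEach-Object {
    [pscustomobject]@{
        Time    = $_.TimeCreated
        Parent  = Get-EventField $_ 'ParentProcessName'
        Process = Get-EventField $_ 'NewProcessName'
    }
} | Where-Object { $_.Process -notmatch '^C:\\Windows\\' } | Format-Table -AutoSize
```

The same script run with the same window on the other machines in the building is the practical answer to “is the rest of the network affected”: a type 3 logon on a second machine sourced from the teacher’s laptop, or a 7045 on a machine that had no software changes scheduled, is what a pivot looks like in the logs. Note that the remote-control dialog the teacher described could equally come from a quasi-legitimate tool, which typically shows up as a 7045 service install or in the installed-programs list rather than as a suspicious logon.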