
Web monitor rat









One of the things I really like about digging into the Registry is the amount of information that is available, often times even after a user or intruder has taken “antiforensics” steps in order to hide their activities. Often users and intruders will take steps to cover their tracks and remove indications of their activities without realizing that their interactions with the operating system (and often times, with applications) are being “recorded” automatically.

For example, I was examining a system about a year ago which had been found to be infected with a particular variant of a remote access Trojan (RAT). This particular RAT variant is usually installed as a Windows service, allowing the intruder to access the system with privileges greater than that of the system administrator. Further, this particular bit of malware is most often assumed to be installed via a “spearphishing” e-mail, in which the user is enticed to click on a link or malicious document, resulting in the installation of the RAT. In this particular case, Registry artifacts revealed that the RAT had been installed as a result of someone with physical access to the system plugging a USB thumb drive into the system (it was mounted as the E:\ volume) and launching an installer application.


Harlan Carvey, in Windows Registry Forensics (Second Edition), 2016 Remnants









