Hi, are there any tell-tale sign of a RAT/Trojan activation? Is it all possible to conclude that there has been no such initiation or compromisation?
Found various RATs on Windows machine but am unsure if they ever kicked into action.
Sincere thanks to anyone who can shed any light on this.
Yes, there are signs…indications of execution, possibly Prefetch files or entries in Prefetch files, entries in the AppCompatCache value, references in AutoStart locations, etc. They tend to vary, depending upon the RAT or Trojan.
Thanks. Can one be certain that the Trojan was not executed if there are not such indications?
Again, depends on the Trojan, and the examiner.
Two years ago, I found a malicious DLL on a system that four commercial AV products didn't find. We could *assume* that it had run, but we didn't know for sure. We ran it on a test system to see what artifacts it left…nothing in the Registry, nothing in the file system…it collected its info and sent it out over the wire immediately. We found artifacts of this in the pagefile within the original image.
Locard's Exchange Principle tells us that a program running on a system should leave artifacts…they may be transient, but they will be there. I've looked in hibernation files, crash dump logs, even parsed Event Log records from unallocated space to determine if malware had executed on a system.
One thing I would suggest is creating a timeline, categorizing the various events (i.e., "Program Execution", etc.) and see what you find out.
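To illustrate the categorised timeline suggested above, here is an added example (not code from anyone in this thread) that normalises constructed Prefetch, AppCompatCache and Run-key records into one sorted timeline and pulls out the entries that directly indicate execution of a given binary. All artifact values are made up for the example.

```python
"""Added example: build a categorised execution timeline from constructed
artifact records. Every sample value below is invented, not from a real case."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Event:
    ts: datetime      # UTC timestamp taken from the artifact
    category: str     # e.g. "Program Execution", "AutoStart", "File Presence"
    source: str       # artifact the event was recovered from
    detail: str       # human-readable description


# Constructed sample artifacts. Prefetch entries carry last-run times and a run
# count (direct execution evidence). AppCompatCache entries carry only the file's
# last-modified time: they show the file was present, and on newer Windows
# versions do not by themselves prove it ran. Run-key entries carry the key's
# last-write time and show persistence was configured.
PREFETCH = [("SVCHOST.EXE", ["2023-03-01T09:00:00Z"], 12),
            ("UPDATER.EXE", ["2023-03-02T13:15:00Z", "2023-03-03T08:02:00Z"], 2)]
APPCOMPAT = [("C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "2023-03-02T13:14:30Z")]
RUNKEY = [("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater",
           "C:\\Users\\bob\\AppData\\Roaming\\updater.exe", "2023-03-02T13:14:45Z")]


def _ts(text):
    """Parse an ISO-8601 UTC timestamp string into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_timeline():
    """Normalise all artifact records into Events and sort them by time."""
    events = []
    for exe, runs, count in PREFETCH:
        for run in runs:
            events.append(Event(_ts(run), "Program Execution", "Prefetch",
                                f"{exe} (run count {count})"))
    for path, mtime in APPCOMPAT:
        events.append(Event(_ts(mtime), "File Presence", "AppCompatCache", path))
    for key, cmd, last_write in RUNKEY:
        events.append(Event(_ts(last_write), "AutoStart", "Registry Run key",
                            f"{key} -> {cmd}"))
    return sorted(events, key=lambda e: e.ts)


def execution_evidence(timeline, name):
    """Return only the events that directly indicate `name` was executed."""
    needle = name.lower()
    return [e for e in timeline
            if e.category == "Program Execution" and needle in e.detail.lower()]
```

Reading the sorted output, the file appearing in AppCompatCache and the Run key shortly before the first Prefetch run time is the kind of sequence a timeline makes visible that the individual artifacts do not.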