“DC03 shows it’s clean.”
That was the word when I took over during a recent cyberattack incident. During this cyberattack, accounts were created, data was encrypted, GPOs were created and modified, SMTP relays were set up. This was a very sophisticated attack. On the other hand, the domain controller in question had been scanned with not one, but two mainstream antivirus products AND a standalone cleaning tool. The dilemma is that this was the last domain controller standing. There were no backups.
It just seemed too easy. I decided to have a second glance. I had already set up my firewall to embargo the Internet and do some analysis. A quick look at my firewall showed that “DC03” was still trying to access the Internet. Some Internet access is to be expected in the age of the cloud, but this seemed excessive. I had a hunch.
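One way to turn the "excessive Internet access" hunch into a repeatable check, as an added example that is not part of the original post: summarise a host's outbound connections to non-RFC1918 addresses and flag it when the destination count or the ports (outbound SMTP from a domain controller, for instance) are out of line. The log format, the host address 10.0.0.3, the sample lines and the expected-port list are all constructed assumptions.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log (not from the original post):
# timestamp action src_ip dst_ip dst_port
FIREWALL_LOG = """\
2024-05-01T10:00:01 ALLOW 10.0.0.3 10.0.0.20 445
2024-05-01T10:00:05 DENY 10.0.0.3 203.0.113.10 443
2024-05-01T10:00:06 DENY 10.0.0.3 203.0.113.10 443
2024-05-01T10:00:09 DENY 10.0.0.3 198.51.100.7 8080
2024-05-01T10:00:12 ALLOW 10.0.0.3 10.0.0.21 389
2024-05-01T10:00:15 DENY 10.0.0.3 198.51.100.7 8080
2024-05-01T10:00:18 DENY 10.0.0.3 192.0.2.55 25
2024-05-01T10:00:20 DENY 10.0.0.3 192.0.2.55 25
2024-05-01T10:00:22 DENY 10.0.0.3 192.0.2.56 25
2024-05-01T10:00:30 DENY 10.0.0.50 203.0.113.10 443
"""

# Address space we treat as "inside" (RFC1918 plus loopback/link-local).
# Listed explicitly because ipaddress.is_private also covers the TEST-NET
# documentation ranges used in the sample above.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def egress_summary(log_text, host_ip, expected_ports=(80, 443), max_destinations=2):
    """Summarise host_ip's connection attempts to external addresses.

    expected_ports / max_destinations are assumed baselines for a server that
    should only talk to a handful of known cloud endpoints over HTTP(S).
    """
    attempts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _action, src, dst, port = line.split()
        # Internal traffic (SMB, LDAP, replication) is normal for a DC; skip it
        if src != host_ip or is_internal(dst):
            continue
        attempts.append((dst, int(port)))
    by_dest = Counter(attempts)
    unexpected = sum(1 for _dst, port in attempts if port not in expected_ports)
    return {
        "total_attempts": len(attempts),
        "distinct_destinations": len(by_dest),
        "unexpected_port_attempts": unexpected,
        "by_destination": dict(by_dest),
        "flagged": len(by_dest) > max_destinations or unexpected > 0,
    }
```

Run against the sample, the DC at 10.0.0.3 is flagged (seven external attempts to four destinations, five of them on ports 25 and 8080), while the workstation at 10.0.0.50 with a single HTTPS attempt is not.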
What do you do if you think a system is compromised and don’t trust what the AV is telling you?
Find out with our technical guide on how to find ransomware-infected machines!