Forensic investigation for suspected RDP, RustDesk, AnyDesk, VPN, or remote-access compromise. We review logons, remote sessions, persistence, privilege escalation, and ransomware staging activity.
Disconnect exposed RDP or remote tools from the internet while preserving logs and configuration.
Do not uninstall RustDesk, AnyDesk, or remote tools until IDs, logs, and persistence settings are captured.
Rotate administrator, VPN, domain, SQL, and backup credentials from a clean device.
Restoring systems before containment can leave clean systems to be re-encrypted. The first pass is designed to preserve evidence, identify the entry point, confirm whether access is still active, and only then rebuild or restore.
Review Windows event IDs, successful and failed logons, source IPs, account usage, and off-hours access.
Check RustDesk/AnyDesk IDs, service installs, config files, session history, and unattended access settings.
Inspect new users, scheduled tasks, services, startup folders, GPO changes, and local admin membership.
Trace SMB, RDP, PowerShell, PsExec, admin shares, and credential usage across servers and workstations.
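The logon review above (event IDs, failed and successful logons, source IPs, off-hours access) can be scripted once the Security log has been exported. The following is an added example, not the service's own tooling: it assumes events 4624 (successful logon) and 4625 (failed logon) have been exported to JSON lines with the field names used below, and the sample records are constructed, not real logs. It flags off-hours RDP logons, successful logons from non-RFC1918 addresses, and a burst of failures from one source followed by a success, and summarizes activity per account.

```python
"""Triage of exported Windows Security logon events (4624 success, 4625 failure).

Added example with constructed data. Assumed export format: one JSON object per
line with EventID, Time (ISO 8601, local time), Account, SourceIP, LogonType.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. LogonType 10 = RemoteInteractive (RDP),
# 3 = Network (SMB/WinRM style), 2 = Interactive (console).
SAMPLE_EVENTS = """\
{"EventID":4625,"Time":"2024-05-03T02:11:04","Account":"administrator","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4625,"Time":"2024-05-03T02:11:09","Account":"administrator","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4625,"Time":"2024-05-03T02:11:15","Account":"administrator","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4625,"Time":"2024-05-03T02:11:20","Account":"backup","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4625,"Time":"2024-05-03T02:11:26","Account":"backup","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4624,"Time":"2024-05-03T02:12:40","Account":"backup","SourceIP":"203.0.113.7","LogonType":10}
{"EventID":4624,"Time":"2024-05-03T09:05:00","Account":"jsmith","SourceIP":"10.0.0.25","LogonType":10}
{"EventID":4624,"Time":"2024-05-03T14:30:00","Account":"jsmith","SourceIP":"10.0.0.25","LogonType":2}
{"EventID":4624,"Time":"2024-05-03T23:48:10","Account":"svc_sql","SourceIP":"10.0.0.9","LogonType":3}
"""

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def load_events(text):
    """Parse JSON lines into event dicts with Time as datetime, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["Time"] = datetime.fromisoformat(ev["Time"])
        events.append(ev)
    return sorted(events, key=lambda e: e["Time"])


def off_hours_remote_logons(events, start_hour=7, end_hour=19):
    """Successful RDP (LogonType 10) logons outside the business window."""
    return [e for e in events
            if e["EventID"] == 4624 and e["LogonType"] == 10
            and not (start_hour <= e["Time"].hour < end_hour)]


def external_successful_logons(events):
    """Successful logons whose source address is not in an RFC1918 range,
    a sign that the service was reachable from the internet."""
    def is_internal(ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in RFC1918)
    return [e for e in events if e["EventID"] == 4624 and not is_internal(e["SourceIP"])]


def failures_then_success(events, threshold=5, window=timedelta(minutes=10)):
    """Per source IP: at least `threshold` failed logons within `window`
    before a successful logon (password guessing that eventually worked)."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["SourceIP"]].append(e)
    hits = []
    for ip, evs in by_ip.items():
        failure_times = []
        for e in evs:  # already time-ordered from load_events
            if e["EventID"] == 4625:
                failure_times.append(e["Time"])
            elif e["EventID"] == 4624:
                recent = [t for t in failure_times if e["Time"] - t <= window]
                if len(recent) >= threshold:
                    hits.append({"SourceIP": ip, "Account": e["Account"],
                                 "Failures": len(recent), "SuccessTime": e["Time"]})
    return hits


def summarize_by_account(events):
    """Counts of successes/failures and the set of source IPs per account."""
    summary = defaultdict(lambda: {"successes": 0, "failures": 0, "sources": set()})
    for e in events:
        key = "successes" if e["EventID"] == 4624 else "failures"
        summary[e["Account"]][key] += 1
        summary[e["Account"]]["sources"].add(e["SourceIP"])
    return dict(summary)


if __name__ == "__main__":
    evs = load_events(SAMPLE_EVENTS)
    print("Off-hours RDP logons:", [(e["Account"], e["Time"].isoformat()) for e in off_hours_remote_logons(evs)])
    print("External successful logons:", [(e["Account"], e["SourceIP"]) for e in external_successful_logons(evs)])
    print("Failure burst then success:", failures_then_success(evs))
    for acct, s in summarize_by_account(evs).items():
        print(acct, s["successes"], "ok /", s["failures"], "failed, from", sorted(s["sources"]))
```

The business-hours window and the failure threshold are starting points to tune per environment; the same functions apply unchanged to a real export as long as the field names match.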
Close exposed services, revoke remote tool access, rotate credentials, and enforce MFA where possible.
Use clean management workstations, least privilege, audited remote access, and segmented administrator workflows.
Enable alerting for suspicious logons, new remote tools, credential misuse, and off-hours privileged activity.
These artifacts help determine entry point, blast radius, recovery confidence, and whether regulatory reporting is required.