A PowerShell script to scan your Windows computer for potential Remote Access Trojans (RATs). This script checks for suspicious processes, unusual network connections, new files in common locations, unusual scheduled tasks, and startup items.
- Suspicious Processes: Identifies processes that could potentially be RATs.
- Unusual Network Connections: Checks for unexpected connections that might indicate unauthorized access.
- New Files: Scans for newly created files in common directories.
- Unusual Scheduled Tasks: Detects scheduled tasks that may be used to maintain persistence.
- Unusual Startup Items: Identifies startup items that could be used to launch RATs on startup.
- Windows operating system
- PowerShell installed on your system
- Clone this repository to your local machine: `git clone https://github.com/odapplications/Remote-Access-Trojans-RATs-Checker.git`
- Navigate to the directory: `cd Remote-Access-Trojans-RATs-Checker`
- Put the `CheckForRATsWithLogging.ps1` file on the Desktop.
- Open PowerShell or Command Prompt.
- Run the following command, replacing `Shane` with your username: `powershell.exe -NoProfile -ExecutionPolicy Bypass -File "C:\Users\Shane\Desktop\CheckForRATsWithLogging.ps1"`
- Open a text editor.
- Copy and paste the code from the `CheckForRATsWithLogging.ps1` file in the repository.
- Make any necessary adjustments for personal use.
- Save the file with any desired name and change the file extension from `.txt` to `.ps1`.
- Follow the steps in Easy Mode, adjusting the file name and path as needed.
The script generates a log file (`CheckForRATsLog.txt`) on your Desktop. This log contains detailed information about the scan results. Below is an explanation of what to look for:
- Normal: Common system processes like `svchost.exe`, `explorer.exe`, `taskmgr.exe` running as expected.
- Suspicious: Multiple instances of these processes, especially if they are consuming high resources or associated with unknown executables.
- Normal: Connections to known and expected IP addresses.
- Suspicious: Connections to unknown or unusual IP addresses, especially from processes that shouldn't be connecting to the internet.
- Normal: Files created by legitimate applications or updates.
- Suspicious: Unexpected executable files in directories like `AppData` or `ProgramData`.
- Normal: Tasks created by the operating system or known applications.
- Suspicious: Tasks with unfamiliar names or those running unknown executables.
- Normal: Startup items associated with known software.
- Suspicious: Items pointing to unknown executables or those located in unusual directories.
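As an added example (not the repository's own script), the read-only PowerShell below implements the "Suspicious" conditions listed above as concrete checks: established connections owned by processes running outside trusted install roots, `svchost.exe` instances not loaded from System32, recently created executables under `AppData`/`ProgramData`, and Run-key startup entries pointing into user-writable folders. It assumes an elevated PowerShell session; the trusted-root and user-writable lists and the 7-day window are assumptions you may tune.

```powershell
# Added example: flags the "Suspicious" log conditions described above. Read-only.
# Assumes an elevated session so process paths and Get-NetTCPConnection resolve.
$trustedRoots = @("$env:SystemRoot\", "$env:ProgramFiles\", "${env:ProgramFiles(x86)}\")  # assumption
$userWritable = @("$env:LOCALAPPDATA\", "$env:APPDATA\", "$env:ProgramData\", "$env:TEMP\") # assumption

function Test-PathStartsWith([string]$Path, [string[]]$Roots) {
    foreach ($r in $Roots) {
        if ($Path -and $Path.StartsWith($r, [System.StringComparison]::OrdinalIgnoreCase)) { return $true }
    }
    return $false
}

# 1. Established connections whose owning process does not run from a trusted root
#    (processes with no readable path, e.g. System, are skipped rather than flagged)
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
  Where-Object { $_.RemoteAddress -notmatch '^(127\.|::1$|0\.0\.0\.0$)' } |
  ForEach-Object {
    $p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
    if ($p -and $p.Path -and -not (Test-PathStartsWith $p.Path $trustedRoots)) {
        [pscustomobject]@{Check='NetConn'; Name=$p.ProcessName; Pid=$p.Id; Path=$p.Path; Detail="$($_.RemoteAddress):$($_.RemotePort)"}
    }
  }

# 2. svchost.exe instances not launched from System32 (name masquerading)
Get-Process svchost -ErrorAction SilentlyContinue |
  Where-Object { $_.Path -and $_.Path -ne "$env:SystemRoot\System32\svchost.exe" } |
  ForEach-Object { [pscustomobject]@{Check='Masquerade'; Name=$_.ProcessName; Pid=$_.Id; Path=$_.Path; Detail=''} }

# 3. Executable content created in user-writable directories within the last 7 days
$since = (Get-Date).AddDays(-7)
Get-ChildItem -Path $userWritable -Recurse -File -Include *.exe,*.dll,*.ps1,*.vbs -ErrorAction SilentlyContinue |
  Where-Object { $_.CreationTime -gt $since } |
  ForEach-Object { [pscustomobject]@{Check='NewFile'; Name=$_.Name; Pid=''; Path=$_.FullName; Detail=$_.CreationTime.ToString('s')} }

# 4. Run-key startup entries whose command points into a user-writable directory
$runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run', 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    $props = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' } | ForEach-Object {
        $exe = [string]$_.Value -replace '^"([^"]+)".*', '$1'   # strip quotes and arguments
        if (Test-PathStartsWith $exe $userWritable) {
            [pscustomobject]@{Check='Startup'; Name=$_.Name; Pid=''; Path=$_.Value; Detail=$k}
        }
    }
}
```

Each finding is emitted as an object, so the script can be piped to `Export-Csv` to keep a log alongside `CheckForRATsLog.txt`; a hit is a lead to verify (signer, hash, parent process), not a verdict.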