The employee had taken the computer home; it was off-site and off-network during the attack.
Microsoft ATP logged every detail of it in real-time!
That's what I like about using Windows 10 Enterprise and Microsoft ATP: no matter where the computer is on the planet, if it has an internet connection (LTE, Wi-Fi, VPN, regular LAN, etc.), ATP is monitoring it in real time, calling home to Microsoft's cloud, and then alerting us from there.
The users like it because they don't have to learn Linux (no l33t required).
I looked at the contents of the .bat and .vbs and the command-line switches to the net.exe, cmd.exe and powershell that it was executing...
Whoever wrote this piece of software KNEW what they were doing.
It definitely hooked deep into the OS.
Definitely an experienced blackhat or state-actor.
They clearly had deep knowledge of the full list of archaic 32-bit sys32 executables.
(Either that or they were leveraging tools that other, smarter people wrote.)
They had added firewall rule exceptions for inbound proxified custom remote RDP over SSL, process escalation, admin side accounts, all-drive all-partition lookups, user lists, and sysinfo, keyloggers. (The list goes on...)
Your typical stage-1 backdoor + intel gathering.
I didn't waste time wading too deep into it really, I just ATP-isolated the machine while they were still at home.
Re-imaged it from bare metal when the employee arrived in the morning.
Added WinRAR to the blacklisted software.
They phoned and said, "My computer is broken," and I said, "I already know. It was hacked, I isolated it, see you in the AM."
Had I not been my security-paranoid self, and had we not been using Win10 Enterprise + ATP, this wouldn't have necessarily ended so happily.
Their next move probably would have been ransomware "all-the-things!"
Asking users to learn and use Linux is generally unrealistic.
85% of home and corporate desktops are Windows. 99% of gaming rigs are Windows.
Ignoring phones/tablets and IoT, you generally only see Linux used for servers, and by tech-oriented people for their desktops.
For example: every TOP500 supercomputer is Linux-based.
We use both Linux and Windows here.
I've seen both having multi-year uptimes (with ease).
Server-grade stuff is generally rock-solid (especially if you don't mess with it).
Installing software, changing settings and applying updates is generally when things break...
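The behaviour described in the incident above (a shell spawned from a .vbs/.bat, an inbound firewall exception for RDP, a new admin-side account, user listing, sysinfo) is exactly the kind of process-creation pattern an EDR rule set flags before isolating the host. As an added example, not code from the original post or from Microsoft ATP, here is a small Python triage pass over constructed process-creation events; the event lines, rule names and the isolate threshold are assumptions.

```python
import re

# Constructed (parent image, image, command line) process-creation events in the
# shape of Windows 4688 / Sysmon Event ID 1 records; sample data, not from the post.
SAMPLE_EVENTS = [
    ("explorer.exe", "winword.exe", "winword.exe report.docx"),
    ("wscript.exe", "cmd.exe", r"cmd.exe /c C:\Users\Public\stage1.bat"),
    ("cmd.exe", "netsh.exe", 'netsh advfirewall firewall add rule name="Remote Help" dir=in action=allow protocol=TCP localport=3389'),
    ("cmd.exe", "net.exe", "net user svc_helper Passw0rd! /add"),
    ("cmd.exe", "net.exe", "net localgroup administrators svc_helper /add"),
    ("cmd.exe", "net.exe", "net user"),
    ("cmd.exe", "systeminfo.exe", "systeminfo"),
    ("cmd.exe", "powershell.exe", "powershell -nop -w hidden -enc SQBFAFgA"),
    ("services.exe", "svchost.exe", "svchost.exe -k netsvcs"),
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# (rule name, command-line regex, required parent images or None). Names are assumptions.
RULES = [
    ("script host spawned a shell", r"^(cmd|powershell)(\.exe)?\b", SCRIPT_HOSTS),
    ("inbound firewall exception added", r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*\bdir=in\b", None),
    ("local account created", r"\bnet\s+user\s+\S+\s+\S+\s+/add\b", None),
    ("account added to Administrators", r"\bnet\s+localgroup\s+administrators\b.*\s/add\b", None),
    ("local user enumeration", r"^net\s+user\s*$", None),
    ("host reconnaissance", r"^systeminfo\b", None),
    ("hidden or encoded PowerShell", r"powershell.*(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b)", None),
]

def match_event(parent, cmdline):
    """Names of every rule this one event triggers (parent check first, then regex)."""
    return [name for name, pattern, parents in RULES
            if (parents is None or parent.lower() in parents)
            and re.search(pattern, cmdline, re.IGNORECASE)]

def triage(events, isolate_at=3):
    """Run the rules over one host's events and recommend isolation once enough
    distinct behaviours are seen. The threshold is an assumption for this example."""
    hits = [(i, name) for i, (parent, _image, cmd) in enumerate(events)
            for name in match_event(parent, cmd)]
    distinct = {name for _i, name in hits}
    return {"hits": hits, "distinct_rules": len(distinct),
            "recommend_isolate": len(distinct) >= isolate_at}

if __name__ == "__main__":
    for idx, name in triage(SAMPLE_EVENTS)["hits"]:
        print(f"event {idx}: {name}")
```

The benign Word and svchost events produce no hits, while the seven events matching the post's chain (script host to cmd, firewall rule, account creation and elevation, enumeration, sysinfo, hidden PowerShell) each trip one distinct rule and push the host over the isolate threshold.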