Remote Desktop Hack Investigation
- tomfregly
- May 4, 2018
- 1 min read
- Checked the server Remote Desktop port and found it moved from 3391 to 3389.
- Checked the antivirus, firewall and supplemental malware program (Malwarebytes). Ran Malwarebytes scan.
- Analyzed files, folders and event logs.
- Created document detailing times of accesses, critical events and the name of the Remote Desktop add-in responsible for the unauthorized access.
- Changed the server admin account name and password; disabled Remote Desktop access to the server.
- Discussed the particulars with company personnel including the timeline and techniques involved.
Note: this business used the two server remote desktop maintenance
connections for access by offsite employees. Passwords were not
sufficiently complex and access was hacked by an automated malware
exploit. The malware created a new user account and at that point a
live human was most likely alerted. A web browser was loaded, email
account created and used to create an ID for bank transfers.
Lesson: for starters, use complex passwords, and use a VPN for Remote Desktop
access if possible. Rogue access would then require hacking both
the VPN encryption key and a Windows password (unlikely).
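The event-log review and timeline document listed in the steps above, and the attack chain described in the note (repeated password guessing against the exposed Remote Desktop port, a successful logon, then a new user account), can be reconstructed mechanically. The script below is an added example, not part of the original post; the event records are constructed sample data in the shape of an exported Windows Security log (Event IDs 4625/4624/4720 and logon type 10 are real Windows values; the IP addresses, user names and times are made up).

```python
from collections import defaultdict

# Constructed sample of Windows Security events, as they might be exported from
# Event Viewer during the kind of review described above. Not real data.
# EventID 4625 = failed logon, 4624 = successful logon, 4720 = account created;
# LogonType 10 = RemoteInteractive (Remote Desktop).
SAMPLE_EVENTS = [
    {"time": "2018-05-01T02:13:04", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:13:05", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:13:06", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:13:07", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:13:08", "id": 4625, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:13:09", "id": 4624, "user": "administrator", "ip": "198.51.100.7", "type": 10},
    {"time": "2018-05-01T02:20:41", "id": 4720, "user": "svc_update", "ip": "-", "type": None},
    {"time": "2018-05-01T09:02:11", "id": 4624, "user": "jsmith", "ip": "203.0.113.21", "type": 10},
]

FAIL_THRESHOLD = 5  # failed RDP logons from one source before we call it password guessing


def build_timeline(events, threshold=FAIL_THRESHOLD):
    """Return (time, finding) tuples for the critical events, in time order."""
    events = sorted(events, key=lambda e: e["time"])  # ISO-8601 strings sort correctly
    failures = defaultdict(int)   # source IP -> failed RDP logons seen so far
    suspect_ips = set()           # sources that crossed the failure threshold
    compromised = False           # set once a suspect source logs in successfully
    findings = []
    for e in events:
        if e["id"] == 4625 and e["type"] == 10:
            failures[e["ip"]] += 1
            if failures[e["ip"]] == threshold:
                suspect_ips.add(e["ip"])
                findings.append((e["time"], f"password guessing against RDP from {e['ip']} ({threshold} failures)"))
        elif e["id"] == 4624 and e["type"] == 10 and e["ip"] in suspect_ips:
            compromised = True
            findings.append((e["time"], f"RDP logon as '{e['user']}' from {e['ip']} after repeated failures"))
        elif e["id"] == 4720 and compromised:
            # Account creation following a suspicious logon: the persistence step in the note
            findings.append((e["time"], f"new local account '{e['user']}' created after suspicious logon"))
    return findings


if __name__ == "__main__":
    for when, what in build_timeline(SAMPLE_EVENTS):
        print(when, what)
```

The legitimate offsite logon by `jsmith` produces no finding, so the output is only the three entries that belong in the incident document.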