Hey everyone, I've been digging for a few weeks trying to find out how software like 'ScreenConnect', 'Tactical Agent', and 'Admin Arsenal' got installed across my network without anyone knowing. I've already blocked the connections, but I'm really keen to trace back to the installation server. The event manager points to C:\temp, but I can't figure out how it got there. I've checked my Domain Controller and the file server, but no signs of these programs. I'm not great with Wireshark either. Any ideas on what steps I should take next?
4 Answers
Just a heads up, Admin Arsenal is actually the old name for PDQ Deploy/Inventory. They haven’t updated the installation folder name, so you'll still see that when looking for it.
If your network is domain-based, you can create Group Policies to block the installation and execution of these applications. Just to clarify, Admin Arsenal creates folders due to PDQ installations, so it could be linked to that if you have any automation set up to install or update TeamViewer.
You might want to try using Process Hacker to identify where Tactical is reaching out to, as it's likely hosted privately. As some others have already suggested, definitely check your GPO and any startup scripts for automated installs.
It sounds like an old admin might have set up a script to install this software. You could start by checking your group policies and Intune settings to see if anything looks suspicious. Since you're new to this, consider escalating the issue to someone more experienced or consulting a Managed Service Provider (MSP) for help.
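Added triage example (not posted by anyone in this thread): the checks suggested above (which process is reaching out and to where, plus services, scheduled tasks, installer events and GPO/startup scripts) collected into one PowerShell script to run elevated on an affected machine. The name patterns are plain substring matches for the tools named in the question, plus `MeshAgent`, which is assumed to be a likely component of a Tactical install; `C:\temp` comes from the question. The GroupPolicy module and SYSVOL search only work from a domain-joined host with RSAT, and the 4688 query only returns rows if process creation auditing is enabled.

```powershell
# Defender triage for unknown RMM agents on a Windows host. Added example; run elevated.
# Assumptions: PowerShell 5.1+; patterns below are substring matches, not vendor signatures.
$patterns = 'ScreenConnect', 'Tactical', 'Admin Arsenal', 'PDQ', 'MeshAgent'   # MeshAgent: assumed Tactical component
$regex    = ($patterns | ForEach-Object { [regex]::Escape($_) }) -join '|'

# 1. Running processes whose name, path or command line matches one of the tools
$procs = Get-CimInstance Win32_Process |
    Where-Object { ($_.Name + ' ' + $_.ExecutablePath + ' ' + $_.CommandLine) -match $regex }
"--- Matching processes ---"
$procs | Select-Object ProcessId, Name, ExecutablePath, CommandLine | Format-List

# 2. Established connections owned by those processes (the "where is it reaching out to" check)
$pids = @($procs.ProcessId)
"--- Outbound connections of matching processes ---"
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $pids -contains $_.OwningProcess } |
    Select-Object OwningProcess, LocalAddress, RemoteAddress, RemotePort | Format-Table -AutoSize

# 3. Persistence: services and scheduled tasks referencing the tools
"--- Services ---"
Get-CimInstance Win32_Service |
    Where-Object { ($_.Name + ' ' + $_.DisplayName + ' ' + $_.PathName) -match $regex } |
    Select-Object Name, State, StartMode, PathName | Format-Table -AutoSize
"--- Scheduled tasks ---"
Get-ScheduledTask |
    Where-Object { ($_.TaskName + ' ' + ($_.Actions.Execute -join ' ')) -match $regex } |
    Select-Object TaskName, TaskPath, State | Format-Table -AutoSize

# 4. How it got there: Windows Installer events (Application log, provider MsiInstaller).
#    1033 = product installed, 11707 = installation completed; UserId is the account that ran it.
"--- MSI install events ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'MsiInstaller'; Id = 1033, 11707 } `
    -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match $regex } |
    Select-Object TimeCreated, UserId, Message | Format-List

# 5. Process creation audits (Security 4688) for anything launched from C:\temp.
#    Returns nothing unless "Audit Process Creation" is enabled; the parent process field
#    in these events is what usually reveals the installing agent or script.
"--- 4688 events launching from C:\temp ---"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688 } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'C:\\temp' } |
    Select-Object -First 20 TimeCreated, Message | Format-List

# 6. Domain side: GPO reports and SYSVOL scripts that mention the tools (needs RSAT GroupPolicy module).
if (Get-Module -ListAvailable -Name GroupPolicy) {
    "--- GPOs mentioning the tools ---"
    Get-GPO -All | ForEach-Object {
        $xml = Get-GPOReport -Guid $_.Id -ReportType Xml
        if ($xml -match $regex) { $_.DisplayName }
    }
}
if ($env:USERDNSDOMAIN) {
    "--- SYSVOL scripts mentioning the tools ---"
    Get-ChildItem "\\$env:USERDNSDOMAIN\SYSVOL" -Recurse -Include *.ps1, *.bat, *.cmd, *.vbs -ErrorAction SilentlyContinue |
        Select-String -Pattern $regex -List | Select-Object Path, LineNumber, Line
}
```

Steps 4 and 5 are the ones that answer the "how did it get to C:\temp" question: the MSI event tells you which account performed the install, and the 4688 parent process (or the lack of any 4688 rows, meaning auditing was off) tells you whether a deployment agent, a logon script, or an interactive session dropped the files.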
I checked the GPO, but nothing seems off.
We're still using AnyDesk and TeamViewer sometimes, but these others are completely unknown to me.