What is a Remote Access Trojan or RAT

Remote Access Trojans (RATs) are a type of malware threat that lets a hacker take control of your computer. Once the RAT is installed, the hacker's spying activities can range from exploring your file system and watching activity on the screen to harvesting login credentials.

The hacker might also be using your internet address as a front for illegal activities, impersonating you, and attacking other computers. Viruses downloaded through a RAT will infect other computers, while also causing damage to your system by erasing or encrypting essential software. RATs should not be confused with Remote Administration Tools, which share the same acronym.

Here is our list of the best intrusion detection tools for RAT software, scanners & detection tools:

  1. SolarWinds Security Event Manager (EDITOR’S CHOICE): Goes beyond RAT detection with automated remediation tasks that help you block RAT activities and review suspicious behavior on your entire network. Download a 30-day free trial.
  2. Snort: Industry stalwart in NIDS first launched by Cisco.
  3. OSSEC: Open-source HIDS gaining a following for data gathering capabilities.
  4. Zeek: Free network-based intrusion detection system for Unix, Linux, and Mac OS.
  5. Suricata: Monitors IP, TLS, TCP, and UDP protocol activity.
  6. Sagan: Not a standalone intrusion detection system, good for automating scripts.
  7. Security Onion: Open-source amalgamation of other open-source tools on this list.
  8. AIDE: Specializes in rootkit detection and file signature comparisons.
  9. OpenWIPS-NG: Preferred for wireless packet sniffing.
  10. Samhain: Great for setting alerts, but no real troubleshooting capabilities.
  11. Fail2ban: Scans log files and bans IPs that show malicious activity.

RAT software tools and APTs

RATs are tools that are usually used in a stealth type of hacker attack, which is called an Advanced Persistent Threat, or APT. This type of intrusion is not focused on damaging information or raiding computers quickly for data.

Instead, APTs consist of regular visits to your network that can last for years. RATs can also be used to reroute traffic through your company network to mask illegal activities.

Did You Know…

Some hacker groups, predominantly in China, have even created a hacker network that runs through the corporate networks of the world and they rent out access to this cybercrime highway to other hackers. This is called the “terracotta VPN” and it is facilitated by RATs.

Early invasions

RATs have quietly been around for more than a decade. The technology was discovered to have played a part in the extensive looting of US technology by Chinese hackers back in 2003. The Pentagon launched an investigation, called Titan Rain, which discovered data theft from US defense contractors, with development and classified testing data being transferred to locations in China.

You may recall the US East Coast power grid shutdowns of 2003 and 2008. These were also traced back to China and were also facilitated by RATs. In short, a hacker who can get a RAT onto a system can activate all of the software that the users of those computers have at their disposal.

Hybrid warfare

A hacker with a RAT can command power stations, telephone networks, nuclear facilities, or gas pipelines. RATs not only represent a corporate network security risk, but they can also enable belligerent nations to cripple an enemy country.

The original users of RATs for industrial espionage and sabotage were Chinese hackers. Over the years, Russia has come to appreciate the power of RATs and has integrated them into its military arsenal. APTs are now officially part of the Russian offense strategy that is known as “hybrid warfare.”

When Russia seized territory from Georgia in 2008 it employed DDoS attacks to block internet services and APTs using RATs to gather intelligence, control, and disrupt Georgian military hardware and essential utilities. Russia’s use of RATs to destabilize Ukraine and the Baltic States continues to this day.

Russia employs semi-official hacker groups, such as APT28. Another hacker group, known as APT15 is regularly used by the Chinese government. The names of these groups explain their main strategy, the “advanced persistent threat,” which is facilitated by RATs.

The rise in trade tariff tensions in 2018 has seen a new spurt in Chinese hacker activity, particularly the semi-military APT15 group. The troubles between the USA and North Korea that have been rumbling on since 2015 have also caused a rise in RAT-assisted APT activity originating in North Korea.

So, while threat actors & hackers around the world use RATs to spy on companies and steal their data and money, the RAT problem has now become an issue of national security for many countries, particularly the USA. We have included some examples of RAT tools below.

Defense against Remote Access Trojan software

Antivirus systems don’t do very well against RATs. Often the infection of a computer or network goes undetected for years. The obfuscation methods used by parallel programs to cloak the RAT procedures make them very difficult to spot. Persistence modules that use rootkit techniques mean that RATs are very difficult to get rid of. Sometimes, the only solution to rid your computer of a RAT is to wipe out all of your software and reinstall the operating system.

RAT prevention systems are rare because the RAT software can only be identified once it is operating on your system. The best way to manage the RAT problem is to use an intrusion detection system. Comparitech has a guide on intrusion detection systems, which gives you a full explanation of how these systems work and a rundown of recommended tools.

The best intrusion detection tools for RAT software, scanners & detection tools

Our methodology for selecting remote access Trojan protection systems

We reviewed the market for remote access Trojan scanners and analyzed the options based on the following criteria:

  • Options for network and host-based RAT scanning
  • Threat mitigation services to get rid of detected RATs
  • Options for scanning wireless networks
  • Alerts to draw attention to RATs and guide removal
  • Detection and removal logging for data protection standards compliance
  • A free tool or a free trial period for assessment
  • A good mix of tools at a fair price that represents value for money

Features Comparison Table

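| Product/Features | SolarWinds Security Event Manager | Snort | OSSEC | Zeek | Suricata | Sagan | Security Onion | AIDE | OpenWIPS-NG | Samhain | Fail2ban |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Network-Based IDS | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Yes | No | No |
| Host-Based IDS | No | No | Yes | No | No | No | No | Yes | No | Yes | Yes |
| Real-Time Monitoring | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | Yes | Yes | Yes |
| Signature-Based Detection | Yes | Yes | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No |
| Anomaly-Based Detection | Yes | No | Yes | Yes | Yes | No | Yes | Yes | No | Yes | No |
| Open Source | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Integration with Other Systems | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes |
| Customizable Rules | Yes | Yes | Yes | Yes | Yes | Yes | Yes | No | No | No | Yes |
| Support and Community | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes | Yes |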

1. SolarWinds Security Event Manager (FREE TRIAL)

Tested on: Windows Server, Cloud/SaaS (Hypervisor, AWS and MS Azure)

SolarWinds SEM dashboard
I find the Critical Node Health summaries indispensable

Intrusion detection systems are important tools for blocking software intrusion that can evade detection by antivirus software and firewall utilities. The SolarWinds Security Event Manager is a Host-based Intrusion Detection System. However, there is a section of the tool that works as a Network-based Intrusion Detection System: the Snort Log Analyzer. You can read more about Snort below; for now, it is enough to know that it is a widely used packet sniffer. By employing Snort as a data collector to feed into the Snort Log Analyzer, you get both real-time and historic data analysis out of the Security Event Manager.

Key Features:

  • Log File Searches for Intrusion: SEM offers log file searches to detect and investigate intrusions or security incidents within the network.
  • Live Data Monitoring for Anomalies: The tool provides live data-monitoring capabilities to identify anomalies and suspicious activities in real-time.
  • Automated Remediation: SEM includes automated remediation features to respond to security threats and incidents automatically.
  • Compliance: It is compliant with industry standards such as PCI DSS, HIPAA, and SOX, ensuring adherence to regulatory requirements.

Why do we recommend it?

SolarWinds Security Event Manager identifies suspicious activity whether it is human driven or software based. Like all forms of malware, RATs need to be spotted quickly and removed. This tool offers good value for money because it identifies and removes a range of threats, not just RATs.

This dual capability gives you a full Security Information and Event Management (SIEM) service. This means that you can watch Snort-captured events live and also examine cross-packet intrusion signatures identified through log file records.

SolarWinds SEM - Events view
I added filters to the top PCI Events for a live view

The Security Event Manager goes beyond RAT detection because it includes automated remediation tasks that help you block RAT activities. The tool is compliant with a range of data security standards, including PCI DSS, HIPAA, SOX, and DISA STIG.

Who is it recommended for?

Although businesses of all sizes need cybersecurity protection, the SolarWinds Security Event Manager is aimed more at large enterprises. This is because it is a large software package that needs to be installed and maintained. Its pricing structure is also more interesting for large businesses than for small companies.


Pros:

  • Targeted Threat Detection: SEM is designed specifically to detect and stop RATs, malware, worms, insider threats, and other security risks promptly.
  • Integration with Tools like Snort: It supports integration with tools like Snort, allowing SEM to be part of a comprehensive security strategy leveraging multiple technologies.
  • Pre-Configured Alerts and Rules: With over 700 pre-configured alerts, correlation rules, and detection templates, SEM provides instant insights and threat detection capabilities upon installation.
  • Intelligent Threat Response: The tool offers easy-to-build threat response rules and uses intelligent reporting to reduce false positives, enhancing accuracy in threat detection and response.
  • Built-In Reporting: SEM includes built-in reporting and dashboard features, reducing the need for multiple cybersecurity tools and providing centralized visibility into security posture.


Cons:

  • Feature Density: Due to its feature-rich nature, SEM may require time and effort to fully explore and utilize all its capabilities effectively.

SolarWinds SEM Version Download Selection
During download, you will be prompted to select the download version for HyperV, VMWare or Azure

The SolarWinds Security Event Manager can be installed on Windows Server. The utility isn’t free to use, but you can get it on a 30-day free trial.


SolarWinds Security Event Manager is our Editor’s Choice because it has hundreds of out-of-the-box correlation rules which can alert you to suspicious behaviors in real-time. You can also set up new rules thanks to the normalization of log data. The dashboard gives you a powerful command center for identifying potential network vulnerabilities.

Official Site: solarwinds.com/security-event-manager

OS: Windows 10 and later, Windows Server 2012 and later, Cloud-based: Hypervisor, AWS and MS Azure

2. Snort

Snort is free to use and it is the industry leader in NIDS, which is a Network Intrusion Detection System.

Key Features:

  • Signature-Based Detection: Snort uses signature-based detection to identify known threats by comparing network traffic against a database of predefined signatures.
  • Anomaly-Based Detection: Additionally, Snort can detect anomalies in network traffic by analyzing deviations from normal patterns.
  • Packet Sniffer: It includes packet sniffing capabilities, allowing it to capture and analyze network packets in real-time for security analysis.
  • Intrusion Detection Mode: Snort operates in intrusion detection mode, where it detects and alerts users about potential intrusions or security breaches within the network.
  • Data Analysis: The tool provides data analysis features, enabling users to examine network traffic patterns, anomalies, and potential threats.

Why do we recommend it?

Snort is both an open source system and a property of Cisco Systems. This combination creates a sweet spot that means you are getting a very widely-used network traffic analyzer that is supported by the world’s leading network device producer.

This system was created by Cisco Systems and it can be installed on Windows, Linux, and Unix. Snort can implement defense strategies, which makes it an intrusion prevention system. It has three modes:

  • Sniffer mode – a live packet sniffer
  • Packet logger – records data packets to a file
  • Intrusion detection mode – includes an analysis module

The IDS mode of Snort applies “base policies” to the data. These are alert rules that provide intrusion detection. Policies can be acquired for free from the Snort website, sourced from the user community, or you can write your own. Suspicious events that Snort can highlight include stealth port scanning, buffer overflow attacks, CGI attacks, SMB probes, and OS fingerprinting. Snort is capable of both signature-based detection methods and anomaly-based systems.

The front-end of Snort isn’t very good and most users feed data from Snort into better consoles and analysis tools, such as Snorby, BASE, Sguil, and Anaval.

Snort on Github
I love the straightforward download and install instructions direct on their front page

Who is it recommended for?

Snort is a sophisticated tool for network specialists – it isn’t an out-of-the-box package. For this reason, although it is free to use, it isn’t a solution that small businesses that don’t have technicians on staff could use.


Pros:

  • Free and Open Source: Snort is completely free and open-source, allowing users to access its source code, customize rules, and contribute to the community’s rule sets and configurations.
  • Widely Used and Supported: Snort is one of the most widely used IDS globally, with a large user base and extensive community support.
  • Active Community: The active and vibrant Snort community provides resources, documentation, and support forums for users to seek assistance and share knowledge.


Cons:

  • Complex Configuration: Snort’s extensive configuration options and rule syntax can be complex for novice users, requiring a learning curve to effectively deploy and manage.
  • Learning Curve: Compared to products with dedicated support and extensive documentation, Snort may have a steeper learning curve, requiring users to invest time in learning its configuration and usage.


3. OSSEC

OSSEC screenshot
I enhanced the visualizations using filters

OSSEC stands for Open Source HIDS Security. A HIDS is a Host Intrusion Detection System, which examines events on the computers in a network rather than trying to spot anomalies in the network traffic, which is what network intrusion detection systems do. OSSEC is the current HIDS leader and it can be installed on Unix, Linux, and macOS operating systems. Although it can’t run on Windows computers it can accept data from them. OSSEC examines event logs to look for RAT activities. This software is an open-source project that is owned by cybersecurity firm, Trend Micro.

When we tested OSSEC we found the following key features.

Key Features:

  • Log-Based Intrusion Detection (LIDs): Actively monitors and analyzes data from multiple log data points in real-time, allowing for the detection of security incidents and potential threats.
  • Rootkit and Malware Detection: Conducts process and file-level analysis to detect malicious applications and rootkits, providing comprehensive protection against malware-based attacks.
  • Log File-Based IDS: OSSEC operates as a log file-based IDS, analyzing log files to detect potential security incidents and threats.
  • Adaptable Detection Rules: It offers adaptable detection rules, allowing users to customize and configure rulesets based on their specific security requirements and environments.

Why do we recommend it?

Like Snort, OSSEC is a free, open source project that is supported by a major corporation – Trend Micro in this case. Trend Micro is a leading anti-malware provider and OSSEC ties in well with that business’s strengths because it examines events on endpoints. The utility spots unexpected behavior, which reveals attempts to install RATs as well as other malware.

This is a data-gathering tool, which doesn’t have a very user-friendly front-end. Generally, the front end for this system is supplied by other tools, such as Splunk, Kibana, or Graylog. The detection engine of OSSEC is based on policies, which are alert conditions that might arise in the data. You can acquire pre-written packages of policies from other OSSEC users who make their packages available for free on the OSSEC user community forum. You can also write your own policies.

OSSEC Installation
Make sure to consult the docs for a seamless installation using a shell script

Who is it recommended for?

Also like Snort, OSSEC is a tool for use by specialists. You need to be able to understand how cybersecurity tools work in order to get this package working effectively to identify threats and remove them automatically.


Pros:

  • Free to Use: OSSEC is freely available for use, making it accessible to a wide range of users and organizations without the need for costly licensing fees.
  • Cross-Platform Compatibility: OSSEC can be deployed on various operating systems, including Linux, Windows, Unix, and Mac, providing versatility and compatibility across different environments.
  • Combination SIEM and HIDS: It can function as both a SIEM system and a HIDS, offering comprehensive security monitoring capabilities.
  • Customizable Interface: The interface of OSSEC is easy to customize, allowing users to tailor it to their preferences and requirements.


Cons:

  • Dependency on Secondary Tools: OSSEC may require additional tools like Graylog and Kibana for in-depth analysis and visualization of security data, adding complexity to the setup and management process.
  • Lack of Paid Support for Open-Source Version: The open-source version of OSSEC does not include paid support, which may be a limitation for organizations requiring dedicated technical support and assistance.

Get started with the installation using a shell script.

4. Zeek

Tested on: Unix, Linux, and MacOS

Zeek on Kibana
Getting Zeek working on a Kibana graphic interface

Zeek is a very well-established network-based intrusion detection system. This free tool is better known by its old name: Bro. The tool changed its name to Zeek in 2018. Zeek is an open-source project that is supported financially by some very big names, including the Mozilla Foundation and the International Computer Science Institute.

Key Features:

  • Application Layer Detection: Zeek specializes in application layer detection, providing insights into network traffic at a granular level.
  • Anomaly-Driven and Signature-Based Searches: It employs both anomaly-driven and signature-based searches to detect known and unknown threats within network traffic.
  • Advanced Threat Detection: The tool utilizes signature detection and anomalous behavior scanning techniques, enabling it to detect a wide range of threats.

Why do we recommend it?

Zeek is an excellent alternative to Snort. While not quite as highly respected as Snort, this tool is a close competitor. The Zeek system is easier to set up than Snort and it still performs a competent scan of network traffic, looking for chains of activity that indicate malicious actions. The service will also identify manual intrusion.

Despite being a network-based system, Zeek doesn’t operate on live data. This is because packet analysis doesn’t spot many types of attacks that are implemented in stages, across packets, and from different sources. So, Zeek captures data packets and then stores them in files. This makes it an application-level NIDS.

The packet files are analyzed by the Zeek Event Engine. This is a semantic analyzer that looks for unusual patterns that break out of standard activity behavior. The detection techniques used by the analyzer are therefore anomaly-based. However, the analyzer also does a sweep for well-known malicious intruder behavior, so it deploys signature-based analysis as well.

Zeek runs on Unix, Linux, and MacOS. The system includes a scripting language that enables technicians to write their own capture routines and anomaly scans. This technical aspect might put many people off using the system. However, the monitor has a large following, so there is a big user community out there to advise newbies. A big problem with Zeek is that it doesn’t have its own front end, so it needs to be paired up with other interfaces. Kibana is probably the most regularly used interface for Zeek.
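One anomaly scan of the kind described above, as an added Python example (not Zeek script, not Zeek's own code, and not from the original article). It goes beyond the text by picking a specific cross-packet pattern, the timer-driven check-in traffic that a RAT tends to produce, and flags host pairs whose connection gaps are nearly constant. The log is constructed, uses only a subset of Zeek's conn.log columns, and the `min_conns` and `max_jitter` thresholds are assumptions.

```python
import statistics
from collections import defaultdict

# Constructed sample: a subset of Zeek conn.log columns, tab-separated.
# All addresses come from private or documentation ranges.
SAMPLE_CONN_LOG = (
    "#fields\tts\tid.orig_h\tid.resp_h\tid.resp_p\n"
    "1000.0\t10.0.0.5\t203.0.113.7\t443\n"
    "1003.0\t10.0.0.8\t198.51.100.20\t443\n"
    "1009.5\t10.0.0.8\t198.51.100.20\t443\n"
    "1020.4\t10.0.0.5\t192.0.2.53\t53\n"
    "1060.2\t10.0.0.5\t203.0.113.7\t443\n"
    "1119.9\t10.0.0.5\t203.0.113.7\t443\n"
    "1130.0\t10.0.0.8\t198.51.100.20\t443\n"
    "1131.2\t10.0.0.8\t198.51.100.20\t443\n"
    "1180.1\t10.0.0.5\t203.0.113.7\t443\n"
    "1240.0\t10.0.0.5\t203.0.113.7\t443\n"
    "1250.9\t10.0.0.5\t192.0.2.53\t53\n"
    "1299.8\t10.0.0.5\t203.0.113.7\t443\n"
    "1400.7\t10.0.0.8\t198.51.100.20\t443\n"
    "1950.3\t10.0.0.8\t198.51.100.20\t443\n"
)


def parse_conn_log(text):
    """Yield (ts, orig_h, resp_h, resp_p) using the column order in #fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
            continue
        if not line or line.startswith("#"):
            continue  # blank lines and other metadata headers
        if fields is None:
            raise ValueError("no #fields header before the first record")
        row = dict(zip(fields, line.split("\t")))
        yield (float(row["ts"]), row["id.orig_h"],
               row["id.resp_h"], int(row["id.resp_p"]))


def find_beacons(records, min_conns=5, max_jitter=0.1):
    """Return host pairs whose connection gaps are close to constant.

    Jitter is the coefficient of variation of the gaps (stdev / mean).
    Human-driven traffic is bursty and scores high; a timer scores near 0.
    """
    times = defaultdict(list)
    for ts, orig, resp, port in records:
        times[(orig, resp, port)].append(ts)

    findings = []
    for (orig, resp, port), stamps in times.items():
        if len(stamps) < min_conns:
            continue  # too few samples to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean_gap
        if jitter <= max_jitter:
            findings.append({
                "src": orig, "dst": resp, "port": port,
                "connections": len(stamps),
                "period_s": round(mean_gap, 1),
                "jitter": round(jitter, 3),
            })
    return sorted(findings, key=lambda f: f["jitter"])


if __name__ == "__main__":
    for hit in find_beacons(parse_conn_log(SAMPLE_CONN_LOG)):
        print(hit)
```

Regular software such as update checkers and monitoring agents also connects on a timer, so hits from a test like this need an allowlist before they are treated as alerts.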

Installing Zeek on Kali Linux

Who is it recommended for?

Zeek is a little easier to operate and understand than Snort because it applies automated searches on traffic that you can just treat as a black box. Nevertheless, the need to pair this system with a third-party front end means there is a learning curve involved just to get the system running. If you can hire a technician to set the service up for you, you would be able to operate Zeek without technical skills.


Pros:

  • Free to Use: Zeek is freely available for use, making it accessible to security professionals and organizations without the need for expensive licensing fees.
  • High Customizability: Zeek is highly customizable, catering to the needs of security professionals operating on Unix-based operating systems.
  • Scripting Automation: Zeek supports automation through scripting, empowering administrators to automate various actions and responses based on detected threats or network events.


Cons:

  • Limited Platform Support: Zeek is primarily available for Unix, Linux, and Mac platforms, limiting its compatibility with Windows-based environments.
  • Specialized Usage: Due to its complexity and focus on advanced threat detection, Zeek is better suited for researchers, specialists, and security professionals who require in-depth network traffic analysis capabilities.

5. Suricata

Suricata running on Logstash Templates
We got it running on Logstash templates with Kibana

Suricata is a NIDS that can be installed on Windows, Linux, Mac OS, and Unix. This is a fee-based system that applies application layer analysis, so it will detect signatures that are spread across data packets. Suricata monitors IP, TLS, TCP, and UDP protocol activity and focuses on key network applications, such as FTP, HTTP, ICMP, and SMB. It can also examine TLS certificates and focus on HTTP requests and DNS calls. There is also a file extraction facility that enables the analysis of virus-infected files.

Key Features:

  • Application Layer Analysis: Suricata specializes in application layer analysis, providing detailed visibility into the behavior of RATs and other network threats.
  • Great Data Visualizations: It offers excellent data visualizations, enabling users to understand network traffic patterns and security events effectively.
  • Analyzes Network Traffic: Suricata thoroughly analyzes network traffic, including multiple protocols, to detect and respond to potential security threats.

Why do we recommend it?

Suricata is another free network traffic analyzer that implements system defense. The package runs on-premises and it can monitor internet traffic to and from cloud services as well as LAN activity. Suricata is able to block the malicious activities that it spots.

Suricata has a built-in scripting module that enables you to combine rules and get a more precise detection profile. This IDS uses both signature-based and anomaly-based detection methods. VRT rules files written for Snort can also be imported into Suricata because this intrusion detection system is compatible with the Snort platform. This also means that Snorby, BASE, Sguil, and Anaval can serve as front ends to Suricata. However, the Suricata GUI is very sophisticated and includes graphical representations of data, so you might not need to use any other tool to view and analyze data.

Who is it recommended for?

Anyone can use Suricata. The system is easy to set up and use because it has a very good user interface and runs on all of the major operating systems. As Suricata is free to use, it is suitable for businesses of any size. The frontend isn’t the best you can get and if you have technical skills, you can feed data into other analysis tools. The Suricata system also includes a scripting language, which enables those who have technical skills to really expand the intrusion prevention features in this tool.


Pros:

  • Application Layer Visibility: Suricata’s ability to collect data at the application layers provides unique visibility into the behavior of RATs and other malicious activities.
  • Efficient Packet Reassembly: It efficiently analyzes and reassembles protocol packets, ensuring accurate analysis and detection of security incidents.
  • Multi-Protocol Monitoring: Suricata can monitor multiple protocols and check the integrity of certificates in protocols like TLS, HTTP, and SSL, enhancing its coverage and threat detection capabilities.


Cons:

  • Scripting Complexity: Users may find the built-in scripting capabilities of Suricata somewhat challenging to use, requiring a learning curve to leverage scripting for customizations and automation.
  • Visualizations on Dashboard: Some users may find that Suricata could improve its live dashboard visualizations for better data representation and analysis.

6. Sagan

Sagan screenshot
It’s free to download, but I could only install on Linux

Sagan is a free host-based intrusion detection system that can be installed on Unix, Linux, and Mac OS. You can’t run Sagan on Windows but you can feed Windows event logs into it. Data gathered by Snort, Suricata, or Bro can be imported into Sagan, which gives the data analytical tool of this utility a NIDS perspective as well as its native HIDS capabilities. Sagan is also compatible with other Snort-type systems, such as Snorby, BASE, Sguil, and Anaval, which could all provide a front end for data analysis.

Key Features:

  • Log Analysis Tool: Sagan is primarily a log analysis tool, designed to analyze log data for security events and threats.
  • Compatibility with Security Consoles: Integrates with popular graphical-based security consoles such as Snorby, BASE, Sguil, and EveBox.
  • Geographic Location Tracking: Tracks events based on IP address source or destination data to identify anomalies in geographic locations.
  • Threat Intelligence Integration: Queries custom blacklists, Bro Intel subscriptions, and Quadrant Information Security threat intelligence feeds.
  • Alert Fatigue Reduction: Implements thresholds to reduce alert fatigue, alerting only after specific criteria have been met.

Why do we recommend it?

Sagan is a free log analysis tool that is good for malware and intrusion detection. This service can also centralize data gathered from many of the other tools on this list. Look upon Sagan as a free alternative to SolarWinds Security Event Manager.

Sagan is a log analysis tool and it needs to be used in conjunction with other data gathering systems in order to create a full intrusion detection system. The utility includes an IP locator, so you can trace the sources of suspicious activities to a location. It can also group together the activities of suspicious IP addresses to identify team or distributed attacks. The analysis module works with both signature and anomaly detection methodologies.
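The two correlation ideas above, a threshold that must be met before alerting and grouping of sources that act together, shown as an added Python example rather than Sagan rule syntax or code from the article. The log lines are constructed sshd-style messages, and the window and both limits are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; addresses are from documentation ranges.
LOG = """\
2024-05-01T10:00:01 host1 sshd[811]: Failed password for root from 203.0.113.10 port 50112 ssh2
2024-05-01T10:00:03 host1 sshd[812]: Failed password for admin from 198.51.100.7 port 40001 ssh2
2024-05-01T10:00:05 host1 sshd[813]: Failed password for root from 203.0.113.10 port 50113 ssh2
2024-05-01T10:00:09 host1 sshd[814]: Failed password for root from 203.0.113.10 port 50114 ssh2
2024-05-01T10:00:14 host1 sshd[815]: Failed password for root from 203.0.113.10 port 50115 ssh2
2024-05-01T10:00:20 host1 sshd[816]: Failed password for root from 203.0.113.10 port 50116 ssh2
2024-05-01T10:00:25 host1 sshd[817]: Accepted password for alice from 198.51.100.9 port 40100 ssh2
2024-05-01T10:00:30 host1 sshd[818]: Failed password for invalid user backup from 192.0.2.11 port 33001 ssh2
2024-05-01T10:00:40 host1 sshd[819]: Failed password for invalid user backup from 192.0.2.12 port 33002 ssh2
2024-05-01T10:00:50 host1 sshd[820]: Failed password for invalid user backup from 192.0.2.13 port 33003 ssh2
2024-05-01T10:02:30 host1 sshd[821]: Failed password for admin from 198.51.100.7 port 40002 ssh2
"""

FAILED = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def parse(text):
    """Yield (timestamp, user, source_ip) for each failed login line."""
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["user"], m["ip"]


def correlate(events, window=timedelta(seconds=60),
              per_ip_limit=5, distributed_limit=3):
    """Return alerts in time order.

    "threshold":   one source reached per_ip_limit failures inside the window.
    "distributed": one account was tried from distributed_limit different
                   sources inside the window, even though no single source
                   reached the per-source limit.
    Each source or account alerts once, which keeps the alert volume down.
    """
    by_ip = defaultdict(deque)     # ip   -> timestamps still inside the window
    by_user = defaultdict(deque)   # user -> (timestamp, ip) inside the window
    alerts, raised = [], set()

    for ts, user, ip in sorted(events):
        seen = by_ip[ip]
        seen.append(ts)
        while ts - seen[0] > window:
            seen.popleft()
        if len(seen) >= per_ip_limit and ("ip", ip) not in raised:
            raised.add(("ip", ip))
            alerts.append(("threshold", ip, len(seen)))

        tries = by_user[user]
        tries.append((ts, ip))
        while ts - tries[0][0] > window:
            tries.popleft()
        sources = sorted({src for _, src in tries})
        if len(sources) >= distributed_limit and ("user", user) not in raised:
            raised.add(("user", user))
            alerts.append(("distributed", user, sources))
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse(LOG)):
        print(alert)
```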

Sagan can automatically execute scripts to lock down the network when it detects specific events. It performs these prevention tasks through interaction with firewall tables. So, this is an intrusion prevention system.

Who is it recommended for?

If you have the money and you want to install a SIEM tool to spot RATs, you should really go for the SolarWinds tool. However, if you don’t want to pay anything and you are prepared to put in a little work, you should consider using Sagan. Creating rules to automatically shut down threats takes a bit of learning, but you will save a lot of money for the time that you invest.


Pros:

  • Free Log Analysis Tool: Sagan is available as a free log analysis tool, making it accessible to organizations without additional costs.
  • Compatibility with Open-Source Tools: It is compatible with other open-source tools like Zeek and Snort, allowing for integration and enhanced threat detection capabilities.
  • Automated Threat Remediation: Sagan offers automated remediation of threats, helping to mitigate security risks and respond to incidents more efficiently.


Cons:

  • Not Available for Windows: Sagan is not available for Windows operating systems, limiting its deployment options for organizations that primarily use Windows environments.
  • Not a Standalone RAT Solution: While Sagan offers automated remediation, it is not a standalone solution specifically focused on RAT removal or prevention.
  • Steep Learning Curve: New users may experience a steep learning curve when using Sagan, as it requires familiarity with log analysis concepts and configurations.

7. Security Onion

Security Onion Customizable Dashboard
I made personal touches to the customizable dashboard

Security Onion was developed by splicing together the code for Snort, Suricata, OSSEC, Bro, Snorby, Sguil, Squert, Kibana, ELSA, Xplico, and NetworkMiner, which are all open-source projects. This powerful tool is a free Linux-based NIDS that includes HIDS functionality. It was written to run specifically on Ubuntu.

Key Features:

  • Intrusion Detection: Incorporates intrusion detection capabilities to identify and alert on potential security threats within the network.
  • Honeypots: Includes intrusion detection honeypots, which are decoy systems designed to lure attackers and gather information about their tactics and techniques.
  • Log Management: Facilitates the collection, storage, and analysis of log data from various sources, aiding in the detection and investigation of security incidents.
  • Case Management: Provides tools for managing security incidents, including case creation, assignment, tracking, and resolution, streamlining the incident response process.

Why do we recommend it?

Security Onion was created to address the problem that we have flagged a number of times in the reviews above. The problem is that all of the systems on this list would work a little better if they were combined into a suite. Security Onion links together the best free intrusion detection systems so you don’t have to learn how best to fit these utilities together into an impressive intrusion prevention system to block RATs and other malicious activities.

Host-based analysis checks for file changes and network analysis is conducted by a packet sniffer, which can display passing data on a screen and also write to a file. The analysis engine of Security Onion is complicated because it combines the procedures of so many different tools. It includes device status monitoring as well as network traffic analysis.

There are both signature-based and anomaly-based alert rules included in this system. The interface of Kibana provides the dashboard for Security Onion and it includes graphs and charts to ease data analysis.

Setting Alerts in Security Onion
I filtered the alerts according to the rule name, event module and event severity

Who is it recommended for?

As it involves so many packages, Security Onion takes time to download and install. However, the setup process is guided and that makes this tool easy for anyone to use. The one problem that some businesses will face is that Security Onion only runs on Ubuntu Linux. So, if your enterprise only has Windows PCs, you will have to convert one of them to Linux to use Security Onion.


Pros:

  • Free and Open-Source: Being free and open-source, Security Onion provides cost-effective security monitoring and analysis capabilities.
  • Network Visibility: Provides comprehensive visibility into network traffic, allowing for the monitoring and analysis of network activities.
  • Host Visibility: Offers insight into host activities, enabling the detection and investigation of suspicious behavior on individual devices.


Cons:

  • Availability Only for Linux: Security Onion is available only for Linux operating systems, which may limit its deployment options for organizations that primarily use other operating systems.
  • Visualization through Kibana: It uses Kibana for visualization, which may require additional configuration and setup for customized visualizations.
  • Complex Interface: The interface of Security Onion is considered fairly complicated, and some users may find it challenging to navigate or use.


Tested on: Linux

8. AIDE

AIDE screenshot
Some prefer simple command line tools

AIDE stands for “Advanced Intrusion Detection Environment.” This is a free HIDS that runs on Mac OS, Unix, and Linux. This IDS focuses on rootkit detection and file signature comparisons.

Key Features:

  • Log Monitoring: AIDE monitors logs from various network systems and devices, analyzing entries for signs of unauthorized access, unusual behavior, or security incidents.
  • File Integrity Monitoring (FIM): Tracks changes to critical system files and directories, alerting administrators to unauthorized modifications and potential security compromises.
  • Intrusion Detection: Combines signature-based and anomaly-based techniques to identify known attack patterns and detect unusual activities, such as port scans or malware, indicating potential threats.
  • Incident Response Support: Assists in incident response by providing detailed event information, aiding forensic analysis, and facilitating the remediation of security vulnerabilities.
  • Configuration Monitoring: Monitors system configurations to detect unauthorized changes or deviations from security baselines, ensuring systems maintain secure and compliant settings.

Why do we recommend it?

As it is a free, open-source host-based intrusion detection system, AIDE competes with OSSEC, Suricata, and Samhain. This is worth a try. However, its command-line interface makes the AIDE utility difficult to use. If you have the time and the skills, you can forward AIDE data files and display them in another tool.

The data gathering module populates a database of characteristics that are gleaned from log files. This database is a system status snapshot and any changes in device configuration trigger alerts. Those changes can be canceled by reference to the database or the database can be updated to reflect authorized configuration alterations.

System activity checks are performed on demand rather than continuously, but they can be scheduled as a cron job. The rules base of AIDE uses both signature-based and anomaly-based monitoring methods.
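The snapshot-and-compare cycle described above, sketched in Python as an added example (this is not AIDE's code; the directory tree, file names and the `snapshot`, `compare` and `demo` helpers are constructed for illustration). It records a checksum, permission bits and size for each file, reports drift from the baseline, then re-baselines to accept an authorized change.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path


def snapshot(root):
    """Record checksum, permission bits and size for every regular file under root."""
    root = Path(root)
    db = {}
    for path in sorted(root.rglob("*")):
        if path.is_symlink() or not path.is_file():
            continue  # only regular files are tracked in this sketch
        st = path.stat()
        db[path.relative_to(root).as_posix()] = {
            "sha256": hashlib.sha256(path.read_bytes()).hexdigest(),
            "mode": stat.S_IMODE(st.st_mode),
            "size": st.st_size,
        }
    return db


def compare(baseline, current):
    """Return files added, removed, or changed (with the attributes that differ)."""
    report = {"added": [], "removed": [], "changed": {}}
    for name in sorted(set(baseline) | set(current)):
        if name not in baseline:
            report["added"].append(name)
        elif name not in current:
            report["removed"].append(name)
        else:
            diffs = [k for k in ("sha256", "mode", "size")
                     if baseline[name][k] != current[name][k]]
            if diffs:
                report["changed"][name] = diffs
    return report


def demo():
    """Build a constructed tree, take a baseline, alter the tree, and check it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        config = root / "etc" / "sshd_config"
        tool = root / "bin" / "tool"
        config.write_text("PermitRootLogin no\n")
        tool.write_text("#!/bin/sh\necho ok\n")
        os.chmod(tool, 0o755)

        baseline = snapshot(root)  # the stored "system status snapshot"

        # Changes made after the baseline was taken (constructed for the demo).
        config.write_text("PermitRootLogin yes\n")         # content edited
        os.chmod(tool, 0o777)                              # made world-writable
        (root / "bin" / "helper").write_text("dropped\n")  # new file appears

        first_check = compare(baseline, snapshot(root))

        # If the changes were authorized, the baseline is replaced with the
        # current state and the next check comes back clean.
        baseline = snapshot(root)
        second_check = compare(baseline, snapshot(root))
        return first_check, second_check


if __name__ == "__main__":
    first, second = demo()
    print("first check :", first)
    print("second check:", second)
```

Because the check only runs when invoked, anything that changes and is restored between two scheduled runs goes unseen, which is why the cron interval matters.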

Who is it recommended for?

AIDE isn’t available for Windows, so if you only have PCs, you won’t be able to use this tool. This is a system that will appeal to technical experts who like to tinker.


Pros:

  • Free and Open-Source: Being free and open-source, AIDE provides cost-effective intrusion detection capabilities for security professionals and organizations.
  • Lightweight Deployment: Its lightweight nature allows it to run efficiently in legacy environments, making it suitable for detecting RATs and other threats in such environments.
  • SIEM Integration: Integrates with SIEM systems to centralize and correlate security events from multiple sources, enhancing visibility and analysis capabilities.


Cons:

  • Availability Only for Linux and Unix: AIDE is available only for Linux and Unix operating systems, which may limit its deployment options for organizations that primarily use other operating systems.
  • Not Beginner-Friendly: AIDE may not be as beginner-friendly as some other security tools, requiring a certain level of technical expertise and familiarity with command-line interfaces for effective usage.

9. OpenWIPS-NG

OpenWIPS-NG screenshot

OpenWIPS-NG comes from the developers of Aircrack-NG. In fact, it integrates Aircrack-NG as its wireless packet sniffer. Aircrack-NG is a well-known hacker tool, so this association may make you a little wary. WIPS stands for “Wireless Intrusion Prevention System” and it runs on Linux.

Key Features:

  • Sensors: “Dumb” devices that capture wireless traffic and send it to the server for analysis.
  • Server: Aggregates data from all sensors, conducts thorough analysis, and initiates responses to detected attacks.
  • Interface: Provides a user-friendly GUI for managing the server and displaying comprehensive information about threats on the wireless network(s).

Why do we recommend it?

OpenWIPS-NG is unique on this list because it operates on wireless networks. It can be used to extract packets and analyze them and also to inject traffic back into the wireless networks. A great feature of this tool is that it is free to use. However, don’t think that it will be able to crack transmission encryption, so you won’t be able to spy on WiFi users.

OpenWIPS-NG is a free utility that includes three elements:

  • Sensor – the packet sniffer
  • Server – data storage and analysis rule-base
  • Interface – user-facing front end.

The sensor is also a transmitter, so it can implement intrusion prevention actions and cripple unwanted transmissions. The server performs analysis and also launches intervention policies to block detected intrusions. The interface module displays events and alerts to the systems administrator. This is also where settings can be tweaked and defensive actions can be adjusted or overridden.

Who is it recommended for?

Like its stablemate, Aircrack-NG, OpenWIPS-NG is good for hackers. However, the ability to respond to detected malicious activities makes it very useful. You would need to be a competent network engineer to use this tool.


Pros:

  • Flexibility: Its flexibility allows security specialists to customize and tailor it to specific security needs and network environments.
  • Lightweight CLI: The command-line interface is efficient and does not require heavy system resources, making it suitable for various devices and environments.
  • Memorizable Syntax: The syntax is straightforward and easy to remember, reducing the learning curve for users.


Cons:

  • Reliance on Other Tools: It relies on other tools to expand its functionality, which may require additional configurations or integrations.
  • Not an All-in-One Solution: While powerful for WiFi network security, OpenWIPS-NG may not be ideal for users looking for a comprehensive, all-in-one security solution that includes other network security aspects.

10. Samhain

Samhain screenshot

Samhain, produced by Samhain Design Labs in Germany, is a free host-based intrusion detection system that installs on Unix, Linux, and Mac OS. It uses agents running at different points on the network, which report back to a central analysis module. Each agent performs file integrity checking, log file monitoring, and port monitoring. The processes look for rootkit viruses, rogue SUIDs (user access rights), and hidden processes.

Key Features:

  • Security: Baseline databases and configurations are stored securely on the server, preventing tampering by local intruders.
  • Log Facilities: Offers a wide range of logging facilities including email, syslog, signed and tamper-resistant log files, SQL databases.
  • Modular Structure: Samhain features a modular structure allowing for easy extension and customization to perform various monitoring tasks such as checking for open ports, hidden processes, and log file analysis.
  • Tamper Resistance: Supports signed database and configuration files, along with signed log file entries and email reports, ensuring tamper resistance.
  • Monitoring User Access Rights: Samhain can monitor user access rights to detect privilege escalation, which is a common behavior associated with RATs.

Why do we recommend it?

Samhain is a host-based intrusion detection system, so it competes with the other HIDS on this list. It is a free, open-source project, so you can alter the code if you want to. Features that no other IDS on this list has include the ability to mask its running processes and its strong protection of log files.

Network communication between agents and the console is protected by encryption. Connections for the delivery of log file data include authentication requirements, which prevent intruders from hijacking or replacing the monitoring process.

Samhain will highlight warning signs of intrusion but it doesn’t have any resolution processes. You will need to keep backups of your configuration files and user identities in order to take action to resolve the problems that the Samhain monitor reveals. Samhain keeps its processes hidden using a stealth technology called “steganography” in order to prevent intruders from manipulating or killing the IDS. Central log files and configuration backups are signed with a PGP key to prevent tampering by intruders.

Who is it recommended for?

Samhain can be used as a log management tool and it provides a log viewer. The system is useful to have if only for those services and it would be useful for businesses of any size. This is yet another tool that won’t run on Windows.


Pros:

  • Free and Open-Source: Being free and open-source, Samhain offers security monitoring capabilities without additional costs.
  • Flexibility: Provides modules for comprehensive monitoring tasks including integrity checks using cryptographic checksums, detection of rogue SUID executables, and centralized monitoring.
  • Detection Capabilities: It can effectively detect rogue processes, intrusions, malicious connections, and privilege escalation, enhancing overall security posture.


Cons:

  • No Paid Support Options: Samhain lacks paid support options, which may limit access to dedicated technical assistance and resources.
  • Not Available for Windows: It is not available for Windows operating systems, restricting its deployment to Linux and Unix-based environments.
  • Outdated Interface and Usability: The interface of Samhain feels outdated and may not be particularly user-friendly.

11. Fail2Ban

Fail2ban screenshot

Fail2Ban is a free host-based intrusion prevention system that runs on Unix, Linux, and Mac OS X. The IDS analyses log files and imposes bans on IP addresses that display suspicious behavior. Automatic lockouts occur in Netfilter/IPtables or PF firewall rules and the hosts.deny table of TCP Wrapper. These blocks usually only last a few minutes, but that can be enough to disrupt a standard automated brute-force password-cracking scenario.

Key Features:

  • Automatic IP Ban: Fail2Ban automatically bans attacking IP addresses, which is effective in stopping RAT Command and Control (C&C) servers.
  • Combination IDS and HIDS: It acts as a combination IDS and HIDS, providing comprehensive security monitoring.

Why do we recommend it?

Fail2Ban is a host-based intrusion prevention system that monitors application activity for suspicious behavior. For example, it will set up a monitor to focus on mail servers and another to watch an Apache Web server. You set up playbooks that tell Fail2Ban what to do when it detects suspicious activity.

Alert situations include excessive failed login attempts. A problem with Fail2Ban is that it focuses on repeated actions from one address. This doesn’t give it the ability to cope with distributed password cracking campaigns or DDoS attacks.

The monitoring scope of the system is defined by a series of “filters.” These instruct the IPS on which services to monitor. These include Postfix, Apache, Courier Mail Server, Lighttpd, sshd, vsftpd, and qmail. Each filter is combined with an action to perform in the event of an alert condition being detected. The combination of a filter and an action is called a “jail.”
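How a jail's filter, thresholds and ban action fit together, and why counting per address misses a distributed password-guessing run, as an added Python example (not Fail2Ban's own code). The log lines are constructed, the addresses come from documentation ranges, and `Jail`, `process` and `max_distinct_sources` are hypothetical helpers; `maxretry`, `findtime` and `bantime` mirror the names of Fail2Ban's jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sshd-style log lines; addresses come from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:01 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40022 ssh2
2024-05-01T10:00:09 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40024 ssh2
2024-05-01T10:00:15 web1 sshd[812]: Accepted password for alice from 192.0.2.10 port 51000 ssh2
2024-05-01T10:00:20 web1 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40030 ssh2
2024-05-01T10:00:25 web1 sshd[811]: Failed password for root from 203.0.113.7 port 40031 ssh2
2024-05-01T10:05:00 web1 sshd[900]: Failed password for root from 198.51.100.1 port 50001 ssh2
2024-05-01T10:05:05 web1 sshd[901]: Failed password for root from 198.51.100.2 port 50002 ssh2
2024-05-01T10:05:10 web1 sshd[902]: Failed password for root from 198.51.100.3 port 50003 ssh2
2024-05-01T10:05:15 web1 sshd[903]: Failed password for root from 198.51.100.4 port 50004 ssh2
2024-05-01T10:05:20 web1 sshd[904]: Failed password for root from 198.51.100.5 port 50005 ssh2
"""

# The "filter": a pattern that pulls the offending address out of a failure line.
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?\S+ "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


class Jail:
    """A filter plus a ban action: ban after maxretry failures within findtime."""

    def __init__(self, failregex, maxretry=3, findtime=600, bantime=600):
        self.failregex = failregex
        self.maxretry = maxretry
        self.findtime = timedelta(seconds=findtime)
        self.bantime = timedelta(seconds=bantime)
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.banned = {}                    # ip -> time the ban expires

    def is_banned(self, ip, now):
        expiry = self.banned.get(ip)
        return expiry is not None and now < expiry

    def feed(self, line):
        """Process one log line; return the address if this line triggers a ban."""
        m = self.failregex.match(line)
        if not m:
            return None
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if self.is_banned(ip, ts):
            return None  # a real firewall rule would already be dropping this
        recent = self.failures[ip]
        recent.append(ts)
        while recent and ts - recent[0] > self.findtime:
            recent.popleft()  # forget failures older than findtime
        if len(recent) >= self.maxretry:
            self.banned[ip] = ts + self.bantime  # the "action"
            recent.clear()
            return ip
        return None


def process(log_text, jail):
    """Feed every line to the jail and return the addresses banned, in order."""
    return [ip for line in log_text.splitlines() if (ip := jail.feed(line))]


def max_distinct_sources(log_text, window=60):
    """Largest number of different addresses failing within any window (seconds)."""
    events = sorted(
        (datetime.fromisoformat(m["ts"]), m["ip"])
        for line in log_text.splitlines() if (m := FAILREGEX.match(line))
    )
    span = timedelta(seconds=window)
    return max(
        (len({ip for ts, ip in events[i:] if ts - start <= span})
         for i, (start, _) in enumerate(events)),
        default=0,
    )


if __name__ == "__main__":
    jail = Jail(FAILREGEX)
    print("banned:", process(SAMPLE_LOG, jail))
    print("distinct failing sources in 60 s:", max_distinct_sources(SAMPLE_LOG))
```

The single noisy address is banned on its third failure, while the five addresses that each fail once never reach `maxretry`; a count of distinct failing sources per window is the kind of cross-address signal that has to come from another tool.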

Who is it recommended for?

Fail2Ban runs on Unix, Linux, and macOS but not on Windows. Although there are some interesting features in this system, it operates at the command line and so small business owners and other non-technical users will struggle to get the best out of Fail2Ban. However, it is open source and free to use, so anyone can give it a try.


Pros:

  • Completely Free: Fail2Ban is a completely free tool, making it accessible to users without additional costs.
  • Automatic IP Blocking: Its ability to automatically ban attacking IP addresses enhances security by mitigating threats in real-time.


Cons:

  • No Paid Support: Fail2Ban lacks paid support options, which may limit access to dedicated technical assistance and advanced features.
  • Limited Platform Support: Fail2Ban is available for Unix, Linux, and Mac operating systems only, restricting its deployment options.

RAT programs and examples

There are a number of remote access systems that could have legitimate applications, but are well-known as tools that are mainly used by hackers as part of a Trojan; these are categorized as Remote Access Trojans. The details of the best-known RATs are explained below.

Back Orifice

Back Orifice, which is also referred to as BO, is an American-made RAT that has been around since 1998. This is the granddaddy of RATs and has been refined and adapted by other hacker groups to produce newer RAT systems. The original system exploited a weakness in Windows 98. Later versions that ran on newer Windows operating systems were Back Orifice 2000 and Deep Back Orifice.

This RAT is able to hide within the operating system, which initially makes it difficult to detect. However, nowadays, most antivirus systems have the Back Orifice executable files and occlusion behavior logged in their databases as signatures to look out for. A nice feature of this software is that it has an easy-to-use console that the intruder can use to navigate around the infected system. The remote element can be slipped into a target computer through a Trojan. Once installed, this server program communicates with the client console using standard networking procedures. Back Orifice is known to use port number 21337.


Beast

The Beast RAT attacks Windows systems from Windows 95 up to Windows 10. It uses the same client-server architecture that Back Orifice pioneered, with the server part of the system being the malware that gets installed surreptitiously on the target computer. Once the server element is operational, the hacker can access the victim computer at will through the client program. The client connects to the target computer at port number 6666. The server is also able to open connections back to the client, and that uses port number 9999. Beast was written in 2002 and is still widely in use.


Bifrost

This Trojan begins its infection with the installation of a server builder program. Initially, this program just makes contact with a Command and Control server and waits for instructions. The Trojan infects Windows systems from Windows 95 to Windows 11. However, its capabilities are reduced on Windows versions XP and later.

Once it is triggered, the server builder will set up a server program on the target computer. This enables the hacker, using a corresponding client program, to get access to the compromised machine and execute commands at will. The server software is stored in C:\Windows\Bifrost\server.exe or C:\Program Files\Bifrost\server.exe. This directory and file are hidden, so some anti-virus system checks fail to detect Bifrost.

The server builder does not end its operations once the server has been created. Instead, it operates as a persistence system and will recreate the server in a different location and with a different name if the original server installation is spotted and removed. The server builder also employs rootkit methods to mask server processes and make the operating intrusion system very difficult to detect.

Since Windows Vista, the full destructive capabilities of Bifrost have been slowed down because many of the services that the malware uses require system privileges. However, if a legitimate user is tricked into installing the disguised server builder with system privileges, the Bifrost system can become fully operational and will be very difficult to remove.

Blackshades

Blackshades is an off-the-peg hacking tool that was sold to hackers by its developers for $40 a pop. The FBI estimated that its producers earned a total of $340,000 selling this software. The developers were shut down and arrested in 2012 and a second wave of arrests in 2014 captured more than 100 users of Blackshades. However, there are still copies of the Blackshades system in circulation and it is still in active use. Blackshades targets Microsoft Windows from Windows 95 to Windows 11.

The toolkit includes methods of infection, such as malicious code to embed in websites that trigger installation routines. Other elements propagate the RAT by sending out links to infected web pages. These are sent to the social media contacts of an infected user.

The malware enables a hacker to get access to the target computer’s file system and download and execute files. Uses of the program include botnet functions that get the target computer to launch denial of service attacks. The infected computer can also be used as a proxy server to route hacker traffic and provide identity cover for other hacker activities.

The Blackshades toolkit is very easy to use and enables those who lack technical skills to become hackers. The system can also be used to create ransomware attacks. A second obfuscation program sold alongside Blackshades keeps the program hidden, enables it to relaunch when killed, and evades detection by anti-virus software.

Among attacks and events that have been traced to Blackshades are a 2012 campaign of disruption that targeted Syrian opposition forces.

DarkComet

French hacker Jean-Pierre Lesueur developed DarkComet in 2008, but the system didn’t really proliferate until 2012. This is another hacker system that targets the Windows operating system from Windows 95 up to Windows 11. It has a very easy-to-use interface and enables those without technical skills to perform hacker attacks.

The software enables spying through keylogging, screen capture, and password harvesting. The controlling hacker can also operate the power functions of a remote computer, allowing a computer to be turned on or off remotely. The network functions of an infected computer can also be harnessed to use the computer as a proxy server to channel traffic and mask the hacker’s identity during raids on other computers.

DarkComet came to the cybersecurity community’s attention in 2012 when it was discovered that an African hacker unit was using the system to target the US government and military. At the same time, DarkComet attacks originating in Africa were launched against online gamers.

Lesueur abandoned the project in 2014 when it was discovered that DarkComet was in use by the Syrian government to spy on its citizens. The general populace had taken to employing VPNs and secure chat apps to block government surveillance, so the spyware features of DarkComet enabled the Syrian government to circumvent those security measures.


Mirage

Mirage is the key RAT used by the state-sponsored Chinese hacker group known as APT15. After a very active spying campaign from 2009 to 2015, APT15 suddenly went quiet. Mirage itself was in use by the group from 2012. The detection of a Mirage variant in 2018 signaled that the group was back in action. This new RAT, known as MirageFox, was used to spy on UK government contractors and was discovered in March 2018. Mirage and MirageFox each act as an agent on the infected computer. The Trojan part of the intrusion suite polls a Command and Control address for instructions. Those instructions are then implemented on the victim computer.

The original Mirage RAT was used for attacks on an oil company in the Philippines, the Taiwanese military, a Canadian energy company, and other targets in Brazil, Israel, Nigeria, and Egypt. Mirage and MirageFox get onto target systems through spear-phishing campaigns. These are usually targeted at the executives of a victim company. The Trojan is delivered embedded in a PDF. Opening the PDF causes scripts to execute and they install the RAT. The RAT’s first action is to report back to the Command and Control system with an audit of the infected system’s capabilities. This information includes the CPU speed, memory capacity and utilization, system name and username.

The initial system report makes it seem as though the designers of Mirage made the RAT in order to steal system resources rather than access data on the target system. There is no typical Mirage attack because it seems that each intrusion is tailored towards specific targets. The RAT installation can be presaged by a fact-finding campaign and system checks. For example, the 2018 attack on British military contractor NCC gained access to the system via the company’s authorized VPN service.

The fact that each attack is highly targeted means that a lot of expense is entailed by a Mirage infection. This high cost shows that Mirage attacks usually only aim at high-value targets that the Chinese government wishes to undermine or from which to steal technology.

Dealing with Remote Access Trojan threats

Although much RAT activity appears to be government-directed, the existence of RAT tool-kits makes network intrusion a task that anyone can perform. So, RAT and APT activities are not going to be limited to attacks on the military or high tech companies. Security awareness is key to stopping any security breaches of your networks.

RATs combine with other malware to keep themselves hidden, which means that installing antivirus software on your computers isn’t enough to prevent hackers from controlling your system with these methods. Investigate intrusion detection systems in order to defeat this hacker strategy.

Have you experienced a network intrusion that resulted in damage or loss of data? Have you implemented an intrusion prevention strategy to head off the RAT problem? Leave a message in the Comments section below to share your experiences.

Remote Access Trojans FAQs

Can a Remote Access Trojan be installed to BIOS?

Access to the BIOS has been known to the world’s hackers since 2015. Many believe that the NSA was planting RATs and trackers on BIOS even earlier.

How is a Remote Access Trojan RAT different from a regular Trojan?

A Trojan is a virus that gets onto a victim computer by passing itself off as a legitimate piece of software. A RAT is a Trojan that the hacker can use to gain regular access to the target system.

What is the Sakula Remote Access Trojan RAT?

Sakula is a RAT that is used to intrude on IT systems serving government departments and agencies, healthcare facilities, and other large organizations. Sakula acts as a hacker platform and can facilitate a range of malicious activities, including ransomware attacks.