In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class. You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this, I hope you find it helpful.
In the previous post we looked at the setup of Poison Ivy. In this post we will look at some of its usages.

First up, let’s look at the “Information” menu on the left. This produces
Next up, the “Files” menu lists the files which are on the “compromised” system.
The “Registry” menu item shows the “compromised” host’s registry. This can also be interacted with.
The “Process” menu allows for viewing and interacting with the processes currently running on the host.
Similarly, the “compromised” client’s “Services”, “Devices”, “Installed Applications” and “NT/NTLM Hashes” can be seen.
Below, “Active Ports” shows the current “netstat” information.
The “Remote shell” option allows interaction with the “compromised” host’s shell. You first need to right click and choose “activate”. The image below shows interaction with the host’s shell.
As can be seen in the “Administration” section, there are options to “Edit”, “Share”, “Update”, “Restart” and even “Uninstall” the malicious binary.
References:
Open Security Training – Malware Class
POISON IVY: Assessing Damage and Extracting Intelligence
iTrust Consulting - APT1: technical backstage