Monday, September 4, 2017

I Smell A RAT – Learning about Poison Ivy – The Capabilities

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this I hope you find it helpful.

In the previous post we looked at the setup of Poison Ivy. In this post we will look at some of its usages. First up, let’s look at the “Information” menu on the left. This produces


Next up, the “Files” menu lists the files which are on the “compromised” system.

The “Registry” menu item shows the “compromised” host’s registry. This can also be interacted with.

The “Process” menu allows for viewing and interacting with the processes currently running on the host.

Similarly, the “compromised” client’s “Services”, “Devices”, “Installed Applications” and “NT/NTLM Hashes” can be seen.

Below, “Active Ports” shows the current “netstat” information.

The “Remote shell” option allows interaction with the “compromised” host’s shell. You first need to right click and choose “activate”. The image below shows interaction with the host’s shell.

The screen below shows the “NT/NTLM hashes” retrieved from the host.

As can be seen in the “Administration” section, there are options to “Edit”, “Share”, “Update”, “Restart” and even “Uninstall” the malicious binary.
