Monday, September 4, 2017

I Smell A RAT – Learning about Poison Ivy – The Capabilities

In this series of posts, I’m continuing the Open Security Training materials, with this set of posts being more focused on the Malware Analysis class.

You may find reviewing the material from Open Security more beneficial. However, if you do choose to stick with this I hope you find it helpful.

In the previous post we looked at the setup of Poison Ivy. In this post we will look at some of its uses. First up, let’s look at the “Information” menu on the left. This produces 


Next up, the “Files” menu lists the files present on the “compromised” system.


The “Registry” menu item shows the “compromised” host’s registry. This can also be interacted with.

The “Process” menu allows viewing of, and interaction with, the processes currently running on the host.


Similarly, the “compromised” client’s “Services”, “Devices”, “Installed Applications” and “NT/NTLM Hashes” can be seen.

Below, the “Active Ports” view shows the host’s current “netstat” information (listening ports and active connections).

The “Remote shell” option allows interaction with the “compromised” host’s shell. You first need to right-click and choose “activate”. The image below shows interaction with the host’s shell.

The screen below shows the “NT/NTLM hashes” retrieved from the host.


As can be seen in the “Administration” section, there are options to “Edit”, “Share”, “Update”, “Restart” and even “Uninstall” the malicious binary on the host.



