some notes

Process Discovery

pspy

pspy is a good tool for process discovery. It is important to know which binary you need for your target. Using the wrong version not only wastes time, it also increases the footprint of your actions and thus the chance of being discovered by the blue team.

To find out the architecture of the system, use the uname command with the --machine flag (short form: -m).

Select the Binary

SSH into the target: ssh student@server

Check the architecture with uname -m. The output is x86_64, so the target server is 64-bit and you can use the 64-bit binary.

Check the presence of the libc library with ldconfig --print-cache.

Inspecting the output, we can see the line libc.so.6 (libc6,x86-64, OS ABI: Linux 3.2.0) => /lib/x86_64-linux-gnu/libc.so.6, which indicates that libc is present on the target. Therefore, we can use the small version.

Choose the binary: you need to upload pspy64s to /home/student/ on server.

Run the following command from desktop: scp ~/Desktop/tools/pspy64s student@server:/home/student/pspy64s

We can use tee for logging, for example: command | tee out.txt
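
The binary selection steps above (uname -m, then the libc check in the ldconfig cache) can be written as one function. This is an added example, not part of the original notes or of pspy itself; the function name select_pspy and the sample cache lines are constructed, and the pspy32, pspy32s and pspy64 names follow pspy's release naming rather than anything in these notes.

```shell
#!/bin/sh
# Added example: choose a pspy build from `uname -m` and `ldconfig --print-cache` output.
# On a live host: select_pspy "$(uname -m)" "$(ldconfig --print-cache)"

select_pspy() {
    arch=$1    # output of `uname -m`
    cache=$2   # output of `ldconfig --print-cache`
    case "$arch" in
        # pat matches the ABI tag that ldconfig prints for a libc of that word size
        x86_64|amd64)        bits=64; pat='libc6,x86-64[,)]' ;;
        i386|i486|i586|i686) bits=32; pat='libc6(\)|, )' ;;
        # This sketch only maps x86 values; anything else is reported, not guessed.
        *) echo "architecture not handled here: $arch" >&2; return 1 ;;
    esac
    # The small build is only chosen when libc.so.6 is listed for the same word size.
    # A 32-bit-only libc on a 64-bit host, or no libc.so.6 entry at all (empty cache,
    # non-glibc system), falls back to the large build.
    if printf '%s\n' "$cache" | grep -Eq "^[[:space:]]*libc\.so\.6 \(${pat}"; then
        echo "pspy${bits}s"
    else
        echo "pspy${bits}"
    fi
}

# Constructed sample cache output (not captured from a real host).
SAMPLE_LIBC64=$(printf '\tlibcap.so.2 (libc6,x86-64) => /lib/x86_64-linux-gnu/libcap.so.2\n\tlibc.so.6 (libc6,x86-64, OS ABI: Linux 3.2.0) => /lib/x86_64-linux-gnu/libc.so.6')
SAMPLE_LIBC32=$(printf '\tlibc.so.6 (libc6, OS ABI: Linux 3.2.0) => /lib/i386-linux-gnu/libc.so.6')

select_pspy x86_64 "$SAMPLE_LIBC64"   # the case from the notes
select_pspy x86_64 "$SAMPLE_LIBC32"   # 64-bit host, only a 32-bit libc listed
select_pspy i686   "$SAMPLE_LIBC32"   # 32-bit host with libc
```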