In this 2nd part of our 3-part video series, we show how ECAT provides a detailed analysis of an endpoint infected by the DarkComet RAT. In the first post we showed how to create your own malware with DarkComet and take full control of a target machine without triggering AV detection.
In this latest video, we show how ECAT flags the machine as compromised by detecting mismatches between live memory and the corresponding files on disk, analyzing network traffic, finding suspicious Windows hooks and floating code, and more. Each analyzed component is assigned a suspect level, and cumulatively we can see that the overall Machine Suspect Level (MSL) rises from 0 (clean) before the infection to 97 (bad!) afterwards. A console operator running ECAT with the agent deployed on the desktops would be alerted as soon as ECAT completed a scan of a machine compromised in this manner. Stay tuned for Part 3 in our series, where we’ll show how to use ECAT for remote forensic data gathering and remediation.
Silicium Security has been acquired by EMC and is now part of RSA, The Security Division of EMC. Find more details here. The ECAT team is based in Quebec, Canada. For more information about ECAT Advanced Malware Detection, email us at firstname.lastname@example.org or get our full contact details here. You can stay updated by subscribing to our newsletter or our blog.