Mr. Robot Cleaning House at E-Corp

Share and earn Cybytes
Facebook Twitter LinkedIn Email

The second episode of Mr. Robot finds Elliot starting his new job at E-Corp. As he joins his new team and is looking to find a way to delay the shipment of all the paper data to New York facility, Elliott runs into the normal corporate middle management delays. He quickly realizes his first obstacle, William the Technology Manager, is up to no good and is deploying Rootkits on phones and selling the personal data collected. To circumvent this first obstacle, Elliot breaks out a good tool called theHarvester, and then promptly calls the feds. Watch out Evil Corp, Elliot is cleaning house, while trying to delay the stage two attack.


During a pentest, the security professionals go through a reconnaissance phase where data on the target is collected. Having used theHarvester a few times myself, I found that time spent collecting subdomains, email and SHODAN results helps to really understand vantage points into the target for exploitation. In  this episode, Elliot uses the tail command to view the results of theHarvester and get his manager’s password. He reads the email and identifies that his manager is using rootkits on the mobile devices. Elliot promptly notifies the feds. E-Corp may not be Evil for long.



Rootkits on mobile devices, laptops, servers and other types of assets are often hidden very well within the OS, thus making their discovery challenging, to say the least.™ has very advanced technology developed in a series of plugins to detect Malicious Processes, Malicious Content, Malicious File Detection and support for Yara. By using the plugins and Yara rules shown below, you can search your network for the rootkits or other malicious software.

  • 52670|Web Site Links to Malicious Content
  • 59275|Malicious Process Detection
  • 59641|Malicious Process Detection: Potentially Unwanted Software
  • 64687|Malicious Process Detection: APT1 Software Running
  • 64788|Malicious Process Detection: Malware Signed By Stolen Bit9 Certificate
  • 65548|Malicious Process Detection: User Defined Malware Running
  • 71024|Web Site Hosting Malicious Binaries
  • 71261|Linux Malicious Process Detection
  • 71263|Mac OS X Malicious Process Detection
  • 88958|Malicious File Detection: APT1 Software on System
  • 88959|Malicious File Detection: Malware Signed By Stolen Bit9 Certificate
  • 88960|Malicious File Detection: Invalid Directories
  • 88961|Malicious File Detection
  • 88962|Malicious File Detection: User Defined Malware
  • 88963|Malicious File Detection: Potentially Unwanted Software
  • 91223|Malicious Process Detection: User Defined Malware Running (Linux)
  • 91224|Malicious Process Detection: User Defined Malware Running (Mac OS X)
  • 91990|Malicious File Detection Using Yara

By searching for three terms “Malicious File, Malicious Process, and Hosting Malicious,” you can easily locate all the plugins which provide indications of rootkits in your network.  

Search Filter

In my test data, you can see I have one system I need to investigate. The plugins will return files and URLs to help you better understand and defend against the malware or rootkit.  

Malicious Results

Modern Attack Surface

The detection of rootkits was difficult when confined to managed devices, but now that the modern IT landscape consists of web apps, containers, cloud instances and IoT, the ability to detect rootlets becomes even more challenging. is the first Cyber Exposure platform to provide you with holistic visibility across your modern attack surface, allowing you to detect rootkits or other malicious software on your network. Start a free 60-day trial of for your organization today.

Share this post and earn Cybytes
Facebook Twitter LinkedIn Email
About Tenable
Tenable™, Inc. is the Cyber Exposure company. Over 24,000 organizations of all sizes around the globe rely on Tenable to manage and measure their modern attack surface to accurately understand and reduce cyber risk. As the creator of Nessus®, Tenable built its platform from the ground up to deeply understand assets, networks and vulnerabilities, extending this knowledge and expertise into™ to deliver the world’s first platform to provide live visibility into any asset on any computing platform. Tenable customers include over 50 percent of the Fortune 500, large government agencies and organizations across the private and public sectors. Learn more at
Promoted Content
Five Steps to Building a Successful Vulnerability Management Program
Is your vulnerability management program struggling? Despite proven technology solutions and the best efforts of IT teams, unresolved vulnerabilities remain an ongoing source of friction and frustration in many organizations. Regardless of how many vulnerabilities are fixed, there will always be vulnerabilities that can’t easily be remediated – and too often, finger-pointing between IT teams and business groups can ensue.

Our Revolution

We believe Cyber Security training should be free, for everyone, FOREVER. Everyone, everywhere, deserves the OPPORTUNITY to learn, begin and grow a career in this fascinating field. Therefore, Cybrary is a free community where people, companies and training come together to give everyone the ability to collaborate in an open source way that is revolutionizing the cyber security educational experience.

Cybrary On The Go

Get the Cybrary app for Android for online and offline viewing of our lessons.

Get it on Google Play

Support Cybrary

Donate Here to Get This Month's Donor Badge

Skip to toolbar

We recommend always using caution when following any link

Are you sure you want to continue?