
Tips for an Information Security Analyst/Pentester career - Ep. 52: Meterpreter detection (pt. 2)

Resuming from where we left off in the first part, we can now move further with our analysis.


Windows Event logs analysis

By filtering the Security log by Critical, Warning and Error entries, I could find an interesting event (ID 1116), related to a Trojan horse detection.

No alert had popped up, though, and this is because Microsoft Security Essentials was stopped, as shown by another event.

Within the filter window, you'll notice an XML tab.

Filtering event logs with PowerShell 


By copying the XML code found before, we can leverage PowerShell to return all the events matching that XML code and redirect them to an output file.

Now, this isn't very beneficial in this specific case, with only 5 such events, but think of big corporate environments where you have to sift through hundreds of thousands of events.

That would definitely give you an edge.
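The PowerShell step described above, as an added example that is not part of the original post: the XML query has the same shape Event Viewer shows in its XML tab, but the provider name, log name, look-back window and output path below are assumptions (placeholders to be replaced with the values from your own XML tab); only the event ID 1116 comes from the post.

```powershell
# Added example (not from the original post). Filters the event log with an
# XML query like the one copied from Event Viewer and writes the matches to a file.
# Assumptions: $LogName, $Provider, $Hours and $OutFile are placeholder values.

function Get-DetectionEvents {
    param(
        [string]$LogName  = 'Security',              # log filtered in the post
        [int]   $EventId  = 1116,                    # Trojan detection event ID from the post
        [string]$Provider = 'Microsoft Antimalware', # assumed provider name for MSE
        [int]   $Hours    = 24,                      # look-back window (assumed)
        [string]$OutFile  = "$env:TEMP\mse_detections.csv"
    )

    # timediff() works in milliseconds relative to "now"; '<' must be XML-escaped.
    $ms = $Hours * 3600 * 1000
    $query = @"
<QueryList>
  <Query Id="0" Path="$LogName">
    <Select Path="$LogName">
      *[System[Provider[@Name='$Provider'] and (EventID=$EventId)
        and TimeCreated[timediff(@SystemTime) &lt;= $ms]]]
    </Select>
  </Query>
</QueryList>
"@

    # Get-WinEvent throws a terminating error when nothing matches; treat that
    # as an empty result so the script can run unattended (e.g. scheduled).
    $events = Get-WinEvent -FilterXml $query -ErrorAction SilentlyContinue

    if (-not $events) {
        Write-Host "No events with ID $EventId in '$LogName' during the last $Hours h."
        return
    }

    # Keep only the fields an analyst needs for triage, oldest first, and export.
    $events |
        Select-Object TimeCreated, Id, ProviderName, MachineName, Message |
        Sort-Object TimeCreated |
        Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

    Write-Host "$(@($events).Count) event(s) written to $OutFile"
    $events
}

# Usage: run in an elevated PowerShell (reading the Security log needs admin rights).
Get-DetectionEvents
```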


Snort signatures

I found some signatures related to several security threats online, including Meterpreter signatures.

After downloading them, I extracted only the rules related to Meterpreter, through the command cat emerging-all.rules | grep -i Meterpreter > meterpreter_rules

Then I installed Snort in a second Kali Linux VM (2017 v 2) and attacked Windows 7 with my Kali 2017 v 3 VM.

All I could get was a potentially bad traffic alert. 

I think I need better rules for that.


I'll try yet more advanced stuff in the upcoming post, so stay tuned!

External sources 
