Tips for an Information Security Analyst/Pentester career - Ep. 53: Meterpreter detection (pt. 3)
Let's now continue our analysis of a system compromised by a Meterpreter payload.
Forensic tools
I created a memory dump with OS Forensics and I analyzed it in combination with Volatility.
By copying the Windows standalone executable, available here, to the OS Forensics folder, it is possible to use Volatility inside OS Forensics, as explained in this tutorial.
However, the Volatility analysis didn't reveal anything suspicious going on (more details in the embedded video).
Detection tools
As explained in the previous part, neither MS Security Essentials nor other tools had detected anything suspicious, even though I knew there was a payload in memory (I created it!!).
Therefore, I used a different detection tool, along with ESET Online Antivirus Scanner.
I had migrated to a system process, after my previous exploit, so I was stealthy.
I wanted to see, though, what happened with these two tools when I first hacked into the system, and they both rose to the occasion.
The Meterpreter Payload Detection tool found my payload in memory, and so did ESET.
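As an added illustration (not code from the post, from Volatility or from the detection tools named above), here is a minimal malfind-style heuristic a defender could run over memory regions already parsed out of a dump: it flags a PE header sitting in private, writable-and-executable memory and the presence of strings associated with Meterpreter's in-memory DLL. The `Region` structure, the sample regions and the indicator list (`metsrv`, `ReflectiveLoader`) are assumptions for this example.

```python
from dataclasses import dataclass

@dataclass
class Region:
    """One memory region as a dump parser might report it (constructed shape)."""
    base: int
    protect: str      # e.g. "PAGE_EXECUTE_READWRITE"
    mapped_file: str  # "" when the memory is private (not backed by a file on disk)
    data: bytes

# Assumed indicators (not from the original post): strings commonly present in
# Meterpreter's reflectively loaded DLL. Treat them as examples, not a full list.
INDICATORS = [b"metsrv", b"ReflectiveLoader"]

def suspicious(r: Region) -> list:
    """Return the reasons a region looks like injected code (empty list = clean)."""
    reasons = []
    rwx = r.protect == "PAGE_EXECUTE_READWRITE"
    # A PE image that was loaded normally is file-backed; an "MZ" header in
    # private RWX memory is the classic sign of a reflectively loaded payload.
    if r.mapped_file == "" and rwx and r.data[:2] == b"MZ":
        reasons.append("PE header in private RWX memory")
    for ind in INDICATORS:
        if ind in r.data:
            reasons.append(f"indicator string {ind.decode()}")
    return reasons

def scan(regions) -> dict:
    """Map region base address (hex) to its reasons, for regions that hit."""
    hits = {}
    for r in regions:
        reasons = suspicious(r)
        if reasons:
            hits[hex(r.base)] = reasons
    return hits

def sample_regions() -> list:
    """Constructed sample: one legitimate file-backed image, one injected blob."""
    clean = Region(0x7FF600000000, "PAGE_EXECUTE_READ",
                   r"C:\Windows\System32\kernel32.dll", b"MZ" + b"\x90" * 64)
    injected = Region(0x1A2B0000, "PAGE_EXECUTE_READWRITE", "",
                      b"MZ" + b"\x00" * 60 + b"ReflectiveLoader\x00metsrv.dll\x00")
    return [clean, injected]

if __name__ == "__main__":
    for base, reasons in scan(sample_regions()).items():
        print(base, "->", "; ".join(reasons))
```

A real scan would take the regions from a dump parser rather than constructing them; the point is that the detection relies on memory properties, not on a file on disk, which is why the disk-oriented scanners in the previous part saw nothing.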
Evasion
I also used Veil to add another layer of evasion to my payload, but both tools detected it just the same.
I had also killed my previously opened Meterpreter sessions, in order to understand how successful my attack would be.
Every time Meterpreter tried to open a new session, Meterpreter Payload Detection blocked the reverse connection and I couldn't pop a shell.
Metasploit simply hung and froze there.
Extremely frustrating for an attacker/red teamer, but surely good news for a defender/blue teamer.
Wrap-up
As this post and the two previous ones highlight, defenders have to be on top of the attacking techniques for them to recognize certain patterns and signatures and successfully block the attack. It's a cat and mouse game.
Defenders try to move the cheese around and attackers try to find a way to go around traps and steal the cheese.
I'll probably come back to this topic with more in-depth posts, but feel free to comment and provide any feedback you feel is appropriate and helpful.
Of course, malware can become much more sophisticated and dangerous than that.
I'd recommend checking out this very good webinar on AV evasion from Black Hills Cyber Security for more ideas about this topic (no, John Strand didn't pay me for this; I only happen to deeply respect him and his company).