- Oct 3, 2022
- 395
Does anyone know which security programs can detect and stop Metasploit's meterpreter shell ?
Last edited:
Which security programs can detect and stop Metasploit's meterpreter shell?
- Thread starter Victor M
- Start date
- Mar 10, 2023
- 144
I remember in the changelogs that WiseVector was able to stop malware using Meterpreter techniques, but the software is discontinued now.
It seems that MBAE is not protecting against network based exploits, but the topic is old and that may have changed over the years.
forums.malwarebytes.com
Since it is using DLL injection, I am not sure even if Comodo can stop it now (at least with the HIPS module) since "Monitor DLL Injections" was removed in version 5 because it gave a lot of popups. But the Containment should be able to block it:
malwaretips.com
You probably can give OSArmor, Spyshelter, AppGuard a try (and the built-in features in Windows - ask @Andy Ful for more info).
It seems that MBAE is not protecting against network based exploits, but the topic is old and that may have changed over the years.
Meterpreter/Metasploit
Does Malwarebytes detect different variations of meterpreter or other metasploit infections? Would a meterpreter infection be identified as meterpreter or just something generic? Also, what version of malwarebytes started using HIPS? Thanks guys
forums.malwarebytes.com
Since it is using DLL injection, I am not sure even if Comodo can stop it now (at least with the HIPS module) since "Monitor DLL Injections" was removed in version 5 because it gave a lot of popups. But the Containment should be able to block it:
Need Advice - Does Comodo FLS protect from DLL hijacking or process injection?
I disabled HIPS on my CF setup. My only real-time protection is CFs file lookup server and VirusScope. What would happen if a legit program tries to load infected DLL? Does CF protect against it?
malwaretips.com
You probably can give OSArmor, Spyshelter, AppGuard a try (and the built-in features in Windows - ask @Andy Ful for more info).
- Feb 7, 2023
- 1,745
Products with IPS and/or memory content scanning (Kaspersky, Bitdefender, Check Point, Sentinel One, CrowdStrike) will be able to block it more effectively.
- Dec 23, 2014
- 8,167
It is a lot easier to prevent Meterpreter, than trying to detect it. Currently, Meterpreter can use encryption, obfuscation, and execute its payloads filelessly. The AVs can detect many Meterpreter techniques used in the past, but the new techniques applied in Metasploit can bypass detection.
Anyway, If the machine is not yet compromised, then the attacker must convince the user to run the exploit or stager (script, weaponized document, etc.) to load Meterpreter into memory. There are several solutions that can prevent running stagers. It is hard to exploit the machine with Windows 10/11, if the system and software are regularly patched.
Some solutions can block payload delivery by blocking Administrative shares, vulnerable protocols, WebDav connections, LOLBins, etc.
If your machine is already compromised, then you should focus on the persistence method.
Anyway, If the machine is not yet compromised, then the attacker must convince the user to run the exploit or stager (script, weaponized document, etc.) to load Meterpreter into memory. There are several solutions that can prevent running stagers. It is hard to exploit the machine with Windows 10/11, if the system and software are regularly patched.
Some solutions can block payload delivery by blocking Administrative shares, vulnerable protocols, WebDav connections, LOLBins, etc.
If your machine is already compromised, then you should focus on the persistence method.
Last edited:
Does Bitdefender Free have memory content scanning?
- Mar 16, 2019
- 3,640
No, at the moment only available in Bitdefender paid versions.
Some questions:
1. How would you explain memory content scanning, exactly?
2. What is the relationship between memory content scanning and behavior blocking?
3. Is memory content scanning only useful for detecting fileless malware?
4. Is not having memory content scanning a major drawback for an antivirus product?
5. Which major antivirus vendors do not offer memory content scanning capabilities currently?
- Feb 7, 2023
- 1,745
Traditional scanners only get the path of images/modules loaded in memory and then scan them on disk. In cases such as process hollowing and other in-memory threats/manipulations, this is not effective. Memory content scanning scans the actual code and in memory, it is already in its true form, all layers of obfuscation have been peeled.
The two technologies are very different, behavioural blocking monitors the usage of native Windows APIs (calls), file/ registry entries creation and others. For that, it installs kernel drivers and user-mode hooks. There may be some sharing of information between memory scanning and behavioural blocking but vendors are unlikely to disclose this information.
It’s useful for all types of malware where heavy obfuscation is used as other technologies such as static and dynamic analysis are prone to evasion.
I wouldn’t say it’s a major drawback but the product will inevitably be less effective against many types of threats.
Norton, Avast, AVG, Avira (with all AVs based on it) and I am not entirely sure if memory scanning is offered with the Bitdefender SDK. If it is not, then all BD-based AVs except G Data don’t have it.
Post edited as I originally misunderstood one of the questions.
Last edited:
- May 29, 2021
- 384
This I found:
F-Secure Safe is a product that includes both Intrusion Prevention System (IPS) and memory content scanning capabilities. F-Secure Safe is a next-generation firewall and intrusion prevention system that provides advanced threat protection for homes and small businesses. It uses advanced technologies such as machine learning and behavioral analysis to detect and block complex threats, including malware, viruses, trojans, and ransomware.In addition to IPS, F-Secure Safe also includes memory content scanning capabilities that can detect and remove malware and other threats from system memory. This helps to protect against attacks that may have bypassed traditional security controls, such as antivirus software, and ensures that the system is free from infections.F-Secure Safe also provides other advanced features such as:* Advanced Threat Protection: Uses machine learning and behavioral analysis to detect and block complex threats.* URL Filtering: Blocks access to harmful websites and prevents phishing attacks.* Application Control: Allows you to control which applications can access the internet.* Parental Control: Provides web filtering and application blocking to help protect children from inappropriate content.* Vulnerability Management: Identifies and patches vulnerabilities in your system and applications.Overall, F-Secure Safe provides comprehensive protection against cyber threats, including both network-based and memory-based attacks.
F-Secure Safe is a product that includes both Intrusion Prevention System (IPS) and memory content scanning capabilities. F-Secure Safe is a next-generation firewall and intrusion prevention system that provides advanced threat protection for homes and small businesses. It uses advanced technologies such as machine learning and behavioral analysis to detect and block complex threats, including malware, viruses, trojans, and ransomware.In addition to IPS, F-Secure Safe also includes memory content scanning capabilities that can detect and remove malware and other threats from system memory. This helps to protect against attacks that may have bypassed traditional security controls, such as antivirus software, and ensures that the system is free from infections.F-Secure Safe also provides other advanced features such as:* Advanced Threat Protection: Uses machine learning and behavioral analysis to detect and block complex threats.* URL Filtering: Blocks access to harmful websites and prevents phishing attacks.* Application Control: Allows you to control which applications can access the internet.* Parental Control: Provides web filtering and application blocking to help protect children from inappropriate content.* Vulnerability Management: Identifies and patches vulnerabilities in your system and applications.Overall, F-Secure Safe provides comprehensive protection against cyber threats, including both network-based and memory-based attacks.
- Feb 7, 2023
- 1,745
It doesn’t provide IPS for sure and it doesn’t provide memory content scanning unless it’s been developed recently. It also doesn’t have a firewall or application control. ChatGPT is making it up.
- May 29, 2021
- 384
You're probably right, but show me something that's safe, everything can be broken, it's just a matter of time
- Feb 7, 2023
- 1,745
That’s true, but it will be easier to evade products without memory content scanning than products with that. @struppigel is the best person to explain that, maybe he can do a YouTube video on the subject.You're probably right, but show me something that's safe, everything can be broken, it's just a matter of time
- May 29, 2021
- 384
I don't know if this is the same, but on f-secure's website it says this: PFV-Metasploit Summary PFV-Metasploit files are WMF documents containing exploit for Windows WMF SetAbortProc flaw. Removal Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
- Apr 9, 2020
- 656
1. It means scanning parts of the RAM with detection signatures, e.g., the process memory. It has the advantage that the payload is in its unpacked form in memory, so packing is not effective against it. It has the disadvantage that memory scanning is rather bad for performance and can only be done if there is sufficient reason/suspicion to assume that the proces is worth scanning. It also means that the sample may have executed some instructions already at the time of scan -- depending when the process was determined to be suspicious.
2. That depends on the security product. There might be one if the behavior monitor is used to determine suspicious processes, there might also be none. Memory scanning is defnitely not behavior blocking if that is the question.
3. No. Fileless malware resides in the registry. You can actually detect it just by scanning the registry. You do not need memory scanning for that.
4. Depends what else they have. Is not having pants a major drawback for everyone? Some people wear skirts instead. If have you have nothing else to wear, though, it might be an issue.
Similarly some AVs might have, e.g., a very good emulation or generic unpacking techniques to defeat packed malware and do not need memory scanning.
5. ¯\_(ツ)_/¯
- Feb 7, 2023
- 1,745
Metasploit can be sneaked in via many methods, thr WMF exploit if from 2005-2006 and has been patched more than a decade ago. F-Secure provides traditional file and behavioural-based detections against metasploit.
@struppigel , on 3 @likeastar20 means apart from fileless malware, what else can be detected via memory scanning. Not if it is the only technology to block that effectively.
- Dec 23, 2014
- 8,167
This project looks interesting:
github.com
GitHub - DamonMohammadbagher/ETWProcessMon2: ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc.
ETWProcessMon2 is for Monitoring Process/Thread/Memory/Imageloads/TCPIP via ETW + Detection for Remote-Thread-Injection & Payload Detection by VirtualMemAlloc Events (in-memory) etc. - GitHub -...
github.com
- Jan 30, 2023
- 113
Windows will protect against things like that for free without the need for 3rd party programs
github.com
Run the module in few seconds (all categories of course), restart the system, perform your tests
GitHub - HotCakeX/Harden-Windows-Security: Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Personal, Ente
Harden Windows Safely, Securely using Official Supported Microsoft methods and proper explanation | Always up-to-date and works with the latest build of Windows | Provides tools and Guides for Pers...
github.com
Run the module in few seconds (all categories of course), restart the system, perform your tests
- Dec 23, 2014
- 8,167
Probably yes (in most cases). There are several solutions that can prevent such attacks by blocking the Meterpreter stagers.
But (for the record) they will not detect Meterpreter.
- Jan 30, 2023
- 113
Solutions needed is there in the GitHub repo, they are detected and blocked.
There is also Microsoft Sentinel for extreme visibility.
Also suggest reading this post: Harden-Windows-Security/Rationale.md at main · HotCakeX/Harden-Windows-Security
Edit: Give me a PoC and I will run it on a hardened environment while recording a video, it will be for the record
Last edited:
- Dec 23, 2014
- 8,167
Interesting. I have some questions:
How do you know that the in-memory DLL injection is related to Meterpreter and not to another malware?
Which part of your solution detects reflective DLL loading? If I correctly remember, WDAC cannot cover all such techniques.
Did you test your solution against Meterpreter attacks started with exploits?
Similar threads
