Serious Discussion Which security programs can detect and stop Metasploit's meterpreter shell?

B-boy/StyLe/

Level 3
Verified
Well-known
Mar 10, 2023
147
I remember in the changelogs that WiseVector was able to stop malware using Meterpreter techniques, but the software is discontinued now.

4. Improved Memory Protection to detect RAT trojans that abuse legitimate processes to hide their malicious implants, such as Gh0st, Meterpreter and CobaltStrike.

It seems that MBAE is not protecting against network-based exploits, but the topic is old and that may have changed over the years.


Since it is using DLL injection, I am not sure even if Comodo can stop it now (at least with the HIPS module) since "Monitor DLL Injections" was removed in version 5 because it gave a lot of popups. But the Containment should be able to block it:


You probably can give OSArmor, Spyshelter, AppGuard a try (and the built-in features in Windows - ask @Andy Ful for more info). :)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,380
It is a lot easier to prevent Meterpreter than to detect it. Currently, Meterpreter can use encryption, obfuscation, and execute its payloads filelessly. The AVs can detect many Meterpreter techniques used in the past, but the new techniques applied in Metasploit can bypass detection.

Anyway, if the machine is not yet compromised, then the attacker must convince the user to run the exploit or stager (script, weaponized document, etc.) to load Meterpreter into memory. There are several solutions that can prevent running stagers. It is hard to exploit the machine with Windows 10/11 if the system and software are regularly patched.
Some solutions can block payload delivery by blocking Administrative shares, vulnerable protocols, WebDav connections, LOLBins, etc.
If your machine is already compromised, then you should focus on the persistence method. (y)
 

likeastar20

Level 9
Verified
Mar 24, 2016
410
No, at the moment only available in Bitdefender paid versions.
Some questions:

1. How would you explain memory content scanning, exactly?

2. What is the relationship between memory content scanning and behavior blocking?

3. Is memory content scanning only useful for detecting fileless malware?

4. Is not having memory content scanning a major drawback for an antivirus product?

5. Which major antivirus vendors do not offer memory content scanning capabilities currently?
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,355
How would you explain memory content scanning, exactly?
Traditional scanners only get the path of images/modules loaded in memory and then scan them on disk. In cases such as process hollowing and other in-memory threats/manipulations, this is not effective. Memory content scanning scans the actual code in memory, where it is already in its true form; all layers of obfuscation have been peeled.

What is the relationship between memory content scanning and behavior blocking?
The two technologies are very different: behavioural blocking monitors the usage of native Windows APIs (calls), file/registry entry creation and others. For that, it installs kernel drivers and user-mode hooks. There may be some sharing of information between memory scanning and behavioural blocking, but vendors are unlikely to disclose this information.

Is memory content scanning only useful for detecting fileless malware?
It’s useful for all types of malware where heavy obfuscation is used as other technologies such as static and dynamic analysis are prone to evasion.

Is not having memory content scanning a major drawback for an antivirus product?
I wouldn’t say it’s a major drawback but the product will inevitably be less effective against many types of threats.


Which major antivirus vendors do not offer memory content scanning capabilities currently?
Norton, Avast, AVG, Avira (with all AVs based on it) and I am not entirely sure if memory scanning is offered with the Bitdefender SDK. If it is not, then all BD-based AVs except G Data don’t have it.

Post edited as I originally misunderstood one of the questions.
 

franz

Level 9
Verified
Well-known
May 29, 2021
423
This I found:

F-Secure Safe is a product that includes both Intrusion Prevention System (IPS) and memory content scanning capabilities. F-Secure Safe is a next-generation firewall and intrusion prevention system that provides advanced threat protection for homes and small businesses. It uses advanced technologies such as machine learning and behavioral analysis to detect and block complex threats, including malware, viruses, trojans, and ransomware.

In addition to IPS, F-Secure Safe also includes memory content scanning capabilities that can detect and remove malware and other threats from system memory. This helps to protect against attacks that may have bypassed traditional security controls, such as antivirus software, and ensures that the system is free from infections.

F-Secure Safe also provides other advanced features such as:
* Advanced Threat Protection: Uses machine learning and behavioral analysis to detect and block complex threats.
* URL Filtering: Blocks access to harmful websites and prevents phishing attacks.
* Application Control: Allows you to control which applications can access the internet.
* Parental Control: Provides web filtering and application blocking to help protect children from inappropriate content.
* Vulnerability Management: Identifies and patches vulnerabilities in your system and applications.

Overall, F-Secure Safe provides comprehensive protection against cyber threats, including both network-based and memory-based attacks.
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,355
This I found:

F-Secure Safe is a product that includes both Intrusion Prevention System (IPS) and memory content scanning capabilities. [...]
It doesn’t provide IPS for sure and it doesn’t provide memory content scanning unless it’s been developed recently. It also doesn’t have a firewall or application control. ChatGPT is making it up.
 

franz

Level 9
Verified
Well-known
May 29, 2021
423
That’s true, but it will be easier to evade products without memory content scanning than products with that. @struppigel is the best person to explain that, maybe he can do a YouTube video on the subject.
I don't know if this is the same, but on F-Secure's website it says this: PFV-Metasploit Summary: PFV-Metasploit files are WMF documents containing an exploit for the Windows WMF SetAbortProc flaw. Removal: Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
 

struppigel

Super Moderator
Verified
Staff Member
Well-known
Apr 9, 2020
667
Some questions:

1. How would you explain memory content scanning, exactly?

2. What is the relationship between memory content scanning and behavior blocking?

3. Is memory content scanning only useful for detecting fileless malware?

4. Is not having memory content scanning a major drawback for an antivirus product?

5. Which major antivirus vendors do not offer memory content scanning capabilities currently?

1. It means scanning parts of the RAM with detection signatures, e.g., the process memory. It has the advantage that the payload is in its unpacked form in memory, so packing is not effective against it. It has the disadvantage that memory scanning is rather bad for performance and can only be done if there is sufficient reason/suspicion to assume that the process is worth scanning. It also means that the sample may have executed some instructions already at the time of the scan -- depending on when the process was determined to be suspicious.

2. That depends on the security product. There might be one if the behavior monitor is used to determine suspicious processes, there might also be none. Memory scanning is definitely not behavior blocking if that is the question.

3. No. Fileless malware resides in the registry. You can actually detect it just by scanning the registry. You do not need memory scanning for that.

4. Depends what else they have. Is not having pants a major drawback for everyone? Some people wear skirts instead. If you have nothing else to wear, though, it might be an issue.
Similarly some AVs might have, e.g., a very good emulation or generic unpacking techniques to defeat packed malware and do not need memory scanning.

5. ¯\_(ツ)_/¯
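The point Trident and struppigel both make above (a scanner that reads module files from disk sees the packed form or a clean host file, while a memory content scan sees the unpacked bytes) as a toy simulation. This is an added example, not code from the thread or from any vendor; the "payload" is a harmless marker string, the "packer" is a one-byte XOR, and the module paths and signature are constructed placeholders.

```python
"""Toy model of disk-based scanning versus memory content scanning.

All data is constructed: the payload is a harmless marker string and the
packer is a single-byte XOR standing in for real obfuscation layers.
"""
import re

# Constructed signature standing in for a real detection rule.
SIGNATURE = re.compile(rb"PAYLOAD_MARKER_v1")


def xor(data: bytes, key: int) -> bytes:
    """Toy packer/unpacker: applying it twice restores the original bytes."""
    return bytes(b ^ key for b in data)


def signature_hit(buffer: bytes) -> bool:
    return SIGNATURE.search(buffer) is not None


def traditional_scan(process: dict) -> list:
    """Traditional approach: take each loaded module's path, scan the file on disk."""
    return [m["path"] for m in process["modules"] if signature_hit(m["file_on_disk"])]


def memory_content_scan(process: dict) -> list:
    """Memory content scan: read the bytes actually mapped in the live process."""
    hits = [m["path"] for m in process["modules"] if signature_hit(m["mapped_bytes"])]
    hits += [name for name, data in process["private_regions"].items() if signature_hit(data)]
    return hits


def build_process() -> dict:
    """Constructed process state: a packed dropper plus a hollowed host process."""
    payload = b"...PAYLOAD_MARKER_v1..."
    packed = b"STUB" + xor(payload, 0x5A)   # what the dropper looks like on disk
    clean_host = b"MZ benign host program"  # what the hollowed host looks like on disk
    return {
        "modules": [
            # Packed dropper: file and mapped image are identical and still packed.
            {"path": r"C:\Users\demo\dropper.exe", "file_on_disk": packed, "mapped_bytes": packed},
            # Hollowed host: the disk file is clean, but its mapped image was replaced.
            {"path": r"C:\Windows\System32\host.exe", "file_on_disk": clean_host, "mapped_bytes": payload},
        ],
        # Heap region the stub decoded the payload into at run time.
        "private_regions": {"heap": xor(packed[4:], 0x5A)},
    }
```

`traditional_scan` returns no hits for this process, while `memory_content_scan` flags both the hollowed host image and the decoded heap region, which is also why such a scan only pays off once something else has marked the process as suspicious.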
 

Trident

Level 34
Verified
Top Poster
Well-known
Feb 7, 2023
2,355
I don't know if this is the same, but on F-Secure's website it says this: PFV-Metasploit Summary: PFV-Metasploit files are WMF documents containing an exploit for the Windows WMF SetAbortProc flaw. Removal: Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.
Metasploit can be sneaked in via many methods; the WMF exploit is from 2005-2006 and was patched more than a decade ago. F-Secure provides traditional file- and behaviour-based detections against Metasploit.

@struppigel , on 3 @likeastar20 means apart from fileless malware, what else can be detected via memory scanning. Not if it is the only technology to block that effectively.
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
Windows will protect against things like that for free without the need for 3rd party programs


Run the module in a few seconds (all categories, of course), restart the system, perform your tests.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,380
Windows will protect against things like that for free without the need for 3rd party programs

Probably yes (in most cases). There are several solutions that can prevent such attacks by blocking the Meterpreter stagers.
But (for the record) they will not detect Meterpreter.
 

SpyNetGirl

Level 3
Well-known
Jan 30, 2023
113
Probably yes (in most cases). There are several solutions that can prevent such attacks by blocking the Meterpreter stagers.
But (for the record) they will not detect Meterpreter.

The solutions needed are there in the GitHub repo; they are detected and blocked.

There is also Microsoft Sentinel for extreme visibility.

Also suggest reading this post: Harden-Windows-Security/Rationale.md at main · HotCakeX/Harden-Windows-Security

Edit: Give me a PoC and I will run it on a hardened environment while recording a video, it will be for the record ;)
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,380
The solutions needed are there in the GitHub repo; they are detected and blocked.
Interesting. I have some questions:
How do you know that the in-memory DLL injection is related to Meterpreter and not to another malware?
Which part of your solution detects reflective DLL loading? If I correctly remember, WDAC cannot cover all such techniques.
Did you test your solution against Meterpreter attacks started with exploits?
 
