- Jan 30, 2023
- 113
But you didn't ask the important question: How to get initial access?
So like I said, give me something I can test/run and I will post a video and show you.
Which security programs can detect and stop Metasploit's meterpreter shell?
- Thread starter Victor M
- Start date
But you didn't ask the important question: How to get initial access?
So like I said, give me something I can test/run and I will post a video and show you.
- Dec 23, 2014
- 8,591
We both know that initial access will be blocked in most cases and Meterpreter will not run. But this is prevention, not detection.
But there is no bullet-proof solution. WDAC and other hardening can be bypassed by skillful Blue Team (Red Team) and Meterpreter can be run.
The author of this thread mentioned somewhere that he want to stop the Red Team.
I cannot do such a thing. Meterpreter is used in the attack on the concrete network by using something like Metasploit. So, you can ask a Blue Team to attack your network or perform the attack by yourself.
Last edited:
- Jan 30, 2023
- 113
Well, there you go. Initial access is the most important part and something I usually see a lot of pentesters fail to consider, they just magically think the malware lands on a computer.
It's detection and prevention. You can't prevent something you can't detect. Things can get bulletproof when you use way too many security layers that compromise (think of zero days) of one or two of them at the same time will still keep you protected.
The article I linked to explains it all, it's something I compiled and refined overtime.
Almost all of the APTs successful attacks are the result of a bad administrator and misconfigured systems.
- Dec 23, 2014
- 8,591
That is true for pentesters but not for Blue Teams or Red Teams. WDAC and hardening cannot stop skillful teams.
I can. For example, by disabling macros in documents, I can prevent any malware that would be downloaded and executed by this macro.
WDAC restrictions for scripts can prevent many malware, that could be downloaded and executed.
Of course, if the malware was not downloaded it could not be detected.
Mostly yes, but we have also attacks via exploits. Metasploit can be used in such attacks. It is probable that the author of this thread is in such a situation.
Edit.
I am not sure if our discussion is still on topic and interesting for the readers. Although I like to use/test WDAC and hardening, most users will never touch such solutions.
Anyway, if the author is ready then it would be interesting to see if your tight hardening could stop his Red Team.
Last edited:
hi SpyNetGirl
I was browsing your project on github a few days ago, I was really amazed at the amount of information I read there, Being a girl and doing this on your own is really amazing ( I am surprised because I am a girl too and have never seen this before )
Also, a lot of useful information and things there can be easily understood and are educational in nature, without all of them being complex terms that are difficult for ordinary people to understand
But just out of curiosity, why would you use feminine images, gestures, and symbols (some of them sexy) in a completely technical and complex project?
Treat it as a girl to girl question and I appreciate it if you don't want to answer it in front of everyone or if it's your own thing
For me, I find this discussion useful and I learn some things from it
Thank you and thank you spyNetGirl
- Mar 2, 2023
- 1,153
@Rita I agree with the amount of information that is laid out in an understandable way on SpyNetGirl's GitHub page, and doesn't try to be over our heads. Well done @SpyNetGirl and thank you 
I also bookmarked this thread for a future re-read, as a lot of this is new and insightful to me.
I also bookmarked this thread for a future re-read, as a lot of this is new and insightful to me.
- Sep 2, 2021
- 2,630
Reminds me of CobaltStrike... The file itself is recognized by antivirus engines (Eset calls it Rozena) but if you know how to modify the code (using encryption, XOR etc.), the antivirus won't detect anything, unless it behaves suspiciously...
- Oct 22, 2018
- 591
I also find the information very interesting, and I've read and re-read much of this thread. Being on a Windows 10 Pro, with an old computer that lacks the necessary bits and pieces to run Win 11, I'm reading more to learn than to apply any of the software.
Keep this going. Lots of knowledge being posted.
Keep this going. Lots of knowledge being posted.
- Jan 30, 2023
- 113
Appreciate it @Jonny Quest and @Rita , I'm glad you find them useful ^^
I added some AI generated pics to the readme because someone had said it looked boring as a pure wall of text ^^
I added some AI generated pics to the readme because someone had said it looked boring as a pure wall of text ^^
- Oct 3, 2022
- 645
Do all edition of BitDefender have memory scanning, or only GravityZone editions?
- Feb 7, 2023
- 2,349
Home products have it as well.
- Mar 2, 2023
- 1,153
- Sep 2, 2021
- 2,630
There's also Avast/AVG which could detect this thanks to their behavioral protection (already seen in action when I targeted MSBuilder.exe . Avast reacted with detection)
- Oct 3, 2022
- 645
I have read ( What is Meterpreter ? - Security Wiki ) that meterpreter is a payload which follows on in a exploit. I have tested it many moons ago. And it doesn't require user interaction.
Yes, the red team has penetrated MalwareBytes Anti-exploit potection of apps mentioned in firewall rules. But since I am testing OpenEDR, it comes with Comodo Internet Security, which has Auto Containment. And all unknown exe's and some rarely used Windows exe's like attrib.exe, route.exe and conhost.exe are contained. I have not read that these 3 are LoL bin's, but they may be new undocumented ones. So, with Auto Containment, I am probably safe guarded from them trying to gain persistence. However, my guess is that they are using some reverse shell, and they can still copy documents and delete files without anything hampering them. And even without gaining persistence, they can re-exploit the firewall apps anytime to gain re-entry. OpenEDR also has Data Loss Prevention, but I haven't gotten to that feature yet.
Last edited:
- May 31, 2017
- 1,742
This is true. Anyone remember DoublePulsar / EternalBlue? The PoC utilized Meterpreter, and parsing / blocking the command line for Rundll32 interrupted the attack in its earliest possible stage.
- Apr 9, 2020
- 667
That is true, I read that wrong. But I answered that in 1)
- Feb 7, 2023
- 2,349
I misunderstood one of them as well, it’s from the reading speed
- Dec 23, 2014
- 8,591
You refer to my post where I wrote that your machine was compromised (you mentioned it in another thread). Your machine could be compromised with user interaction or without it. After the machine was compromised, the attacker could apply Meterpreter. If the attacker used Metasploit, then Meterpreter could be applied without user interaction.
If in your test you could run Meterpreter without user interaction then you probably did it by knowing user account credentials or(and) via exploit.
Yes, it is possible when the Red Team can still exploit something in your network/system. Anyway, I never used OpenEDR, so I cannot say how tight are your settings.
- Oct 3, 2022
- 645
You CAN install Windows 11 on older computers. You just have to follow this:
Boot the USB stick
Upon the first screen showing up. press SHIFT-F10, a cmd screen will open.
Start regedit
Find HKLM>System>Setup
New key: LabConfig
New Dword BypassTPMCheck = 1
New Dword BypassRAMCheck = 1
New Dword BypassSecureBootCheck = 1
Close regedit and continue.
