
Finding Metasploit’s Meterpreter Traces with Memory Forensics


Metasploit Framework is very popular not only among pentesters but also, quite often, among real adversaries. So why is memory forensics so important here? Because Meterpreter, Metasploit's advanced, dynamically extensible payload, resides entirely in memory and writes nothing to the victim's drive. In this article we will show you how to use the Volatility Framework to find Metasploit's traces with memory forensics.

As we are analyzing a memory image, first of all we should gather information about the operating system to choose the right Volatility profile. If you ask us, the best practice here is to document the OS version during the memory imaging process, as Volatility does not always detect it correctly. Anyway, if you got the memory image from a third party and the OS version is unknown, use the imageinfo plugin:

So this time Volatility guessed the OS version right: it really was Windows 7 x86 with SP1. OK, let's look at the process list using the pslist plugin:

Do you see anything potentially malicious? What about the process with PID 3000? Hmm, probably the user started an antivirus update? But the strange thing is that this process exited 42 seconds after it started. Let's go further and look at network connections using the netscan plugin:

Ouch, an unknown process established a connection to 192.168.1.39:4444. If you don't know, 4444 is the default port Metasploit payloads connect back to. As Meterpreter injects itself into a compromised process, let's try to find it using the malfind plugin:

It seems Meterpreter migrated to svchost.exe with PID 3312. Let's dump it to a file and check whether it's detected by antivirus engines:

Wait, wha-a-a-a-at?! Only joking, it’s not that bad:

Anyway, it's not detected by many popular antiviruses, like McAfee, Malwarebytes, DrWeb, etc. Shame on them!

If you like using YARA rules for malware detection, you can write your own rule or find rules online, and use the yarascan plugin:

In this example we used a simple rule we wrote ourselves:

rule Oh_No_Its_Meterpreter
{
    meta:
        author = "0136"
        description = "Oh no, it's the Meterpreter!"
    strings:
        $a = { 6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72 }
        $b = "stdapi_" ascii nocase

    condition:
        $a and $b
}
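To see what the rule above actually looks for, here is an added example (not part of the original article and not Volatility's own code) that decodes the $a hex string and re-implements the rule's "$a and $b" condition in pure Python, so you can check a dumped memory region for these two strings and report their offsets without a YARA install. The memory regions below are constructed for illustration, not real dumps.

```python
# Added example (not from the original article): a pure-Python re-implementation
# of the Oh_No_Its_Meterpreter rule's logic, so the two strings and the
# "$a and $b" condition can be checked against a dumped memory region without
# a YARA install. The sample buffers below are constructed for illustration.
import re

# $a from the rule, as the YARA hex string body; $b is "stdapi_" ascii nocase.
YARA_HEX_A = "6D 65 74 73 72 76 2E 64 6C 6C 00 00 52 65 66 6C 65 63 74 69 76 65 4C 6F 61 64 65 72"
PATTERN_B = re.compile(rb"stdapi_", re.IGNORECASE)


def hex_string_to_bytes(hex_string: str) -> bytes:
    """Turn a YARA hex string body ("6D 65 ...") into raw bytes."""
    return bytes.fromhex(hex_string.replace(" ", ""))


# Decodes to b"metsrv.dll\x00\x00ReflectiveLoader": the Meterpreter server DLL
# name followed by the exported name of its reflective loader.
PATTERN_A = hex_string_to_bytes(YARA_HEX_A)


def find_all(data: bytes, needle: bytes) -> list:
    """Offsets of every (possibly overlapping) occurrence of needle in data."""
    hits, start = [], data.find(needle)
    while start != -1:
        hits.append(start)
        start = data.find(needle, start + 1)
    return hits


def scan_region(data: bytes) -> dict:
    """Evaluate the rule over one memory region; both strings must be present."""
    a_hits = find_all(data, PATTERN_A)
    b_hits = [m.start() for m in PATTERN_B.finditer(data)]
    return {"matched": bool(a_hits) and bool(b_hits),
            "a_offsets": a_hits, "b_offsets": b_hits}


# Constructed sample regions (not real memory dumps):
SUSPECT_REGION = (b"\x00" * 16 + b"metsrv.dll\x00\x00ReflectiveLoader" + b"\x00" * 8
                  + b"STDAPI_fs_ls\x00stdapi_sys_process_execute\x00")
BENIGN_REGION = b"stdapi_" + b"A" * 40  # $b alone must not fire the rule

if __name__ == "__main__":
    for name, region in (("suspect", SUSPECT_REGION), ("benign", BENIGN_REGION)):
        print(name, scan_region(region))
```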

So it seems that everything started with running that process with PID 3000. If we go back to the pslist output, we see that the only web browser running is Internet Explorer (iexplore.exe, PIDs 2568 and 2640). Let's check the browsing history using the iehistory plugin:

Bingo! The victim downloaded antivirus_update.exe from the server with the IP address we have already seen! But what made him or her do it? Let's dump the memory of Internet Explorer's processes with the memdump plugin and search for the string "antivirus":

OK, as you can see, the attacker used social engineering and a shortened link to trick the victim. So the victim downloaded the file and ran it, the attacker got a Meterpreter session and migrated it to svchost.exe (PID 3312).

But did the victim really run it? Let's find evidence of execution! First of all, let's use the shimcache plugin: the Shim Cache is used to track compatibility issues with executed programs and may contain the evidence we are looking for:

Yes, we got it! Let's go further and do some Registry forensics by running the userassist plugin:

Wow! Two times! Our victim isn't very smart! What else can be used to get evidence of execution? Prefetch files, for example. Yes, you can find these pieces of evidence in memory too; Volatility even has a plugin for it, prefetchparser.

Unfortunately, prefetching was disabled on our victim's system, so we didn't get any evidence from it.

OK, we have gathered quite a lot, but there is one more thing to check: persistence! There is a very nice plugin to detect the most common persistence techniques used by adversaries, autoruns:

As you can see, our victim doesn't have to run the "Antivirus Update" anymore; it will be started automatically with each reboot. That's it.

Happy forensicating!

About the authors

Oleg Skulkin, GCFA, MCFE, ACE, is a DFIR enthusional (enthusiast + professional), Windows Forensics Cookbook and Practical Mobile Forensics co-author.

Igor Mikhaylov, MCFE, EnCE, ACE, OSFCE, is a digital forensic examiner with more than 20 years of experience and Mobile Forensics Cookbook author.
