
Detecting Metasploit

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Metasploit is an open-source penetration testing framework widely used by both cybersecurity specialists and attackers to identify vulnerabilities on target networks and exploit them for various purposes. It is maintained by Rapid7 and provides tools and exploits to conduct penetration tests and security assessments.

Impact:

It can be used by adversaries in the following ways:

  • Privilege escalation on compromised systems
  • Brute force
  • Lateral movement
  • Data Exfiltration

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the Audit Process Creation audit policy, and enabling command line auditing so that the full command line is recorded in each process creation event.

Relevant MITRE ATT&CK techniques and tactics:

Software

Criteria:

((Command line contains msfvenom) OR (Command line contains msfconsole) OR (Command line contains msfd) OR (Command line contains msfelfscan) OR (Command line contains msfrpc))

'msfvenom' - A tool used by attackers to generate malicious payloads.

'msfconsole' - The interactive interface of Metasploit, which can be used to execute exploits.

'msfd' - The Metasploit daemon; it exposes msfconsole over a network socket, allowing attackers to execute malicious commands on the target's system.

'msfelfscan' - Used by attackers to scan executable (ELF) files on victim systems.

'msfrpc' - The Remote Procedure Call (RPC) interface of Metasploit, which lets attackers drive the framework from external services and tools.
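The criteria above are five substring checks against the command line of each process creation event. The following added example (not part of this rule page or of any vendor product) implements that logic in Python and runs it over a handful of constructed events shaped like Sysmon Event ID 1 / Security 4688 fields. It also shows the one behaviour of a plain "contains" operator a detection engineer should be aware of: the 'msfd' clause also fires on any longer name that embeds it (the constructed 'msfdb init' event below), so an optional whole-word mode is included for comparison. Host names, user names and command lines are made up for the example.

```python
import re
from dataclasses import dataclass

# The five process names listed in the rule's criteria ("Command line contains ...").
METASPLOIT_TOKENS = ("msfvenom", "msfconsole", "msfd", "msfelfscan", "msfrpc")

# Whole-word variant of the same criteria: a token must be delimited by
# non-word characters, so "msfdb" no longer satisfies the "msfd" clause.
_STRICT = re.compile(r"\b(" + "|".join(METASPLOIT_TOKENS) + r")\b", re.IGNORECASE)


def matches_rule(command_line: str, strict: bool = False) -> list:
    """Return the rule tokens found in a process command line, in criteria order.

    strict=False mirrors a SIEM "contains" operator: case-insensitive substring
    match, exactly as the criteria are written.
    strict=True requires whole-word matches, trading a little recall for fewer
    substring hits (note that it would also stop matching e.g. "msfrpcd").
    """
    if strict:
        found = {m.lower() for m in _STRICT.findall(command_line)}
        return [t for t in METASPLOIT_TOKENS if t in found]
    lowered = command_line.lower()
    return [t for t in METASPLOIT_TOKENS if t in lowered]


@dataclass
class Alert:
    computer: str
    user: str
    command_line: str
    matched: list


def run_rule(events, strict: bool = False) -> list:
    """Evaluate the rule over process creation events and return one Alert per hit."""
    alerts = []
    for ev in events:
        hit = matches_rule(ev.get("CommandLine", ""), strict=strict)
        if hit:
            alerts.append(Alert(ev.get("Computer", "?"), ev.get("User", "?"),
                                ev["CommandLine"], hit))
    return alerts


# Constructed sample events (hypothetical hosts, users and command lines), using
# the field names Sysmon Event ID 1 emits for process creation.
SAMPLE_EVENTS = [
    {"Computer": "WKS-017", "User": "CORP\\jdoe",
     "CommandLine": "C:\\metasploit\\bin\\ruby.exe msfvenom --list formats"},
    {"Computer": "WKS-017", "User": "CORP\\jdoe",
     "CommandLine": "C:\\metasploit\\bin\\msfconsole.bat -q"},
    # "msfdb" is matched only because it contains the substring "msfd".
    {"Computer": "SRV-DB01", "User": "CORP\\svc_backup",
     "CommandLine": "msfdb init"},
    {"Computer": "WKS-022", "User": "CORP\\asmith",
     "CommandLine": "C:\\Windows\\System32\\notepad.exe report.txt"},
]


if __name__ == "__main__":
    for mode in (False, True):
        print(f"strict={mode}")
        for a in run_rule(SAMPLE_EVENTS, strict=mode):
            print(f"  {a.computer} {a.user}: {a.matched} <- {a.command_line}")
```

Running the block prints three alerts in substring mode (the two Metasploit launches plus the 'msfdb' event) and two in whole-word mode. Whichever mode is chosen, the alert should carry the host, user and full command line so that triage (see Next steps below) can immediately tell an authorized assessment from an unexpected execution.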

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

PR.PS-05: Installation and execution of unauthorized software are prevented

When this rule is triggered, you're notified that Metasploit (Rapid7) tools are being run within the network to conduct penetration testing or security assessments. This enables you to take prompt action by executing workflows to stop the malicious process and put stronger access control measures in place.

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you're notified that the Metasploit framework is being used within the network. This enables you to take prompt action by executing workflows to stop the malicious process and put stronger access control measures in place.

Known false positives: Metasploit is also used by cybersecurity professionals and ethical hackers to assess the security posture of organizations, so authorized penetration tests will trigger this rule as well.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Identify the alert as a new incident or within an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to comprehend the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to cease the malicious process.
  • Network Traffic Analysis: Monitor and analyze the network traffic for identifying the signatures and patterns associated with Metasploit such as anomalous traffic on SMB ports.