
Latest ESET products not detecting apt tools



I get that as well.  Trust me, I completely know and understand how to strengthen security.  That is my Blue Team's job.  On the Red Team, my goal is to emulate threat actors and processes.  In this case, again, very generic attacks were undetected from the client level.  Other segments using other solutions detected these items and stopped them during or before runtime.


I am going to make one final comment and it's in regard to Metasploit.

Its legitimate use is to find system vulnerabilities. It's used illegitimately by attackers to exploit those vulnerabilities. It is universally agreed upon in the security community that one's best protection against being exploited is to apply all OS and software patches as soon as they are made available.

There will always be software vulnerabilities and a 0-day to exploit an unknown one. Thankfully these are rare occurrences, as evidenced by their $100K plus price tag on the dark web.

GitHub has a good article on Metasploit here: https://github.com/rapid7/metasploit-framework/wiki/How-to-use-a-Metasploit-module-appropriately :

Quote

What conditions the server must meet in order to be exploitable: Quite often, a vulnerability requires multiple conditions to be exploitable. In some cases you can rely on the exploit's check command, because when Metasploit flags something as vulnerable, it actually exploited the bug.

As far as Next Gen protection against a 0-day exploit, I say it is no better than conventional AV solutions. This is simply because their AI engines have not been sufficiently "tuned" to recognize the new behavior being used. However, there are solutions like Cylance that will throw alerts on anything it hasn't seen run before, regardless of whether the behavior is malicious or not.

Even a whitelisting anti-exec solution isn't 100% effective since a trusted "forgotten" system utility process can be deployed as recent attack history has illustrated.


Metasploit was not used to exploit vulnerabilities. Neither was the Metasploit "check" module. MSFVenom was used to compile payloads. The payload was not Meterpreter, it was a reverse TCP shell that could be caught by netcat (nc).
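The thread contrasts signature-based detection of the payload file with the runtime detection that other segments reported. As an added illustration (not code from the thread, from ESET, or from any of the posters), the script below shows the kind of behavioural correlation a runtime layer can apply to process telemetry: a process that opens an outbound network connection and then spawns an interactive shell is the observable footprint of the reverse TCP shell described above, independent of how the payload was built. The events, process names, addresses and the 60-second window are constructed sample data modelled loosely on Sysmon event IDs 1 (process create) and 3 (network connect); they are assumptions, not telemetry from the original report.

```python
"""Behavioural correlation over constructed process/network telemetry.

Added example, not from the original forum thread. Flags a parent process
that made an outbound connection and shortly afterwards spawned a shell,
which is the runtime footprint of a reverse TCP shell regardless of which
tool compiled the payload. All data below is constructed sample input.
"""
from collections import defaultdict

# Constructed Sysmon-style records (assumed field names, not real logs).
# event_id 1 = process create, event_id 3 = network connection.
SAMPLE_EVENTS = [
    {"event_id": 1, "ts": 1, "pid": 100, "ppid": 1,
     "image": "C:\\Windows\\explorer.exe"},
    # Suspicious chain: downloaded binary connects out, then launches cmd.exe
    {"event_id": 1, "ts": 2, "pid": 200, "ppid": 100,
     "image": "C:\\Users\\user\\Downloads\\update.exe"},
    {"event_id": 3, "ts": 3, "pid": 200,
     "dst_ip": "198.51.100.7", "dst_port": 4444},
    {"event_id": 1, "ts": 4, "pid": 300, "ppid": 200,
     "image": "C:\\Windows\\System32\\cmd.exe"},
    # Benign: a browser that connects out but never spawns a shell
    {"event_id": 1, "ts": 5, "pid": 400, "ppid": 100,
     "image": "C:\\Program Files\\Browser\\browser.exe"},
    {"event_id": 3, "ts": 6, "pid": 400,
     "dst_ip": "203.0.113.5", "dst_port": 443},
    # Benign: a shell opened by the user with no prior outbound connection
    {"event_id": 1, "ts": 7, "pid": 500, "ppid": 100,
     "image": "C:\\Windows\\System32\\cmd.exe"},
]

# Interactive shells worth correlating (assumed list; extend per environment).
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "sh", "bash"}


def basename(path):
    """Return the lowercase file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def find_reverse_shell_candidates(events, window=60):
    """Correlate network-connect and process-create events.

    Returns one alert per shell whose parent opened an outbound connection
    within `window` seconds before the shell started. Events are processed in
    timestamp order so a connection is only matched to later process creates.
    """
    connections = defaultdict(list)  # pid -> [(ts, dst_ip, dst_port)]
    images = {}                      # pid -> image path
    alerts = []
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["event_id"] == 3:
            connections[e["pid"]].append((e["ts"], e["dst_ip"], e["dst_port"]))
            continue
        if e["event_id"] != 1:
            continue
        images[e["pid"]] = e["image"]
        if basename(e["image"]) not in SHELL_IMAGES:
            continue
        for conn_ts, dst_ip, dst_port in connections.get(e["ppid"], []):
            if 0 <= e["ts"] - conn_ts <= window:
                alerts.append({
                    "parent_pid": e["ppid"],
                    "parent_image": images.get(e["ppid"], "<unknown>"),
                    "child_pid": e["pid"],
                    "child_image": e["image"],
                    "dst": f"{dst_ip}:{dst_port}",
                    "delay_s": e["ts"] - conn_ts,
                })
                break  # one alert per shell is enough
    return alerts


if __name__ == "__main__":
    for alert in find_reverse_shell_candidates(SAMPLE_EVENTS):
        print("possible reverse shell:", alert)
```

Only the update.exe chain produces an alert; the browser (connects out, no shell) and the user-launched cmd.exe (shell, no prior connection from its parent) are left alone. The point of the correlation is that it keys on the sequence of behaviours rather than on anything the file itself looks like, which is why a payload that slips past static scanning can still be stopped during runtime.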
