
RiskWare.Meterpreter.Q false positive or potential compromise?



Hello, colleagues, 

We recently had several suspicious detections on ESET Endpoint antivirus.

From what I see in the logs, it seems that the webserver is already compromised and is trying to access or elevate access from the webserver (10.15.144.21, random port 50000+) to k8s (10.12.80.100 on port 80).

We conducted a full scan with ESET - no detections. We analyzed network connections and processes for suspicious activity and didn't find anything.

Could this be a false positive? Or is it just a blocked outside attack that somehow appears as an elevation attempt from inside?

Attaching the detections


Based on what I am seeing, Meterpreter: https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/ stager is installed on the server. Whereas Meterpreter is a legit penetration test tool, it is often used by malware creators for nefarious purposes. 

If Meterpreter stager process has not been intentionally installed on the server, it needs to be removed.

Edited by itman

This also might be informative:

Quote

Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications. IIS instance (w3wp.exe) running commands like ‘net’, ‘whoami’, ‘dir’, ‘cmd.exe’, or ‘query’, to name a few, is typically a strong early indicator of web shell activity.

IIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to the attackers. IIS instances (w3wp.exe) that host various web-facing client services such as Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP) accessing the management platform or executing below cmdlets is a suspicious activity and signifies a hands-on-keyboard attack.

https://argonsys.com/microsoft-cloud/library/web-shell-attacks-continue-to-rise/

One possible scenario is w3wp.exe is running cmd.exe to connect to the attacker's C&C server, which in turn downloads the Meterpreter stager process.

Edited by itman
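The parent/child indicator the quoted article describes (w3wp.exe spawning reconnaissance commands) can be checked directly against process-creation telemetry. The following is an added example, not code from the thread or from ESET; the events are constructed in a Sysmon Event ID 1 style and the field names are assumptions.

```python
"""Flag IIS worker processes (w3wp.exe) that spawn reconnaissance commands."""
import re
from typing import Iterable

# Built-in tools the quoted article names as rare for web applications but
# common for hands-on-keyboard reconnaissance after a web shell lands.
RECON_IMAGES = {"cmd.exe", "net.exe", "net1.exe", "whoami.exe", "query.exe", "powershell.exe"}
# 'dir' is a cmd.exe built-in, so it only ever appears in the command line.
RECON_BUILTINS = re.compile(
    r"(?<![\w-])(dir|whoami|net\s+(user|group|localgroup)|query\s+\w+)\b", re.I)

def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_suspicious(event: dict) -> bool:
    """True when w3wp.exe is the parent and the child is a recon command."""
    if _basename(event.get("ParentImage", "")) != "w3wp.exe":
        return False
    image = _basename(event.get("Image", ""))
    return image in RECON_IMAGES or bool(RECON_BUILTINS.search(event.get("CommandLine", "")))

def triage(events: Iterable[dict]) -> list[str]:
    """Return one alert line per suspicious event, in input order."""
    return [f"ALERT host={e['Computer']} parent=w3wp.exe child={_basename(e['Image'])} "
            f"cmd={e['CommandLine']!r}" for e in events if is_suspicious(e)]

# Constructed sample events (not telemetry from the thread).
SAMPLE_EVENTS = [
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c whoami /priv"},
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net localgroup administrators"},
    # Benign: an ASP.NET app pool compiling pages with csc.exe is normal IIS behaviour
    # and a common false-positive source for naive "w3wp.exe spawned a child" rules.
    {"Computer": "web01", "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "Image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe",
     "CommandLine": "csc.exe /noconfig"},
    # Benign: whoami run from an admin's interactive session, not from IIS.
    {"Computer": "web01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\whoami.exe", "CommandLine": "whoami"},
]

if __name__ == "__main__":
    for line in triage(SAMPLE_EVENTS):
        print(line)
```

Only the two events where the IIS worker itself launched cmd.exe or net.exe are flagged; the compiler child and the interactive whoami are left alone.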

Another point to note is Metasploit and Meterpreter work "hand in hand" to compromise a targeted device. The primary criterion is that a vulnerability exists.

Once the attacker has identified the vulnerability exists, he deploys Metasploit on his attack server and selects the appropriate vulnerability. Metasploit then sets up and deploys the appropriate attack vector for Meterpreter to exploit the vulnerability.

Bottom line - the first thing that needs to be done is to ensure your web server is fully patched with the latest Win updates.


@itman Thanks a lot for the responses! @Marcos Is there a place where we can look up how exactly ESET detects this indicator Win32/RiskWare.Meterpreter.Q? Which patterns or signatures does ESET look for in traffic?

From what we checked we see no anomalies or suspicious activities on the VM; we also conducted a full scan with ESET. It seems like a false positive, however we cannot pinpoint it.

Our app could in some cases send requests like these, however, they surely do not include Meterpreter, shell, etc.

8 hours ago, sklevtsov said:

we also conducted a full scan with ESET.

This won't detect anything since Meterpreter resides entirely in memory.

Here's a good forensic analysis of a Metasploit attack: https://spaceraccoon.dev/imposter-alert-extracting-and-reversing-metasploit-payloads-flare-on-2020/ . Again note the vulnerability/exploit references.
