sklevtsov, posted November 18, 2022

Hello, colleagues,

We recently had several suspicious detections on ESET Endpoint Antivirus. From what I see in the logs, it seems that the webserver is already compromised and is trying to access or elevate access from the webserver (10.15.144.21, random port 50000+) to k8s (10.12.80.100 on port 80). We conducted a full scan with ESET - no detections. We analyzed network connections and processes for suspicious activity and didn't find anything. Could this be a false positive? Or is it just a blocked outside attack that somehow appears as an elevation attempt from inside? Attaching the detections.
itman, posted November 18, 2022 (edited)

Based on what I am seeing, a Meterpreter stager (https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/) is installed on the server. Whereas Meterpreter is a legitimate penetration test tool, it is often used by malware creators for nefarious purposes. If the Meterpreter stager process has not been intentionally installed on the server, it needs to be removed.

Edited November 18, 2022 by itman
itman, posted November 19, 2022 (edited)

This also might be informative:

Quote: "Once attackers gain access to a server, one of their first steps is to understand the privilege and the environment they have access to by using built-in reconnaissance commands that are not typically used by web applications. An IIS instance (w3wp.exe) running commands like 'net', 'whoami', 'dir', 'cmd.exe', or 'query', to name a few, is typically a strong early indicator of web shell activity. IIS servers have built-in management tools used by administrators to perform various maintenance tasks. These platforms surface various PowerShell cmdlets that can expose critical information to the attackers. IIS instances (w3wp.exe) that host various web-facing client services such as Outlook on the web (formerly known as Outlook Web App or OWA) or Exchange admin center (EAC; formerly known as the Exchange Control Panel or ECP) accessing the management platform or executing below cmdlets is a suspicious activity and signifies a hands-on-keyboard attack."
Source: https://argonsys.com/microsoft-cloud/library/web-shell-attacks-continue-to-rise/

One possible scenario is that w3wp.exe is running cmd.exe to connect to the attacker's C&C server, which in turn downloads the Meterpreter stager process.

Edited November 19, 2022 by itman
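The indicator quoted above (the IIS worker process w3wp.exe spawning reconnaissance commands) can be turned into a simple detection over process-creation telemetry. The script below is an added example written for this thread; it is not ESET's detection logic and not code from the quoted article. It assumes a constructed, simplified Sysmon-style log format of one `pid=... ppid=... image=... cmdline=...` line per event, and it flags recon binaries whose parent chain (not only the direct parent) leads back to w3wp.exe, so `w3wp.exe -> cmd.exe -> whoami.exe` is caught as well.

```python
import re
from collections import namedtuple
from typing import Dict, Iterable, List, Tuple

# Constructed sample of process-creation events (Sysmon Event ID 1 style, simplified to
# one key=value line per event). These lines are invented for the example, not taken
# from the forum post or from any real host.
SAMPLE_EVENTS = [
    r"pid=4120 ppid=812 image=C:\Windows\System32\inetsrv\w3wp.exe cmdline=w3wp.exe -ap DefaultAppPool",
    r"pid=5204 ppid=4120 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c whoami",
    r"pid=5210 ppid=5204 image=C:\Windows\System32\whoami.exe cmdline=whoami",
    r"pid=5300 ppid=4120 image=C:\Windows\System32\net.exe cmdline=net user",
    r"pid=6000 ppid=812 image=C:\Windows\System32\svchost.exe cmdline=svchost.exe -k netsvcs",
    r"pid=6100 ppid=6000 image=C:\Windows\System32\cmd.exe cmdline=cmd.exe /c dir",
    r"pid=7000 ppid=4120 image=C:\Windows\System32\conhost.exe cmdline=conhost.exe 0x4",
    "this line is not a process event and is skipped",
]

Event = namedtuple("Event", "pid ppid image cmdline")
EVENT_RE = re.compile(r"pid=(\d+) ppid=(\d+) image=(\S+) cmdline=(.*)")

# IIS worker process; an ancestor in this set marks the child as web-server spawned.
WEB_WORKERS = {"w3wp.exe"}
# Reconnaissance / shell binaries the quoted article calls out as atypical for a web app.
RECON_IMAGES = {"cmd.exe", "net.exe", "net1.exe", "whoami.exe", "query.exe", "powershell.exe"}
# 'dir' is a cmd.exe builtin, so it only shows up in a command line, never as an image.
RECON_CMDLINE = re.compile(r"\b(dir|net|whoami|query)\b", re.IGNORECASE)


def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_events(lines: Iterable[str]) -> Dict[int, Event]:
    """Parse key=value event lines into a pid -> Event map; malformed lines are skipped."""
    events: Dict[int, Event] = {}
    for line in lines:
        m = EVENT_RE.match(line.strip())
        if not m:
            continue
        pid, ppid, image, cmdline = m.groups()
        events[int(pid)] = Event(int(pid), int(ppid), image, cmdline)
    return events


def spawned_by_web_worker(pid: int, events: Dict[int, Event], max_depth: int = 8) -> bool:
    """Walk the parent chain upward (bounded, so cyclic or bad data cannot hang the loop)."""
    current = events[pid].ppid
    for _ in range(max_depth):
        parent = events.get(current)
        if parent is None:          # parent not in our telemetry window
            return False
        if basename(parent.image) in WEB_WORKERS:
            return True
        current = parent.ppid
    return False


def find_web_shell_indicators(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (pid, image name, command line) for recon commands that descend from w3wp.exe."""
    events = parse_events(lines)
    hits: List[Tuple[int, str, str]] = []
    for pid, ev in events.items():
        name = basename(ev.image)
        looks_like_recon = name in RECON_IMAGES or RECON_CMDLINE.search(ev.cmdline) is not None
        if looks_like_recon and spawned_by_web_worker(pid, events):
            hits.append((pid, name, ev.cmdline))
    return hits


if __name__ == "__main__":
    for pid, name, cmdline in find_web_shell_indicators(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} {name} spawned under w3wp.exe: {cmdline}")
```

On the sample data this reports the cmd.exe, whoami.exe and net.exe events under w3wp.exe and ignores the identical `cmd.exe /c dir` under svchost.exe, which is the point of anchoring the rule on the parent chain rather than on the command alone. In a real deployment the event lines would come from Sysmon or EDR telemetry and the allow/deny sets would be tuned to what the application is actually expected to spawn.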
itman, posted November 19, 2022

Another point to note is that Metasploit and Meterpreter work "hand in hand" to compromise a targeted device. The primary criterion is that a vulnerability exists. Once the attacker has identified that the vulnerability exists, he deploys Metasploit on his attack server and selects the appropriate vulnerability. Metasploit then sets up and deploys the appropriate attack vector for Meterpreter to exploit the vulnerability. Bottom line - the first thing that needs to be done is to ensure your web server is fully patched with the latest Windows updates.
sklevtsov (thread author), posted November 22, 2022

@itman Thanks a lot for the responses!

@Marcos Is there a place where we can look up how exactly ESET detects this indicator, Win32/RiskWare.Meterpreter.Q? Which patterns or signatures does ESET look for in traffic? From what we checked, we see no anomalies or suspicious activities on the VM; we also conducted a full scan with ESET. It seems like a false positive; however, we cannot pinpoint it. Our app could in some cases send requests like these; however, they surely do not include Meterpreter, shell, etc.
itman, posted November 22, 2022

Quote (sklevtsov, 8 hours ago): "we also conducted a full scan with ESET."

This won't detect anything, since Meterpreter resides entirely in memory. Here's a good forensic analysis of a Metasploit attack: https://spaceraccoon.dev/imposter-alert-extracting-and-reversing-metasploit-payloads-flare-on-2020/ . Again, note the vulnerability/exploit references.