Meterpreter/Metasploit detection


Louis Bernardo

Jul 20, 2018, 4:11:08 AM
to Wazuh mailing list
Hi All,

I am busy testing the solution for efficacy in detecting targeted attacks with Metasploit and Meterpreter payloads. It seems my default Windows agent doesn't do port listening checking but the Linux manager agent does (and other Linux agents I have deployed).

Any advice for avenues of detection for attacks such as these? I was considering sysmon at one point but it generates way too much noise to even spot the malicious traffic.

Cheers,

Louis

rafael...@wazuh.com

Jul 20, 2018, 11:19:20 AM
to Wazuh mailing list
Hi Louis,

You can output the ports that a Windows agent has opened by adding this to the agent's ossec.conf file:

  <localfile>
    <log_format>full_command</log_format>
    <command>netstat -a</command>
  </localfile>

In the manager's ossec.conf, activate the <logall> option. This feature will write all the data received to the /var/ossec/logs/archives/archives.log file.

Restart the manager and the agent.

Best regards.
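One way to turn the netstat output collected this way into a concrete check, added here as an example that is not part of the thread or of Wazuh: it parses Windows "netstat -a" lines (a constructed sample is embedded) and reports listening TCP ports that are absent from a hypothetical per-host baseline, which is the kind of diff the original question is after.

```python
import re

# Constructed sample of Windows "netstat -a" output, the text the full_command
# localfile above ships to the manager. Port 4444 is simply a port absent from
# the baseline below; the sample is not real agent output.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.5:49712      192.168.1.9:443        ESTABLISHED
  TCP    [::]:135               [::]:0                 LISTENING
  UDP    0.0.0.0:123            *:*
"""

# Hypothetical baseline: TCP ports this host is expected to listen on.
BASELINE_LISTENING = {135, 445, 3389}

# One socket line: proto, local, foreign, and an optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_netstat(text):
    """Return (proto, local_addr, local_port, foreign, state) tuples.

    Header and blank lines do not match LINE_RE and are skipped. rpartition
    on ':' keeps IPv6 literals such as '[::]' intact.
    """
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, foreign, state = m.groups()
        addr, _, port = local.rpartition(":")
        rows.append((proto, addr, int(port), foreign, state or ""))
    return rows


def unexpected_listeners(text, baseline=BASELINE_LISTENING):
    """Listening TCP ports that are not in the baseline, sorted."""
    ports = {port for proto, _, port, _, state in parse_netstat(text)
             if proto == "TCP" and state == "LISTENING"}
    return sorted(ports - set(baseline))


if __name__ == "__main__":
    print("unexpected listening ports:", unexpected_listeners(SAMPLE_NETSTAT))
```

The baseline would be built per host from a known-good snapshot; anything the check returns is a candidate for an alert rather than proof of a Meterpreter listener.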

Louis Bernardo

Jul 22, 2018, 10:21:03 AM
to Wazuh mailing list
Thanks Rafael,

Will start with this. Will post back if I find a method of detecting Meterpreter consistently.

L