SYMBOLCOMMON_NAMEaka. SYNONYMS
win.meterpreter (Back to overview)

Meterpreter

There is no description at this point.

References
2022-10-03Check PointMarc Salinas Fernandez
@online{fernandez:20221003:bumblebee:25732bf, author = {Marc Salinas Fernandez}, title = {{Bumblebee: increasing its capacity and evolving its TTPs}}, date = {2022-10-03}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/bumblebee-increasing-its-capacity-and-evolving-its-ttps/}, language = {English}, urldate = {2022-10-07} } Bumblebee: increasing its capacity and evolving its TTPs
BumbleBee Cobalt Strike Meterpreter Sliver Vidar
2022-09-26The DFIR ReportThe DFIR Report
@online{report:20220926:bumblebee:bce1e92, author = {The DFIR Report}, title = {{BumbleBee: Round Two}}, date = {2022-09-26}, organization = {The DFIR Report}, url = {https://thedfirreport.com/2022/09/26/bumblebee-round-two/}, language = {English}, urldate = {2022-10-04} } BumbleBee: Round Two
BumbleBee Cobalt Strike Meterpreter
2022-09-14CybereasonDerrick Masters, Loïc Castel
@online{masters:20220914:threat:5694e61, author = {Derrick Masters and Loïc Castel}, title = {{THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence}}, date = {2022-09-14}, organization = {Cybereason}, url = {https://www.cybereason.com/blog/threat-analysis-report-abusing-notepad-plugins-for-evasion-and-persistence}, language = {English}, urldate = {2022-09-19} } THREAT ANALYSIS REPORT: Abusing Notepad++ Plugins for Evasion and Persistence
Meterpreter
2022-09-06Check PointCheck Point Research
@online{research:20220906:dangeroussavanna:5bec8b7, author = {Check Point Research}, title = {{DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa}}, date = {2022-09-06}, organization = {Check Point}, url = {https://research.checkpoint.com/2022/dangeroussavanna-two-year-long-campaign-targets-financial-institutions-in-french-speaking-africa/}, language = {English}, urldate = {2022-09-07} } DangerousSavanna: Two-year long campaign targets financial institutions in French-speaking Africa
AsyncRAT Meterpreter PoshC2 DangerousSavanna
2022-08-30ProofpointMichael Raggi, Sveva Vittoria Scenarelli, PWC UK
@online{raggi:20220830:rising:650b12e, author = {Michael Raggi and Sveva Vittoria Scenarelli and PWC UK}, title = {{Rising Tide: Chasing the Currents of Espionage in the South China Sea}}, date = {2022-08-30}, organization = {Proofpoint}, url = {https://www.proofpoint.com/us/blog/threat-insight/chasing-currents-espionage-south-china-sea}, language = {English}, urldate = {2022-08-31} } Rising Tide: Chasing the Currents of Espionage in the South China Sea
scanbox Meterpreter APT40
2022-08-18SophosSean Gallagher
@online{gallagher:20220818:cookie:74bd0f5, author = {Sean Gallagher}, title = {{Cookie stealing: the new perimeter bypass}}, date = {2022-08-18}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2022/08/18/cookie-stealing-the-new-perimeter-bypass}, language = {English}, urldate = {2022-08-22} } Cookie stealing: the new perimeter bypass
Cobalt Strike Meterpreter MimiKatz Phoenix Keylogger Quasar RAT
2022-07-18Palo Alto Networks Unit 42Unit 42
@online{42:20220718:obscure:28a0051, author = {Unit 42}, title = {{Obscure Serpens}}, date = {2022-07-18}, organization = {Palo Alto Networks Unit 42}, url = {https://unit42.paloaltonetworks.com/atoms/obscureserpens/}, language = {English}, urldate = {2022-07-29} } Obscure Serpens
Cobalt Strike Empire Downloader Meterpreter MimiKatz DarkHydrus
2022-07-07IBMOle Villadsen, Charlotte Hammond, Kat Weinberger
@online{villadsen:20220707:unprecedented:d0a6add, author = {Ole Villadsen and Charlotte Hammond and Kat Weinberger}, title = {{Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine}}, date = {2022-07-07}, organization = {IBM}, url = {https://securityintelligence.com/posts/trickbot-group-systematically-attacking-ukraine}, language = {English}, urldate = {2022-07-12} } Unprecedented Shift: The Trickbot Group is Systematically Attacking Ukraine
AnchorMail BumbleBee Cobalt Strike IcedID Meterpreter
2022-06-01ElasticDaniel Stepanic, Derek Ditch, Seth Goodwin, Salim Bitam, Andrew Pease
@online{stepanic:20220601:cuba:333f7c1, author = {Daniel Stepanic and Derek Ditch and Seth Goodwin and Salim Bitam and Andrew Pease}, title = {{CUBA Ransomware Campaign Analysis}}, date = {2022-06-01}, organization = {Elastic}, url = {https://www.elastic.co/security-labs/cuba-ransomware-campaign-analysis}, language = {English}, urldate = {2022-06-09} } CUBA Ransomware Campaign Analysis
Cobalt Strike Cuba Meterpreter MimiKatz SystemBC
2022-05-05Cisco TalosJung soo An, Asheer Malhotra, Justin Thattil, Aliza Berk, Kendall McKay
@online{an:20220505:mustang:cbc06e9, author = {Jung soo An and Asheer Malhotra and Justin Thattil and Aliza Berk and Kendall McKay}, title = {{Mustang Panda deploys a new wave of malware targeting Europe}}, date = {2022-05-05}, organization = {Cisco Talos}, url = {https://blog.talosintelligence.com/2022/05/mustang-panda-targets-europe.html}, language = {English}, urldate = {2022-05-05} } Mustang Panda deploys a new wave of malware targeting Europe
Cobalt Strike Meterpreter PlugX
2022-04-26Trend MicroRyan Flores, Stephen Hilt, Lord Alfred Remorin
@online{flores:20220426:how:28d9476, author = {Ryan Flores and Stephen Hilt and Lord Alfred Remorin}, title = {{How Cybercriminals Abuse Cloud Tunneling Services}}, date = {2022-04-26}, organization = {Trend Micro}, url = {https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/how-cybercriminals-abuse-cloud-tunneling-services}, language = {English}, urldate = {2022-05-03} } How Cybercriminals Abuse Cloud Tunneling Services
AsyncRAT Cobalt Strike DarkComet Meterpreter Nanocore RAT
2022-01-25CynetOrion Threat Research and Intelligence Team
@online{team:20220125:threats:5269cbc, author = {Orion Threat Research and Intelligence Team}, title = {{Threats Looming Over the Horizon}}, date = {2022-01-25}, organization = {Cynet}, url = {https://www.cynet.com/attack-techniques-hands-on/threats-looming-over-the-horizon/}, language = {English}, urldate = {2022-01-28} } Threats Looming Over the Horizon
Cobalt Strike Meterpreter NightSky
2021-12-20Bleeping ComputerLawrence Abrams
@online{abrams:20211220:log4j:1a80230, author = {Lawrence Abrams}, title = {{Log4j vulnerability now used to install Dridex banking malware}}, date = {2021-12-20}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/log4j-vulnerability-now-used-to-install-dridex-banking-malware/}, language = {English}, urldate = {2021-12-21} } Log4j vulnerability now used to install Dridex banking malware
DoppelDridex Meterpreter
2021-09-16LumenBlack Lotus Labs
@online{labs:20210916:no:7a40fbb, author = {Black Lotus Labs}, title = {{No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders}}, date = {2021-09-16}, organization = {Lumen}, url = {https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/}, language = {English}, urldate = {2022-01-25} } No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders
PrivetSanya Meterpreter
2021-09-07Counter CraftCounter Craft
@online{craft:20210907:shellcode:dc30cfa, author = {Counter Craft}, title = {{Shellcode Detection Using Real-Time Kernel Monitoring}}, date = {2021-09-07}, organization = {Counter Craft}, url = {https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/}, language = {English}, urldate = {2021-09-14} } Shellcode Detection Using Real-Time Kernel Monitoring
Meterpreter
2021-09-02AhnLabASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {AhnLab}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2022-04-15} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-02SophosSean Gallagher
@online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-03-25Recorded FutureInsikt Group®
@online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2021SecureworksSecureWorks
@online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark Meterpreter Kimsuky
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2018-10Group-IBGroup-IB
@online{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, organization = {Group-IB}, url = {https://explore.group-ib.com/htct/hi-tech_crime_2018}, language = {English}, urldate = {2022-04-25} } Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-06-09MorphisecMichael Gorelik
@online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } FIN7 Takes Another Bite at the Restaurant Industry
Meterpreter FIN7
2011-07-10Michael Schierl
@online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } Facts and myths about antivirus evasion with Metasploit
Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20221125 | Detects win.meterpreter.)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2022-11-21"
        version = "1"
        description = "Detects win.meterpreter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20221118"
        malpedia_hash = "e0702e2e6d1d00da65c8a29a4ebacd0a4c59e1af"
        malpedia_version = "20221125"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { e22b e5f6 4f 1c8b }
            // n = 4, score = 200
            //   e22b                 | loop                0x2d
            //   e5f6                 | in                  eax, 0xf6
            //   4f                   | dec                 edi
            //   1c8b                 | sbb                 al, 0x8b

        $sequence_1 = { 90 90 90 55 e4ec 53 8b22 }
            // n = 7, score = 200
            //   90                   | nop                 
            //   90                   | nop                 
            //   90                   | nop                 
            //   55                   | push                ebp
            //   e4ec                 | in                  al, 0xec
            //   53                   | push                ebx
            //   8b22                 | mov                 esp, dword ptr [edx]

        $sequence_2 = { 50 686cd4408e ffd6 8b0d???????? 83c18a }
            // n = 5, score = 200
            //   50                   | push                eax
            //   686cd4408e           | push                0x8e40d46c
            //   ffd6                 | call                esi
            //   8b0d????????         |                     
            //   83c18a               | add                 ecx, -0x76

        $sequence_3 = { 008b35a8c19f 006860 2f 0000 52 ffd6 }
            // n = 6, score = 200
            //   008b35a8c19f         | add                 byte ptr [ebx - 0x603e57cb], cl
            //   006860               | add                 byte ptr [eax + 0x60], ch
            //   2f                   | das                 
            //   0000                 | add                 byte ptr [eax], al
            //   52                   | push                edx
            //   ffd6                 | call                esi

        $sequence_4 = { 8b87047945f4 6a01 50 52 c745fc00000000 ff08 98 }
            // n = 7, score = 200
            //   8b87047945f4         | mov                 eax, dword ptr [edi - 0xbba86fc]
            //   6a01                 | push                1
            //   50                   | push                eax
            //   52                   | push                edx
            //   c745fc00000000       | mov                 dword ptr [ebp - 4], 0
            //   ff08                 | dec                 dword ptr [eax]
            //   98                   | cwde                

        $sequence_5 = { 57 40 388bf083c4cf 86f6 }
            // n = 4, score = 200
            //   57                   | push                edi
            //   40                   | inc                 eax
            //   388bf083c4cf         | cmp                 byte ptr [ebx - 0x303b7c10], cl
            //   86f6                 | xchg                dh, dh

        $sequence_6 = { 8932 8b700c 83c204 4e 3bce 74ef ff9a0c8b5c03 }
            // n = 7, score = 200
            //   8932                 | mov                 dword ptr [edx], esi
            //   8b700c               | mov                 esi, dword ptr [eax + 0xc]
            //   83c204               | add                 edx, 4
            //   4e                   | dec                 esi
            //   3bce                 | cmp                 ecx, esi
            //   74ef                 | je                  0xfffffff1
            //   ff9a0c8b5c03         | lcall               [edx + 0x35c8b0c]

        $sequence_7 = { 043b 8801 41 0fc2049088 0135???????? 4f 75b5 }
            // n = 7, score = 200
            //   043b                 | add                 al, 0x3b
            //   8801                 | mov                 byte ptr [ecx], al
            //   41                   | inc                 ecx
            //   0fc2049088           | cmpps               xmm0, xmmword ptr [eax + edx*4], 0x88
            //   0135????????         |                     
            //   4f                   | dec                 edi
            //   75b5                 | jne                 0xffffffb7

        $sequence_8 = { 6c 50 048b 55 1491 48 }
            // n = 6, score = 200
            //   6c                   | insb                byte ptr es:[edi], dx
            //   50                   | push                eax
            //   048b                 | add                 al, 0x8b
            //   55                   | push                ebp
            //   1491                 | adc                 al, 0x91
            //   48                   | dec                 eax

        $sequence_9 = { 76e1 8bf0 85f6 750e }
            // n = 4, score = 200
            //   76e1                 | jbe                 0xffffffe3
            //   8bf0                 | mov                 esi, eax
            //   85f6                 | test                esi, esi
            //   750e                 | jne                 0x10

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules