SYMBOLCOMMON_NAMEaka. SYNONYMS
win.meterpreter (Back to overview)

Meterpreter

There is no description at this point.

References
2021-09-16Black Lotus LabsBlack Lotus Labs
@online{labs:20210916:no:7a40fbb, author = {Black Lotus Labs}, title = {{No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders}}, date = {2021-09-16}, organization = {Black Lotus Labs}, url = {https://blog.lumen.com/no-longer-just-theory-black-lotus-labs-uncovers-linux-executables-deployed-as-stealth-windows-loaders/}, language = {English}, urldate = {2021-09-19} } No Longer Just Theory: Black Lotus Labs Uncovers Linux Executables Deployed as Stealth Windows Loaders
PrivetSanya Meterpreter
2021-09-07Counter CraftCounter Craft
@online{craft:20210907:shellcode:dc30cfa, author = {Counter Craft}, title = {{Shellcode Detection Using Real-Time Kernel Monitoring}}, date = {2021-09-07}, organization = {Counter Craft}, url = {https://www.countercraftsec.com/blog/post/shellcode-detection-using-realtime-kernel-monitoring/}, language = {English}, urldate = {2021-09-14} } Shellcode Detection Using Real-Time Kernel Monitoring
Meterpreter
2021-09-02ASECAhnLab ASEC Analysis Team
@online{team:20210902:attacks:39695ea, author = {AhnLab ASEC Analysis Team}, title = {{Attacks using metasploit meterpreter}}, date = {2021-09-02}, organization = {ASEC}, url = {https://asec.ahnlab.com/ko/26705/}, language = {Korean}, urldate = {2021-09-09} } Attacks using metasploit meterpreter
Appleseed Meterpreter
2021-06-02SophosSean Gallagher
@online{gallagher:20210602:amsi:084d0ba, author = {Sean Gallagher}, title = {{AMSI bypasses remain tricks of the malware trade}}, date = {2021-06-02}, organization = {Sophos}, url = {https://news.sophos.com/en-us/2021/06/02/amsi-bypasses-remain-tricks-of-the-malware-trade/}, language = {English}, urldate = {2021-06-09} } AMSI bypasses remain tricks of the malware trade
Agent Tesla Cobalt Strike Meterpreter
2021-03-25Recorded FutureInsikt Group®
@online{group:20210325:suspected:5b0078f, author = {Insikt Group®}, title = {{Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers}}, date = {2021-03-25}, organization = {Recorded Future}, url = {https://www.recordedfuture.com/chinese-group-calypso-exploiting-microsoft-exchange/}, language = {English}, urldate = {2021-03-30} } Suspected Chinese Group Calypso APT Exploiting Vulnerable Microsoft Exchange Servers
Meterpreter PlugX
2021-01-07Recorded FutureInsikt Group®
@techreport{group:20210107:aversary:9771829, author = {Insikt Group®}, title = {{Aversary Infrastructure Report 2020: A Defender's View}}, date = {2021-01-07}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0107.pdf}, language = {English}, urldate = {2021-01-11} } Aversary Infrastructure Report 2020: A Defender's View
Octopus pupy Cobalt Strike Empire Downloader Meterpreter PoshC2
2021-01-06Red CanaryTony Lambert
@online{lambert:20210106:hunting:272410b, author = {Tony Lambert}, title = {{Hunting for GetSystem in offensive security tools}}, date = {2021-01-06}, organization = {Red Canary}, url = {https://redcanary.com/blog/getsystem-offsec/}, language = {English}, urldate = {2021-01-11} } Hunting for GetSystem in offensive security tools
Cobalt Strike Empire Downloader Meterpreter PoshC2
2021SecureworksSecureWorks
@online{secureworks:2021:threat:bce1d06, author = {SecureWorks}, title = {{Threat Profile: GOLD WINTER}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-winter}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD WINTER
Cobalt Strike Hades Meterpreter GOLD WINTER
2021SecureworksSecureWorks
@online{secureworks:2021:threat:c0ba914, author = {SecureWorks}, title = {{Threat Profile: GOLD FRANKLIN}}, date = {2021}, organization = {Secureworks}, url = {http://www.secureworks.com/research/threat-profiles/gold-franklin}, language = {English}, urldate = {2021-05-31} } Threat Profile: GOLD FRANKLIN
Grateful POS Meterpreter MimiKatz RemCom FIN6
2020-11-17cybleCyble
@online{cyble:20201117:oceanlotus:d33eb97, author = {Cyble}, title = {{OceanLotus Continues With Its Cyber Espionage Operations}}, date = {2020-11-17}, organization = {cyble}, url = {https://cybleinc.com/2020/11/17/oceanlotus-continues-with-its-cyber-espionage-operations/}, language = {English}, urldate = {2020-11-18} } OceanLotus Continues With Its Cyber Espionage Operations
Cobalt Strike Meterpreter
2020-10-27US-CERTUS-CERT
@online{uscert:20201027:alert:cd5c1eb, author = {US-CERT}, title = {{Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky}}, date = {2020-10-27}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/alerts/aa20-301a}, language = {English}, urldate = {2020-10-29} } Alert (AA20-301A): North Korean Advanced Persistent Threat Focus: Kimsuky
BabyShark Meterpreter Kimsuky
2020-10-11Github (StrangerealIntel)StrangerealIntel
@online{strangerealintel:20201011:chimera:a423a07, author = {StrangerealIntel}, title = {{Chimera, APT19 under the radar ?}}, date = {2020-10-11}, organization = {Github (StrangerealIntel)}, url = {https://github.com/StrangerealIntel/CyberThreatIntel/blob/master/China/APT/Chimera/Analysis.md}, language = {English}, urldate = {2020-10-15} } Chimera, APT19 under the radar ?
Cobalt Strike Meterpreter
2020-10-01WiredAndy Greenberg
@online{greenberg:20201001:russias:3440982, author = {Andy Greenberg}, title = {{Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency}}, date = {2020-10-01}, organization = {Wired}, url = {https://www.wired.com/story/russias-fancy-bear-hack-us-federal-agency/}, language = {English}, urldate = {2020-10-05} } Russia’s Fancy Bear Hackers Likely Penetrated a US Federal Agency
Cobalt Strike Meterpreter
2020-09-24US-CERTUS-CERT
@online{uscert:20200924:analysis:e1e4cc0, author = {US-CERT}, title = {{Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor}}, date = {2020-09-24}, organization = {US-CERT}, url = {https://us-cert.cisa.gov/ncas/analysis-reports/ar20-268a}, language = {English}, urldate = {2020-10-13} } Analysis Report (AR20-268A): Federal Agency Compromised by Malicious Cyber Actor
Cobalt Strike Meterpreter
2018-10Group-IBGroup-IB
@techreport{groupib:201810:hitech:420711f, author = {Group-IB}, title = {{Hi-Tech Crime Trends 2018}}, date = {2018-10}, institution = {Group-IB}, url = {https://www.fintechsecurity.com.hk/slides/01.Dmitry-Annual-Group-IB-report-High-Tech-Crime-Trends.pdf}, language = {English}, urldate = {2021-02-09} } Hi-Tech Crime Trends 2018
BackSwap Cobalt Strike Cutlet Meterpreter
2017-12-11Group-IBGroup-IB
@techreport{groupib:20171211:moneytaker:49776be, author = {Group-IB}, title = {{MoneyTaker 1.5 YEARS OF SILENT OPERATIONS}}, date = {2017-12-11}, institution = {Group-IB}, url = {https://vx-underground.org/archive/APTs/2017/2017.12.11/Money%20Taker.pdf}, language = {English}, urldate = {2021-02-09} } MoneyTaker 1.5 YEARS OF SILENT OPERATIONS
Citadel Kronos Meterpreter
2017-06-09MorphisecMichael Gorelik
@online{gorelik:20170609:fin7:3be08a2, author = {Michael Gorelik}, title = {{FIN7 Takes Another Bite at the Restaurant Industry}}, date = {2017-06-09}, organization = {Morphisec}, url = {https://blog.morphisec.com/fin7-attacks-restaurant-industry}, language = {English}, urldate = {2020-09-04} } FIN7 Takes Another Bite at the Restaurant Industry
Meterpreter FIN7
2011-07-10Michael Schierl
@online{schierl:20110710:facts:fb33368, author = {Michael Schierl}, title = {{Facts and myths about antivirus evasion with Metasploit}}, date = {2011-07-10}, url = {http://schierlm.users.sourceforge.net/avevasion.html}, language = {English}, urldate = {2020-08-24} } Facts and myths about antivirus evasion with Metasploit
Meterpreter
Yara Rules
[TLP:WHITE] win_meterpreter_auto (20210616 | Detects win.meterpreter.)
rule win_meterpreter_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2021-06-10"
        version = "1"
        description = "Detects win.meterpreter."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.meterpreter"
        malpedia_rule_date = "20210604"
        malpedia_hash = "be09d5d71e77373c0f538068be31a2ad4c69cfbd"
        malpedia_version = "20210616"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { fc 8921 34ff 10f9 fd f1 50 }
            // n = 7, score = 200
            //   fc                   | cld                 
            //   8921                 | mov                 dword ptr [ecx], esp
            //   34ff                 | xor                 al, 0xff
            //   10f9                 | adc                 cl, bh
            //   fd                   | std                 
            //   f1                   | int1                
            //   50                   | push                eax

        $sequence_1 = { 8a0c19 8808 8bcf d3ea }
            // n = 4, score = 200
            //   8a0c19               | mov                 cl, byte ptr [ecx + ebx]
            //   8808                 | mov                 byte ptr [eax], cl
            //   8bcf                 | mov                 ecx, edi
            //   d3ea                 | shr                 edx, cl

        $sequence_2 = { 8bf7 b94c000061 f3ab 8b4573 }
            // n = 4, score = 200
            //   8bf7                 | mov                 esi, edi
            //   b94c000061           | mov                 ecx, 0x6100004c
            //   f3ab                 | rep stosd           dword ptr es:[edi], eax
            //   8b4573               | mov                 eax, dword ptr [ebp + 0x73]

        $sequence_3 = { 8d2b 10a48a46045170 f5 50 94 15b9c040c8 85c0 }
            // n = 7, score = 200
            //   8d2b                 | lea                 ebp, dword ptr [ebx]
            //   10a48a46045170       | adc                 byte ptr [edx + ecx*4 + 0x70510446], ah
            //   f5                   | cmc                 
            //   50                   | push                eax
            //   94                   | xchg                eax, esp
            //   15b9c040c8           | adc                 eax, 0xc840c0b9
            //   85c0                 | test                eax, eax

        $sequence_4 = { 008af3d283d6 0883c3398b4d fc 835514eb 897d08 }
            // n = 5, score = 200
            //   008af3d283d6         | add                 byte ptr [edx - 0x297c2d0d], cl
            //   0883c3398b4d         | or                  byte ptr [ebx + 0x4d8b39c3], al
            //   fc                   | cld                 
            //   835514eb             | adc                 dword ptr [ebp + 0x14], -0x15
            //   897d08               | mov                 dword ptr [ebp + 8], edi

        $sequence_5 = { 880e 8b4d10 e8???????? 8b33 0be2 75e8 dd4518 }
            // n = 7, score = 200
            //   880e                 | mov                 byte ptr [esi], cl
            //   8b4d10               | mov                 ecx, dword ptr [ebp + 0x10]
            //   e8????????           |                     
            //   8b33                 | mov                 esi, dword ptr [ebx]
            //   0be2                 | or                  esp, edx
            //   75e8                 | jne                 0xffffffea
            //   dd4518               | fld                 qword ptr [ebp + 0x18]

        $sequence_6 = { ffa42404e8cbff 16 e5f7 1f 47 c059f7d8 }
            // n = 6, score = 200
            //   ffa42404e8cbff       | jmp                 dword ptr [esp - 0x3417fc]
            //   16                   | push                ss
            //   e5f7                 | in                  eax, 0xf7
            //   1f                   | pop                 ds
            //   47                   | inc                 edi
            //   c059f7d8             | rcr                 byte ptr [ecx - 9], 0xd8

        $sequence_7 = { 005e8b e5ec 1f 8be3 dc02 41 }
            // n = 6, score = 200
            //   005e8b               | add                 byte ptr [esi - 0x75], bl
            //   e5ec                 | in                  eax, 0xec
            //   1f                   | pop                 ds
            //   8be3                 | mov                 esp, ebx
            //   dc02                 | fadd                qword ptr [edx]
            //   41                   | inc                 ecx

        $sequence_8 = { a1???????? 83d1bd 2bf8 03d8 }
            // n = 4, score = 200
            //   a1????????           |                     
            //   83d1bd               | adc                 ecx, -0x43
            //   2bf8                 | sub                 edi, eax
            //   03d8                 | add                 ebx, eax

        $sequence_9 = { 8ba91085c97c 16 b704 e0c0 7610 }
            // n = 5, score = 200
            //   8ba91085c97c         | mov                 ebp, dword ptr [ecx + 0x7cc98510]
            //   16                   | push                ss
            //   b704                 | mov                 bh, 4
            //   e0c0                 | loopne              0xffffffc2
            //   7610                 | jbe                 0x12

    condition:
        7 of them and filesize < 188416
}
Download all Yara Rules