
Block transactions with certain payloads with the "Meterpreter" label

Article ID: 240748

Products

CAS-S500 CAS-S400

Issue/Introduction

The customer reports that their end users shared a number of sandboxing task reports and asked us to ensure that Symantec Content Analysis (CAS) blocks transactions carrying payloads labelled "Meterpreter". The task reports show the following.

Label: Osx_metrpreter_shellWarDocx.docx
Date Added: 2022-04-28 11:52:23 (UTC)
File Type: document:ooxml:docx
File Size: 25921 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_jspJspDoc.doc
Date Added: 2022-04-19 13:35:30 (UTC)
File Type: document:cdf:doc
File Size: 17140 bytes

Pattern Matching Results
5 Drops executable
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Meterpreter_reverese_shellWarOdt.odt
Date Added: 2022-04-28 11:46:40 (UTC)
File Type: unknown:OpenDocument Text
File Size: 17884 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarXlsx.xlsx
Date Added: 2022-04-19 13:44:20 (UTC)
File Type: document:ooxml:xlsx
File Size: 17332 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarXls.xls
Date Added: 2022-04-19 13:44:16 (UTC)
File Type: document:cdf:xls
File Size: 33280 bytes

Pattern Matching Results
5 Drops executable
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarPptx.pptx
Date Added: 2022-04-19 13:43:58 (UTC)
File Type: document:ooxml:pptx
File Size: 62242 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_jspJspOdt.odt
Date Added: 2022-04-19 13:37:00 (UTC)
File Type: unknown:OpenDocument Text
File Size: 18612 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Meterpreter_reverese_shellWarOdt.odt
Date Added: 2022-04-19 13:33:41 (UTC)
File Type: unknown:OpenDocument Text
File Size: 17903 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]

 

Label: Meterpreter_reverese_shellWarDocx.docx
Date Added: 2022-04-19 13:32:14 (UTC)
File Type: document:ooxml:docx
File Size: 25127 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]

 

Label: Osx_metrpreter_jspJspXls.xls
Date Added: 2022-04-05 18:05:43 (UTC)
File Type: document:cdf:xls
File Size: 74240 bytes

Pattern Matching Results
5 Drops executable
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarPptx.pptx
Date Added: 2022-04-05 18:04:40 (UTC)
File Type: document:ooxml:pptx
File Size: 62242 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarDocx.docx
Date Added: 2022-04-05 18:00:50 (UTC)
File Type: document:ooxml:docx
File Size: 25929 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_jspJspOdt.odt
Date Added: 2022-04-05 17:59:12 (UTC)
File Type: unknown:OpenDocument Text
File Size: 18623 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_shellWarOdt.odt
Date Added: 2022-04-05 17:52:49 (UTC)
File Type: unknown:OpenDocument Text
File Size: 18704 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Meterpreter_reverese_shellWarOdt.odt
Date Added: 2022-04-04 07:21:47 (UTC)
File Type: unknown:OpenDocument Text
File Size: 17910 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]
5 T1569.002 - Service Execution [MITRE-ATTCK]

 

Label: Osx_metrpreter_jspJspPptx.pptx
Date Added: 2022-04-04 07:20:25 (UTC)
File Type: document:ooxml:pptx
File Size: 61834 bytes

Pattern Matching Results
5 Drops executable
5 Sets system attribute
5 T1053.005 - Scheduled Task (Hidden) [MITRE-ATTCK]
5 T1053.005 - Scheduled Task [MITRE-ATTCK]

 

Label: Meterpreter_reverese_shellWarPpt.ppt
Date Added: 2022-04-04 07:16:26 (UTC)
File Type: document:cdf:ppt
File Size: 98304 bytes

Pattern Matching Results
5 Drops executable

Resolution

Investigating the "Meterpreter" payload: Meterpreter is an advanced, dynamically extensible Metasploit attack payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API, with command history, tab completion, channels and more. It gives the attacker an interactive shell from which to explore the target machine and execute code. Because it is deployed through in-memory DLL injection, the Meterpreter stage itself resides entirely in memory and writes nothing to disk. Note that the documents in the task reports above are droppers for it: each one is flagged "Drops executable", so the delivery vehicle does leave an artifact on disk even if the injected stage does not.

Looking into the sandboxing task reports, we see that the "Meterpreter" attack payload received a threat risk score of 5. The definition of the threat risk levels explains what that level means:

  • Medium (Levels 5-6) - Report color is Yellow
    • The URL is unproven; there is not an established history of normal behavior. This level should be evaluated by other layers of defense (such as Content Analysis and Malware Analysis) and considered for more restrictive policy.

Ref. doc.: https://knowledge.broadcom.com/external/article/169805/threat-risk-levels-explained.html

From some of the task reports, we see the below process/thread events which further validated the presence of the 

Since these samples have already been evaluated by Content Analysis and Malware Analysis and a verdict has been returned, we strongly recommend applying a more restrictive security policy at threat risk level 5, so that the "Meterpreter" attack payload is blocked.

Further investigation shows that the product detects these attacks through its built-in "Metasploit Meterpreter Upload Activity 8" and "Meterpreter Reverse HTTPS" attack signatures.

Ref. docs.:

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=31636

https://www.broadcom.com/support/security-center/attacksignatures/detail?asid=28589
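The logic behind the vendor's "Meterpreter Reverse HTTPS" signature is not published on this page. One property of the Metasploit reverse_http/reverse_https stager that a practitioner can verify independently is that the stager chooses its request URI so that the 8-bit sum of the URI's base64url characters equals one of a few fixed values: 92 for the Windows/native stage request (INITW/INITN), 80 for Python (INITP), 88 for Java (INITJ) and 98 for an existing session's beacon (CONN), as implemented in Metasploit's Rex::Payloads::Meterpreter::UriChecksum. The example below is added here and is not Symantec's code or Metasploit's; it reproduces that checksum on one side (a URI generator of the kind the stager uses) and applies it as a detection over a constructed proxy access log on the other. The log format, client addresses and destination are assumptions made up for the example.

```python
import random
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Checksum values and minimum length from Metasploit's UriChecksum module.
URI_CHECKSUM_MODES = {
    92: "INITW/INITN (Windows or native stage request)",
    80: "INITP (Python stage request)",
    88: "INITJ (Java stage request)",
    98: "CONN (beacon of an existing session)",
}
URI_CHECKSUM_MIN_LEN = 5
BASE64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789_-"


def checksum8(s: str) -> int:
    """8-bit sum of the ASCII bytes, i.e. Rex::Text.checksum8."""
    return sum(s.encode("ascii")) & 0xFF


def uri_mode(path: str):
    """Return the Meterpreter URI mode for a request path, or None if it does not match.
    Like the handler, ignore the query string and any non-base64url characters."""
    bare = re.sub(r"[^A-Za-z0-9_\-]", "", path.split("?", 1)[0])
    if len(bare) < URI_CHECKSUM_MIN_LEN:
        return None
    return URI_CHECKSUM_MODES.get(checksum8(bare))


def make_stager_uri(target_sum: int, length: int = 8, seed: int = 0) -> str:
    """Generate a random base64url path whose 8-bit sum equals target_sum,
    the same brute-force approach the stager uses (seeded here so it is repeatable)."""
    rng = random.Random(seed)
    while True:
        cand = "".join(rng.choice(BASE64URL) for _ in range(length))
        if checksum8(cand) == target_sum:
            return "/" + cand


# Constructed access-log format (assumption): timestamp client method url status
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")

# Constructed sample log: one client fetches a stage (checksum 92) and then beacons
# three times (checksum 98); another client browses normally.
SAMPLE_LOG = """\
2022-04-28T11:52:23Z 10.1.2.3 GET https://203.0.113.10:8443/jjjjjjjv 200
2022-04-28T11:52:24Z 10.1.2.3 GET https://203.0.113.10:8443/kkkkkkku 200
2022-04-28T11:52:29Z 10.1.2.3 GET https://203.0.113.10:8443/llllllln 200
2022-04-28T11:52:34Z 10.1.2.3 GET https://203.0.113.10:8443/mmmmmmmg 200
2022-04-28T11:53:01Z 10.1.2.4 GET https://www.example.com/index.html 200
2022-04-28T11:53:02Z 10.1.2.4 GET https://www.example.com/favicon.ico 404
"""


def scan_log(text: str, min_conn_hits: int = 2) -> dict:
    """Group checksum hits per (client, destination). Alert on any stage request, or on
    repeated CONN beacons to the same host; a single CONN hit alone is too weak, since a
    random path matches one of the four sums about 1.6% of the time."""
    stats = defaultdict(lambda: {"init": 0, "conn": 0, "paths": []})
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["url"])
        mode = uri_mode(parts.path)
        if mode is None:
            continue
        key = (m["client"], parts.netloc)
        stats[key]["paths"].append(parts.path)
        stats[key]["conn" if mode.startswith("CONN") else "init"] += 1
    return {k: v for k, v in stats.items() if v["init"] or v["conn"] >= min_conn_hits}


if __name__ == "__main__":
    print("generated stage URI:", make_stager_uri(92), uri_mode(make_stager_uri(92)))
    for (client, dest), info in scan_log(SAMPLE_LOG).items():
        print(f"ALERT {client} -> {dest}: {info['init']} stage request(s), "
              f"{info['conn']} beacon(s), paths {info['paths']}")
```

The checksum is only observable over HTTPS where the proxy decrypts the session (SSL interception on ProxySG); without that, only the TLS metadata of the connection is available. A single matching path is weak evidence on its own, so the scan above only raises on a stage request or on a repeated beacon pattern, and a production signature would combine it with further request features.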

Resolution

Ensure the integrated ProxySG appliance runs SGOS 7.x (preferably SGOS 7.3.7.1 or later) and apply the "Recommended", "Strong" or "Maximum" protection level, with the Threat Risk Level entitlement in place. With that entitlement, the following are blocked, among others:

  • File types executable, archive, etc.
  • Category “none” and Threat Risk Level 5 and higher

Ref. doc.: https://knowledge.broadcom.com/external/article/174668/what-requests-are-blocked-or-monitored-a.html

For guidance on activating the Access Security Policy, refer to the tech doc at the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/proxysg/7-3/securityBP/Use-Security-Policy.html

Additionally, if the identified malicious pattern(s) are not yet in the pattern database, you can create a custom pattern group. We recommend creating patterns that identify the "Meterpreter" attack payload and assigning them a threat risk score high enough that a match is blocked.

Note: A pattern is a sequence of IP addresses, domain names, file headers, or strings that can be used to identify potential malicious or otherwise interesting activity.

For detailed guidance on adding a pattern, refer to the tech doc at the URL below, and to pages 82-84 of the attached Guide to Performing Malware Analysis in Content Analysis.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/content-analysis/3-1/solution_malware_analysis/about_patterns/ma_analysis_center_patterns.html

Attachments

Malware_Analysis_Guide_v24_1651507476650.pdf