7 Replies Latest reply on Aug 31, 2015 12:14 PM by tomz2

    Penetration test with metasploit

    david.paulus

      Our security team is doing penetration tests with basic Metasploit payloads known by all AV software.

      Our VSE doesn't block it. Is it possible that I am missing a configuration?


      Software:

      agent = 4.8.0.1938

      engine = 5700.7163

      VSE = 8.8.0.1247

        • 1. Re: Penetration test with metasploit
          alhaawi

          Maybe the Metasploit directory was excluded, or the on-access scan has been disabled!

          • 2. Re: Penetration test with metasploit
            david.paulus

            No directory was excluded and the on-access scan was enabled.
            I was able to block the attack by activating the Access Protection policy -> Common Maximum Protection: Prevent programs registering as a service
            Threat Source Process Name: C:\Windows\system32\services.exe
            Threat Target File Path: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\LWbPgbhS
            But with this rule I have a lot of false positives.

            Can you tell me which parameter has to be enabled in the On-access scan, or which policy I have to use?

            • 3. Re: Penetration test with metasploit
              tomz2

              Hi David,


              Your better bet would be to look at using the Host Intrusion Prevention System (HIPS) product. It provides host and network IPS functionality for the endpoint and contains a vast library of signatures that are constantly being updated. Given that the standard use for Metasploit is to launch remote attacks against a system, HIPS will monitor the network traffic against the policy that you have applied and take the defined action based on your policy.


              -Tom

              • 4. Re: Penetration test with metasploit
                mcafeenewb

                An antivirus will not protect against an exploit; however, you stated the payload is 'known by all AV vendors', and that is the disturbing part. If the payload hits the disk, it should get captured.


                Let's test this first: copy the payload manually to the endpoint to see if it gets detected. From there, let's take a look at your low-risk process policy; you may have a low-risk process that matches the action being performed (java.exe etc.).

                • 5. Re: Penetration test with metasploit

                  x2 on this - AV mostly describes detecting an existing known bad thing. Vulnerability mitigation is something completely different (and as Tomz2 said, covered with HIPS).


                  Most endpoint security solutions offer a combination of technologies which you can pick and choose between - I agree this could be simpler but it's a legacy problem solved by using the recommended suite, not just picking one technology.


                  Yes, this is a bit odd when the customer ask is "protect me from cyberthreats", but that's the way this industry has grown up - new solutions like ENS10 take a step in the right direction to solve it though through simplification.

                  • 6. Re: Penetration test with metasploit
                    david.paulus

                    mcafeenewb,

                    The payload gets detected when I copy it manually to the endpoint.

                    I have no special low-risk process policy, it's the mcafee default.

                    • 7. Re: Penetration test with metasploit
                      tomz2

                      Hi David -


                      You're likely looking at two different scenarios here.


                      1) Metasploit payload file copied to an endpoint manually and being written to disk. VSE, if known (heuristics/DAT), will take action on the file as defined in your policy. In this case, the metasploit file is known to Intel Security, whether by heuristics or DAT and is being detected.

                      2) Your team that is using Metasploit to launch a remote "attack" is doing so over the network. VSE likely won't capture the payload in this scenario unless a part of the metasploit payload is to copy a file such as a malware dropper or something that might be known. You'd want HIPS in this scenario.


                      As mentioned by myself and SafeBoot, you really should be looking at a layered approach to covering things like a pen test. You want to use HIPS because it is monitoring the network traffic on the host and has signatures for many of the known vulnerabilities that tools like metasploit well...exploit. You want VSE on the systems as well to capture any sort of malware that may be loaded to an endpoint whether by an attacker or by a user of the system.