Researchers will demonstrate forensics tool, technique for unmasking attacks using Metasploit's stealthy Meterpreter anti-forensics function

Researchers will release an open source tool at Black Hat USA that helps forensics investigators reconstruct attacks that use a popular Metasploit payload to covers its tracks.

Mandiant's Steve Davis and Peter Silberman have developed an "anti-" anti-forensics tool, of sorts, tentatively called the Metasploit Forensics Framework, which they'll demonstrate at the security conference later this month. The tool is aimed at unmasking what Metasploit's stealthy Meterpreter (PDF) did on a machine. Meterpreter lets developers write code in DLL files and execute everything in memory -- without writing anything to the victim machine's disk, where it could be detected and, in turn, complicate incident response.

Meterpreter can be used to download and upload files, execute code, and open its own command shell, the researchers say. Their new tool can tell if a Meterpreter packet is still in memory, and, if so, which files Meterpreter has accessed, and whether it has modified a registry key.

Some traditional antivirus tools can't detect Meterpreter-borne attacks because they never hit the disk, the researchers say.

"You wouldn't see the attacks happen if they didn't write anything to disk," says Steve Davis, one of the researchers and a consultant with Mandiant. "We are going to show how we can reconstruct a crime scene in memory."

The Metasploit Forensics Framework is a proof-of-concept tool that scans the processes in memory. "Meterpreter has unique packets...and we can identify those and reconstruct its processes," says Peter Silberman, an engineer on the product team at Mandiant. "We're going to discuss how Meterpreter looks in memory, and how it's able to circumvent traditional tools [for forensics]. We'll demonstrate how with some advanced knowledge, you can reconstruct what commands were sent to Meterpreter and perform an autopsy on an attack."

Memory analysis in forensics has only begun to catch on tool-wise in the past year or so, the researchers say. Their tool helps investigators pull useful information from memory to help in their forensics work, they say. "This is just a small research project in how freed memory can still pull out a lot of useful information on the commands [an attacker] used," for example, Silberman says.

The researchers say they fully expect the Metasploit developers to come up with a workaround for their tool in short order once it's released. They plan to make the tool available on Mandiant's Website the day of their Black Hat presentation so attendees can experiment with it during their talk, they say.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

About the Author(s)

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights