Hunting Metasploit

  • Metasploit is a commonly used exploit framework for penetration testing and red team operations

  • Look for outbound connections to suspicious destination ports such as 4444 and 5555, the defaults that Metasploit handlers and payloads use. Operators can change these ports, so treat a hit as a lead to pivot on (source process, destination IP, timing) rather than as proof on its own

  • The same hunting method (known default listener ports plus the process that opened the connection) can be applied to various other RATs and C2 beacons

Hunting Network Connections

<!-- Sysmon event ID 3 (NetworkConnect): record connections whose destination port is 4444 or 5555.
     onmatch="include" means only matching connections are logged; other outbound traffic is dropped. -->
<Sysmon schemaversion="4.22">
	<EventFiltering>
		<RuleGroup name="" groupRelation="or">
			<NetworkConnect onmatch="include">
				<DestinationPort condition="is">4444</DestinationPort>
				<DestinationPort condition="is">5555</DestinationPort>
			</NetworkConnect>
		</RuleGroup>
	</EventFiltering>
</Sysmon>

Hunting for Open Ports with PowerShell

  • Use Get-WinEvent with an XPath filter (-FilterXPath) that selects Sysmon event ID 3 (NetworkConnect) records whose DestinationPort field matches the suspicious ports; filtering on DestinationPort by name avoids false hits where 4444 appears as the SourcePort

Get-WinEvent -Path C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Metasploit.evtx -FilterXPath "*[System[EventID=3] and EventData[Data[@Name='DestinationPort']='4444' or Data[@Name='DestinationPort']='5555']]"
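The one-liner above only tells you that a matching event exists. To act on it you want the process image, PID and destination address attached to each hit, and a count of which processes talked to the watched ports. The function below is an added example and is not part of the original notes or the TryHackMe scenario: it pulls event ID 3 from the exported .evtx with XPath, parses each event's XML into a name/value table, filters on DestinationPort against a configurable port list, and groups the results. The .evtx path and the port list are assumptions; the field names (UtcTime, ProcessId, Image, SourceIp, DestinationIp, DestinationPort) are Sysmon's standard event ID 3 fields.

```powershell
# Added example: hunt Sysmon NetworkConnect events for Metasploit-style listener ports.
# Not part of the original notes; the .evtx path and default port list are assumptions.
function Find-SuspiciousConnections {
    param(
        [Parameter(Mandatory)][string]$Path,        # exported Sysmon log (.evtx)
        [int[]]$Ports = @(4444, 5555)               # default Metasploit ports from the notes
    )

    # Select only Sysmon event ID 3 (NetworkConnect) records from the file.
    # Get-WinEvent throws when nothing matches, so silence that and return nothing.
    $events = Get-WinEvent -Path $Path -FilterXPath '*[System[EventID=3]]' -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Sysmon stores fields as <Data Name="...">value</Data>; build a name->value table per event.
        # PowerShell's [xml] dot notation ignores the event namespace, so Event.EventData.Data resolves.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        # Filter on the DestinationPort field by name, not on any Data element, so a
        # connection whose *source* port happens to be 4444 is not reported.
        if ($Ports -contains [int]$data['DestinationPort']) {
            [pscustomobject]@{
                UtcTime         = $data['UtcTime']
                Image           = $data['Image']
                ProcessId       = $data['ProcessId']
                SourceIp        = $data['SourceIp']
                DestinationIp   = $data['DestinationIp']
                DestinationPort = $data['DestinationPort']
            }
        }
    }
}

# Usage: list every hit, then summarise which process reached which listener (assumed path).
$hits = Find-SuspiciousConnections -Path 'C:\Users\THM-Analyst\Desktop\Scenarios\Practice\Hunting_Metasploit.evtx'
$hits | Format-Table UtcTime, Image, ProcessId, DestinationIp, DestinationPort -AutoSize

$hits |
    Group-Object Image, DestinationIp, DestinationPort |
    Sort-Object Count -Descending |
    Format-Table Count, Name -AutoSize
```

The grouped view is the useful pivot: a signed system binary repeatedly connecting to one external IP on 4444 looks very different from a one-off connection by a browser, and it is the process context, not the port number, that decides whether the hit is worth escalating. Widen the -Ports list when hunting other RATs or C2 frameworks whose defaults you know.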
