I created a couple of new vSploit modules to allow organizations to test their abilities for APT-type activity detection. There are already a few vSploit modules in the Metasploit trunk and you should see several more modules added next year. I will keep coding vSploit modules in my spare time to fill critical needs when I see them. I have created a new DNS beaconing module and filestream module and posted them to my GitHub account (links below).

DNS_Red

There have been two really good sources of information recently on malicious domain names. If you didn't get a chance to check the following two links out, they are must reads:

http://www.secureworks.com/research/threats/htran/

http://pastebin.com/yKSQd5Z5

I grabbed all of the domains, sorted, and eliminated duplicates and threw them into a vSploit module.

This module is available for download at my GitHub account: https://github.com/threatagent/vSploit/blob/master/vSploit/dns_red.rb

I believe that it is essential that organizations, especially DoD and .Gov agencies are able to detect suspicious domains like the following. The process is simple 1) Run the vSploit module 2) Is your DNS logging/ monitoring/ picking up this activity?

If you can't see the activity you need to put something in place to make that happen.

vSploit filestream

If you are familiar with what's going on with current attacks, you may know that attackers tend to compress files, ie. encrypted RAR files and exfiltrate. Many times attackers are able to send these in plain text over networks without detection. I don't know too many places, especially government related, that run RAR software on their network. I could be totally wrong on that point, but I haven't seen it. The filestream module sends datastreams to emulate malicious files by sending a matching file header with hex padding.

The module currently sends filestreams emulating EXE (Windows Executables), ZIP (ZIP Archives), RAR (RAR Archives), and ELF (Linux/UNIX Executables). This module works with TCP/UDP and requires a listener port. Although the filetypes may be common in some environments, there are definitely cases where they shouldn't be traversing networks. Regardless, organizations should be able to see this activity.

GitHub link: https://github.com/threatagent/vSploit/blob/master/vSploit/vsploit_filestream.rb

Wireshark capture of RAR filestream:

These modules can definitely help some environments. As always I've love your feedback. Please leave a comment below.