I'm hoping I can get some feedback from anyone who is more familiar with Metasploit than I am. Our endpoint protection flagged the following yesterday on one of our machines:
User: NT AUTHORITY\SYSTEM
Scan: Scan Schedule
File "C:\Documents and Settings\Administrator\Application Data\msf3\data\meterpreter\ext_server_stdapi.dll"
I am trying to determine whether the above indicates that someone tried to install the Metasploit framework on the system, or whether this is the result of a successful exploit against that box.
Thanks much for any input.
Metasploit Question: Files Found On Network Host
Posted 01 August 2012 - 01:07 PM
I'll close this after more research. The answer was that the Meterpreter payload on a compromised host only lives in memory and doesn't write to the target drive. The above was the result of an install of an older version of Metasploit on that machine, and the AV picked up that .dll because of a new sig addition to the .dat. The framework had been uninstalled, but this .dll was left behind and finally triggered the AV following a new .dat release.
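The triage the poster ended up doing by hand, as an added Python example (not code from the poster or from the Metasploit project): parse the alert fields, then check whether the flagged DLL sits inside the `msf3\data\meterpreter` tree that a framework install creates, or somewhere a framework install would never put it. The sample alert text is constructed to mirror the one quoted above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample, modelled on the alert quoted in the post (not a real scanner export).
SAMPLE_ALERT = r"""User: NT AUTHORITY\SYSTEM
Scan: Scan Schedule
File "C:\Documents and Settings\Administrator\Application Data\msf3\data\meterpreter\ext_server_stdapi.dll"
"""

# Directory chain under which a Metasploit 3.x framework install keeps its
# Meterpreter extension libraries (the layout visible in the alert above).
FRAMEWORK_DIR_CHAIN = ("msf3", "data", "meterpreter")
# Names of the Meterpreter extension libraries shipped in that directory.
METERPRETER_LIB_RE = re.compile(r"ext_server_\w+\.dll|metsrv\.dll", re.IGNORECASE)


def parse_alert(text: str) -> dict:
    """Pull the User, Scan and File fields out of the alert text."""
    fields = {}
    for line in text.splitlines():
        line = line.strip()
        m = re.match(r'^(User|Scan):\s*(.+)$', line)
        if m:
            fields[m.group(1).lower()] = m.group(2)
            continue
        m = re.match(r'^File\s+"(.+)"$', line)
        if m:
            fields["file"] = m.group(1)
    return fields


def classify_path(path_str: str) -> dict:
    """Decide whether a flagged Meterpreter DLL sits in a framework install tree."""
    parts = PureWindowsPath(path_str).parts
    lowered = [p.lower() for p in parts]
    n = len(FRAMEWORK_DIR_CHAIN)
    for i in range(len(lowered) - n):  # the last part is the file name, so stop before it
        if tuple(lowered[i:i + n]) == FRAMEWORK_DIR_CHAIN:
            # Leftover from a framework install: confirm the install history and
            # whether the install root still holds other files.
            return {"verdict": "framework_install_artifact",
                    "install_root": str(PureWindowsPath(*parts[:i + 1]))}
    if METERPRETER_LIB_RE.fullmatch(parts[-1]):
        # A framework install would not place this DLL here, and the payload itself
        # stays in memory, so an on-disk copy elsewhere is unexplained: investigate.
        return {"verdict": "meterpreter_library_outside_framework", "install_root": None}
    return {"verdict": "unclassified", "install_root": None}


def triage(alert_text: str) -> dict:
    """Parse the alert and classify the flagged file; the User field is the scanner's account."""
    fields = parse_alert(alert_text)
    result = classify_path(fields["file"])
    result["scan_account"] = fields.get("user")  # scheduled scan ran as SYSTEM; says nothing about who wrote the file
    return result
```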