Blackhat Arsenal 2012 Releases: MIRV (Metasploit’s Incident Response Vehicle) Released

Blackhat Arsenal 2012 Releases: MIRV (Metasploit’s Incident Response Vehicle) Released

MIRV (Metasploit’s Incident Response Vehicle) is a new tool (based on Metasploit’s meterpreter) which was created to address the perceived shortcomings in existing host-based incident response tools: they do not operate on large amounts of nodes, are difficult to get past change advisory boards that grant approval for deployment, are not stealthy and do not have the ability to be safely extended.  As opposed to permanent host monitoring agents, MIRV follows the principle of temporary militarisation – additional forces are deployed to a compromised area and withdrawn after the breach is contained.

Alongside with Alejandro (dotdotpwn dude) and Konrads (MIRV’s Author)

MIRV achieves this by offering the operator more introspection capabilities of the host. MIRV’s main design feature are the embedded Lua micro-agents to monitor various system activity events and the ability to act on those events using the full flexibility and safety of Lua. Metasploit’s meterpreter offers the  volatility to ease the deployment concerns as well as stealth to observe attacker behaviour

Features are roughly divided into two major sections – things driven by Lua and things filtered by Lua. Some emphasis is put on getting data that might not be available through conventional means, for example, if only successful or failed logins are recorded, then this information can perhaps be gleaned through other means.

Mass deployment

Metasploit console automation is used to deploy the MIRV/meterpreter agents. Given a list of computers and a set of valid credential, it uses psexec module to deploy agents. This creates only one artefact – the meterpreter executable which is deleted immediately after execution.

Lua micro agents

The core feature of MIRV is the Lua micro-agents.  MIRV allows the operator to run multiple Lua scripts, each in its own thread. Primary aim of micro agents is to allow operators to do ad-hoc monitoring of systems. They follow a poll-filter-report cycle, for example, the script periodically polls process list and check if new and exciting processes have appeared while ignoring boring and mundane ones. An alert is sent with the new process names. To make these scripts richer, some Win32 Lua extensions are built-in.

Windows log processing

Getting windows logs to a central collection machine is not always a trivial task – the sheer amount of logs may overwhelm available resources, installing forwarders and making changes is a no-no. The logs also are not available in easy to read format. MIRV provides an easy way to get just the right amount of logs wherever necessary: It reads log sources and presents each entry to a Lua filter. If the filter lets it through, the log entry is sent to the remote destination.

Basic rootkit detection

To catch a maniac, one must send a maniac. Metasploit implements primitive rootkit detection – it looks for other instances of Meterpreter based on names of dlls used.

Terminal Services client shared inspection

Terminal Servies (TS) clients offer the ability to share the client’s local disks with the server, mapping them in the server’s namespace under \\tsclient UNC path. This offers an opportunity to inspect and modify the client’s drive contents. Operator has the opportunity to execute a Lua hook every time a new disk becomes available.

Dynamic hook injection

Some really useful information is only available in the application. We, therefore use hooks to intercept stuff and filter through Lua!

More Information about MIRV

Next Interview (ToolsTube) with Konrads Smelkovs

NJ Ouchn

"Passion is needed for any great work, and for the revolution, passion and audacity are required in big doses"