Is there any way to prevent meterpreter process migration?
Are you talking about the endpoint that has been compromised? – ISMSDEV May 27 '17 at 07:28

Yes... Like the attacker has already got the shell, or else he somehow gets access to an open (unlocked) unattended machine... – Mashhoor Gulati May 28 '17 at 19:47
1 Answer
Based on this question, process migration requires the SeDebugPrivilege to create a thread attached to a remote process, so denying it should block the migration process. Sadly, there is no clear definition of how to do it, but it seems this privilege is part of the user / group privileges, so using a non-admin user without this privilege should block process migration.

Also, any advanced AV system should be able to detect and block process migration, but I only tested it on Kaspersky, which did block migration.
VincBreaker
In my case Kaspersky could not block it! Though I have not checked with any other yet. – Mashhoor Gulati May 28 '17 at 19:49

I've tuned my Kaspersky settings to do extensive behavior analytics; maybe that's required to block migration. – VincBreaker May 28 '17 at 19:52
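The answer's point is that migration is, at the OS level, a thread created in another process, which is exactly what Sysmon records as Event ID 8 (CreateRemoteThread). The following is an added example (not code from the thread's participants or from any AV product) of the kind of behavioural check an EDR/AV rule or a SIEM detection would apply to such events: it parses a few constructed, namespace-stripped Sysmon Event ID 8 records and flags remote-thread creation from a source process that is not on an allowlist, with an extra reason when the thread's start address is not backed by any loaded module (a typical sign of injected code). The allowlist contents and the sample paths, PIDs and timestamps are assumptions for this example.

```python
"""Flag Sysmon Event ID 8 (CreateRemoteThread) records that look like
process migration. Example code, not part of the original Q&A; the
sample XML below is constructed and uses Sysmon's field names but omits
the XML namespace that real exported events carry."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple

# Constructed sample export: two suspicious remote-thread events, one
# benign one from csrss.exe, and one unrelated Event ID 1 record.
SAMPLE_XML = r"""<Events>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="UtcTime">2017-05-28 19:40:01.123</Data>
    <Data Name="SourceProcessId">4120</Data>
    <Data Name="SourceImage">C:\Users\alice\Downloads\update.exe</Data>
    <Data Name="TargetProcessId">2268</Data>
    <Data Name="TargetImage">C:\Windows\explorer.exe</Data>
    <Data Name="NewThreadId">5532</Data>
    <Data Name="StartAddress">0x000001D3A2F10000</Data>
    <Data Name="StartModule"></Data>
    <Data Name="StartFunction"></Data>
  </EventData></Event>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="UtcTime">2017-05-28 19:40:02.456</Data>
    <Data Name="SourceProcessId">612</Data>
    <Data Name="SourceImage">C:\Windows\System32\csrss.exe</Data>
    <Data Name="TargetProcessId">3320</Data>
    <Data Name="TargetImage">C:\Program Files\Vendor\agent.exe</Data>
    <Data Name="NewThreadId">3388</Data>
    <Data Name="StartAddress">0x00007FFE1A2B3C40</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData></Event>
  <Event><System><EventID>1</EventID></System><EventData>
    <Data Name="Image">C:\Windows\System32\notepad.exe</Data>
  </EventData></Event>
  <Event><System><EventID>8</EventID></System><EventData>
    <Data Name="UtcTime">2017-05-28 19:41:10.789</Data>
    <Data Name="SourceProcessId">3320</Data>
    <Data Name="SourceImage">C:\Program Files\Vendor\agent.exe</Data>
    <Data Name="TargetProcessId">900</Data>
    <Data Name="TargetImage">C:\Windows\System32\svchost.exe</Data>
    <Data Name="NewThreadId">4012</Data>
    <Data Name="StartAddress">0x00007FFE1A2B3C40</Data>
    <Data Name="StartModule">C:\Windows\System32\ntdll.dll</Data>
    <Data Name="StartFunction">RtlUserThreadStart</Data>
  </EventData></Event>
</Events>"""

# Source images that routinely create threads in other processes on a
# stock Windows host (assumed allowlist; tune it per environment).
DEFAULT_ALLOWLIST: Set[str] = {
    r"C:\Windows\System32\csrss.exe",
    r"C:\Windows\System32\wininit.exe",
}


@dataclass(frozen=True)
class RemoteThreadEvent:
    """One Sysmon Event ID 8 record, reduced to the fields the rule uses."""
    utc_time: str
    source_image: str
    source_pid: int
    target_image: str
    target_pid: int
    start_module: str    # empty when the start address lies outside every loaded module
    start_function: str


def parse_sysmon_events(xml_text: str) -> List[RemoteThreadEvent]:
    """Extract Event ID 8 records from a simplified Sysmon XML export."""
    root = ET.fromstring(xml_text)
    events = []
    for ev in root.iter("Event"):
        if ev.findtext("System/EventID") != "8":
            continue  # not a CreateRemoteThread event
        data = {d.get("Name"): (d.text or "") for d in ev.iter("Data")}
        events.append(RemoteThreadEvent(
            utc_time=data.get("UtcTime", ""),
            source_image=data.get("SourceImage", ""),
            source_pid=int(data.get("SourceProcessId", "0")),
            target_image=data.get("TargetImage", ""),
            target_pid=int(data.get("TargetProcessId", "0")),
            start_module=data.get("StartModule", ""),
            start_function=data.get("StartFunction", ""),
        ))
    return events


def flag_process_migration(events: Iterable[RemoteThreadEvent],
                           allowlist: Set[str] = DEFAULT_ALLOWLIST
                           ) -> List[Tuple[RemoteThreadEvent, List[str]]]:
    """Return (event, reasons) for every remote thread worth an alert."""
    allowed = {a.lower() for a in allowlist}
    hits = []
    for ev in events:
        if ev.source_image.lower() in allowed:
            continue  # expected system behaviour, suppress
        reasons = ["remote thread created by non-allowlisted process"]
        if not ev.start_module:
            # Injected shellcode/DLL stubs start in memory no module owns.
            reasons.append("start address not backed by a loaded module")
        hits.append((ev, reasons))
    return hits


if __name__ == "__main__":
    for ev, reasons in flag_process_migration(parse_sysmon_events(SAMPLE_XML)):
        print(f"{ev.utc_time} {ev.source_image} (pid {ev.source_pid}) -> "
              f"{ev.target_image} (pid {ev.target_pid}): {'; '.join(reasons)}")
```

Run as-is it prints the two alerts; feed it a real Sysmon export after stripping or mapping the namespace and adjust the allowlist to the host's baseline. Removing SeDebugPrivilege from ordinary users, as the answer suggests, reduces the number of processes a migration can target, while this kind of rule catches the cases the privilege change does not prevent.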