This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Cookie Policy. Click Preferences to customize your cookie settings.
Payload missed
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- LIVEcommunity
- Discussions
- Cloud Delivered Security Services
- Endpoint (Traps) Discussions
- Re: Payload missed
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Printer Friendly Page
Payload missed
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-02-2018 04:28 AM - edited 05-02-2018 06:12 AM
Ladies & Gents,
I created a x64 payload.exe (internal testing) this payload creates a reverse_tcp on port 4444. So I uploaded my 'payload.exe' to my test machine with Traps 4.1.3 (39-2454 Content).
Thinking, Traps will shut this down, to my horror it just let it run, in fact Windows Smart Filter triggered at first and let me click on proceed. Which I did and in a few seconds I had a meterpreter session running on my Kali box.
So my concern is why didn't Traps pick up on this? I also uploaded to WF which said it was a benign file, how can a file that opens up a reserve shell be cosnidered benign?
I am not no coder just used the standard tools in Kali, which means if I can anyone can.
Really worrying that Traps let this through 😞
Darren
11 REPLIES 11
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-02-2018 05:41 AM
I too have had concerns around similar items, as in "wtf, seriously" moments. I know that doesn't help you but just sayin' I share your concern.
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-02-2018 06:15 AM - edited 05-02-2018 06:16 AM
Yep I'm with you.
Biggest concern I have flagged this in WF as the wrong result, and left a message. It would be nice if someone from PA came back and said, yep we have this info and we are working on this or 'OMG you are right, nice spot'
I'm starting to think my over confidence in Traps was misplaced.
Darren
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-02-2018 09:54 AM
What was the hash on the file?
Options
- Mark as New
- Subscribe to RSS Feed
- Permalink
05-04-2018 05:29 AM
E53A09E7DA85F128ADFA180428C504262DE14375116197358E7734B113E8F117
Darren
Related Content
- Digium Asterisk WebSocket Frame Empty Payload Denial-of-Service Vulnerabi in Threat & Vulnerability Discussions
- Ripple20 Vulnerability Group in Threat & Vulnerability Discussions
- Traps management service connection from special security zone. in Endpoint (Traps) Discussions
- Latest TRAPS Content Update missing from Dynamic Updates in Endpoint (Traps) Discussions
- Threat blocked by Palo Alto: Is there anything else to do? in Threat & Vulnerability Discussions
Like what you see?
Show your appreciation!
Click Like if a post is helpful to you or if you just want to show your support.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
LEGAL NOTICES
Copyright 2007 - 2023 - Palo Alto Networks