The Metasploit Payload detection rule identifies potential exploitation attempts using Metasploit-generated payloads, which may indicate initial compromise or reconnaissance by an adversary. SOC teams should proactively hunt for this behavior in Azure Sentinel to detect early-stage attacks that leverage known exploit frameworks and evade traditional detection methods.
YARA Rule
rule Metasploit_Payload
{
    meta:
        author = "https://www.twitter.com/SadFud75"
        information = "Detection of payloads generated with metasploit"
    strings:
        $s1 = "-com.metasploit.meterpreter.AndroidMeterpreter"
        $s2 = ",Lcom/metasploit/stage/MainBroadcastReceiver;"
        $s3 = "#Lcom/metasploit/stage/MainActivity;"
        $s4 = "Lcom/metasploit/stage/Payload;"
        $s5 = "Lcom/metasploit/stage/a;"
        $s6 = "Lcom/metasploit/stage/c;"
        $s7 = "Lcom/metasploit/stage/b;"
    condition:
        androguard.package_name("com.metasploit.stage") or any of them
}
This YARA rule can be deployed in the following contexts:
This rule contains 7 string patterns in its detection logic.
Scenario: System update using msfupdate
Description: A legitimate system administration task where the Metasploit framework is used to update its own payload libraries.
Filter/Exclusion: Check for the presence of msfupdate in the command line or process name, or filter by process parent ID (e.g., systemd or init).
Scenario: Scheduled job running a known benign payload
Description: A scheduled task that executes a legitimate payload (e.g., msfvenom or msfconsole) as part of a routine security testing or patching process.
Filter/Exclusion: Filter by command line arguments containing --no-execute or --dry-run, or by checking the user context (e.g., root or admin with known permissions).
Scenario: Admin using Metasploit for penetration testing
Description: A security team member using Metasploit to perform authorized penetration testing on internal systems.
Filter/Exclusion: Filter by user context (e.g., security-team or pentester), or by checking for the presence of a valid penetration testing certificate or token in the environment.
Scenario: Metasploit payload used in a training environment
Description: A training lab where Metasploit is used to simulate attack scenarios for educational purposes.
Filter/Exclusion: Filter by IP range (e.g., 192.168.50.0/24) or by checking for the presence of a training environment identifier in the system logs.
Scenario: Legacy system using old Metasploit modules for compatibility
Description: An older system or application that relies on outdated Metasploit modules for backward compatibility or legacy functionality.
Filter/Exclusion: Filter by module name or version (e.g., `ms
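The following is an added worked example, not code from the page or from the rule's author. It does two things the text above describes: it reproduces the string half of the Metasploit_Payload rule as plain byte matching over a constructed DEX-like fragment (the androguard package-name check is stood in for by a package_name argument that a caller would obtain from the parsed manifest, since this example does not parse APKs), and it then triages a hit against the exclusion scenarios listed above. The 192.168.50.0/24 training range comes from the page; the account names in AUTHORIZED_USERS, the host names, and the sample bytes are constructed assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, Tuple

# --- Part 1: the string half of the Metasploit_Payload rule as plain byte matching ---
# The seven $s strings from the YARA rule on this page. YARA text strings match raw
# bytes, so the scan runs over bytes (e.g. a classes.dex extracted from an APK).
METASPLOIT_STAGE_STRINGS: Dict[str, bytes] = {
    "$s1": b"-com.metasploit.meterpreter.AndroidMeterpreter",
    "$s2": b",Lcom/metasploit/stage/MainBroadcastReceiver;",
    "$s3": b"#Lcom/metasploit/stage/MainActivity;",
    "$s4": b"Lcom/metasploit/stage/Payload;",
    "$s5": b"Lcom/metasploit/stage/a;",
    "$s6": b"Lcom/metasploit/stage/c;",
    "$s7": b"Lcom/metasploit/stage/b;",
}


def scan_bytes(data: bytes) -> Dict[str, int]:
    """Return {string_id: first_offset} for every rule string present in data."""
    hits: Dict[str, int] = {}
    for name, pattern in METASPLOIT_STAGE_STRINGS.items():
        offset = data.find(pattern)
        if offset != -1:
            hits[name] = offset
    return hits


def rule_matches(data: bytes, package_name: str = "") -> bool:
    """Mirror the rule condition: package_name == "com.metasploit.stage" or any of them.
    package_name stands in for androguard.package_name(); the caller supplies it from
    the parsed AndroidManifest.xml (assumption: this example does not parse APKs)."""
    return package_name == "com.metasploit.stage" or bool(scan_bytes(data))


# --- Part 2: triage of a hit against the exclusion scenarios described on this page ---
TRAINING_NETWORK = ipaddress.ip_network("192.168.50.0/24")  # training-lab range from the page
AUTHORIZED_USERS = {"security-team", "pentester"}           # assumed pentest accounts


@dataclass
class Detection:
    host: str
    user: str
    src_ip: str
    process: str       # process that produced or ran the scanned sample
    cmdline: str
    hits: Dict[str, int] = field(default_factory=dict)


def triage(det: Detection) -> Tuple[str, str]:
    """Return (verdict, reason) with verdict in {"ignore", "suppress", "escalate"}.
    Exclusions are applied in a fixed order and the reason is returned so that
    every suppression can be audited later."""
    if not det.hits:
        return "ignore", "rule did not fire"
    if ipaddress.ip_address(det.src_ip) in TRAINING_NETWORK:
        return "suppress", "source in training-lab range"
    if det.process == "msfupdate" or "msfupdate" in det.cmdline:
        return "suppress", "framework self-update (msfupdate)"
    if det.user in AUTHORIZED_USERS:
        return "suppress", "authorized penetration-testing account"
    return "escalate", "no documented exclusion applies"


# Constructed sample bytes shaped like a DEX string table; NOT a real Metasploit stage.
STAGE_LIKE_DEX = (
    b"dex\n035\x00" + b"\x00" * 8
    + b"Landroid/app/Activity;\x00"
    + b"Lcom/metasploit/stage/Payload;\x00"
    + b"Lcom/metasploit/stage/a;\x00"
)
BENIGN_DEX = b"dex\n035\x00Landroid/app/Activity;\x00Lcom/example/notes/MainActivity;\x00"


if __name__ == "__main__":
    hits = scan_bytes(STAGE_LIKE_DEX)
    # Same hit on two constructed hosts: one inside the training range, one outside.
    lab = Detection("lab-android-07", "student", "192.168.50.23", "adb", "adb install stage.apk", hits)
    prod = Detection("emp-phone-112", "jdoe", "10.40.3.15", "com.android.vending", "", hits)
    for det in (lab, prod):
        print(det.host, sorted(det.hits), triage(det))
```

The two-stage split matters operationally: the scan decides whether the rule fires, and the triage decides what the SOC does with it, so narrowing an exclusion (for example, limiting the training range) never weakens the detection itself, and the returned reason gives an audit trail for each suppressed hit.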