Release Context: The Rapid7 Metasploit team has announced a shift in their reporting cadence, but the technical output remains aggressive. This wrap-up highlights two significant capabilities that lower the barrier to entry for attackers: a new Linux payload family that automates architecture targeting and enhancements to HTTP-to-SMB relay attacks. For defenders, this translates to a need for improved network segmentation and stricter monitoring of Linux process execution chains.
Introduction
The evolution of offensive tools often presages the next wave of automated threats. This week's Metasploit update introduces the "Fetch Multi" malicious code family for Linux. Traditionally, attackers exploiting a Linux server had to first identify the target's architecture (x86, x64, ARM, etc.) before delivering the correct payload. This new payload automates that identification and retrieval process in a single step. Simultaneously, updates to HTTP-to-SMB relay modules breathe new life into classic NTLM relay attacks, allowing attackers to compromise internal Windows infrastructure via exposed web services. Defenders must act now to update signatures and restrict outbound internet access from critical Linux workloads.
Technical Analysis
1. Linux Fetch Multi Payload
- Affected Platforms: Linux (All architectures).
- Capability: The new
linux/x86/meterpreter/fetch_multi(and similar variants) generates a command that, upon execution, identifies the host architecture on-the-fly. It then reaches out to a controlled HTTP server to download the correct stageless Meterpreter payload. - Attack Chain:
- Initial Exploit (e.g., web app vuln or misconfiguration) gains basic code execution.
- Attacker deploys "Fetch Multi" stub.
- Stub runs
uname -mor equivalent to detect architecture. - Stub uses
curlorwgetto pull the specific binary from the attacker's server. - Binary is executed in memory or dropped to disk.
- Impact: This significantly speeds up post-exploitation on Linux, allowing attackers to automate the compromise of heterogeneous environments (mixing x86 servers and ARM IoT devices) with a single command.
2. HTTP to SMB Relay
- Capability: While specific details were truncated in the source, the title refers to modules facilitating NTLM relaying from an HTTP endpoint (like a web server) to an SMB service (like a Domain Controller).
- Attack Vector:
- Attacker positions themselves to intercept HTTP requests (e.g., via a phishing link or man-in-the-middle).
- Victim authenticates to the attacker's HTTP listener.
- Framework relays the NTLM handshake to a target SMB server.
- If SMB signing is not enforced, the attacker gains session access.
- Severity: High. This technique can lead to Domain Controller compromise and full ransomware deployment.
Detection & Response
SIGMA Rules
---
title: Potential Linux Fetch Multi Payload Activity
id: 9a8b7c6d-5e4f-3a2b-1c0d-9e8f7a6b5c4d
status: experimental
description: Detects suspicious Linux process chains where architecture probing (uname) is followed immediately by a network fetch tool (curl/wget) and execution. Typical of Metasploit Fetch Multi payloads.
references:
- https://www.rapid7.com/blog/post/pt-metasploit-wrap-up-an-http-to-smb-relay-plus-payload-improvements
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection:
ParentImage|endswith:
- '/sh'
- '/bash'
CommandLine|contains:
- 'uname -m'
- 'arch'
condition: selection | count() > 0
falsepositives:
- Legitimate system administration scripts
level: medium
---
title: Linux Direct Web Request to Shell Execution
id: b1c2d3e4-5f6a-7b8c-9d0e-1f2a3b4c5d6e
status: experimental
description: Detects the direct use of curl or wget piping data into a shell, a common indicator of "Fetch" style payloads.
references:
- https://attack.mitre.org/techniques/T1059/004/
author: Security Arsenal
date: 2026/04/06
tags:
- attack.execution
- attack.t1059.004
logsource:
category: process_creation
product: linux
detection:
selection_tools:
Image|endswith:
- '/curl'
- '/wget'
selection_flags:
CommandLine|contains:
- '| sh'
- '| bash'
- '| /bin/sh'
condition: all of selection_*
falsepositives:
- Legitimate developer bootstrapping scripts (rare in production)
level: high
KQL (Microsoft Sentinel / Defender)
This query hunts for the specific behavior of architecture checking followed by a web request, characteristic of the Fetch Multi logic.
kqln DeviceProcessEvents
| where Timestamp > ago(7d)
| where DeviceOS == "Linux"
| project Timestamp, DeviceName, InitiatingProcessFileName, ProcessCommandLine, FileName
| order by Timestamp asc
| serialize
| extend NextProcessName = next(FileName, 1), NextProcessCmd = next(ProcessCommandLine, 1)
| where ProcessCommandLine has_any ("uname", "arch") and (NextProcessName has_any ("curl", "wget") or NextProcessCmd has_any ("http", "https"))
| project Timestamp, DeviceName, "Detection" = "Fetch Multi Pattern", ReconProcess=FileName, ReconCmd=ProcessCommandLine, FetchProcess=NextProcessName, FetchCmd=NextProcessCmd
Velociraptor VQL
Hunt for processes that are children of common downloaders or suspicious shell invocations.
-- Hunt for Linux processes executing web requests directly in shell
SELECT Pid, Ppid, Name, Exe, CommandLine, Username
FROM pslist()
WHERE Name IN ('curl', 'wget', 'fetch')
AND CommandLine =~ '\|.*sh\s*$'
OR CommandLine =~ '\|.*bash\s*$'
Remediation Script (Bash)
A script to help identify and mitigate the risk of unauthorized payloads by auditing common downloaders and restricting execution.
#!/bin/bash
# Audit and Harden against Fetch-style payloads
# 1. Check for outbound internet connectivity from common shells (simulation)
# 2. Report on instances of curl/wget executing with pipes
echo "[+] Hunting for suspicious process activity..."
# Check for active processes matching the pattern
PIDS=$(pgrep -f "curl.*\|.*sh"; pgrep -f "wget.*\|.*sh")
if [ -n "$PIDS" ]; then
echo "[!] WARNING: Found suspicious processes piping web traffic to shell:"
ps -fp $PIDS
else
echo "[+] No suspicious piping processes found currently."
fi
# Recommend iptables rules to restrict outbound traffic for non-root users
echo ""
echo "[+] Recommendation: Restrict outbound HTTP/HTTPS for service accounts"
echo "Example iptables rule to block user 'www-data' from outbound internet on eth0:"
echo "iptables -A OUTPUT -o eth0 -m owner --uid-owner www-data -p tcp --dport 80 -j DROP"
echo "iptables -A OUTPUT -o eth0 -m owner --uid-owner www-data -p tcp --dport 443 -j DROP"
Remediation
-
Network Segmentation & Egress Filtering:
- Critical Action: Implement strict egress filtering. Linux servers, especially those running web services or databases, rarely need to initiate outbound connections to the public internet. Block outbound ports 80 and 443 from these segments except to specific update repositories.
- This directly neutralizes the "Fetch" payload capability, as the command will fail to download the stage.
-
SMB Hardening (Defense against Relay):
- SMB Signing: Ensure "Microsoft network server: Digitally sign communications (always)" is enabled on all Windows servers.
- NTLM Blocking: Where possible, disable NTLM authentication in favor of Kerberos. Use Windows Defender Credential Guard to prevent credential theft.
- LDAP Channel Binding: Enforce LDAP signing and channel binding on Domain Controllers to prevent relay attacks over port 389/636.
-
Linux Application Control:
- Utilize
fapolicyd(RHEL/CentOS) or AppArmor/SELinux to restrict which binaries can execute. Preventing the execution of unknown binaries downloaded bycurlorwgetis a high-value control.
- Utilize
-
Vulnerability Management:
- Scan web applications regularly. The initial vector for the HTTP relay is often a vulnerable web application. Patching web flaws prevents the attacker from getting the initial HTTP request they need to relay.
Executive Takeaways
- Automation is Accelerating: Tools like Metasploit are removing manual steps (like identifying architecture), allowing automated botnets to compromise Linux systems faster.
- Relay Attacks are Resurgent: The addition of HTTP-to-SMB modules in popular frameworks signals that attackers are looking for easy wins in internal networks via web services.
- Egress Controls are Vital: Stopping the exfiltration of data and the infiltration of tools (via fetch payloads) is best achieved by blocking outbound internet access from server segments.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.