New GZipDe Malware Drops Metasploit Backdoor

Discussion in 'malware problems & news' started by stapp, Jun 22, 2018.

  1. stapp

    stapp Global Moderator

  2. Rasheed187

    Rasheed187 Registered Member

    What they don't tell is how to block the in-memory Metasploit payload, isn't it true that it runs inside a certain process, like powershell.exe? So if you restrict these processes, it shouldn't be able to perform certain activities. I hate it when they don't explain this stuff.
     
  3. itman

    itman Registered Member

    Based on the below, it appears to be a classical PowerShell-based .NET attack. Monitoring PowerShell execution would have stopped it. If not so, setting PowerShell to Constrained Language mode would have stopped it. Also, blocking any outbound network traffic from PowerShell would have stopped it.

    Once the payload is loaded into memory and executed, the only thing that will stop it is if your security product has a memory scanner and a sig for the payload. Since this is post-execution detection, the malware could have done system modification or data harvesting activities prior to detection. Again, you need to stop this type of malware prior to payload execution.
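    The three controls itman lists (monitor PowerShell execution, put PowerShell in Constrained Language mode, block its outbound traffic) applied from an elevated Windows PowerShell session, as an added example that is not part of the thread or of any product; the rule names and the use of the unsupported __PSLockdownPolicy shortcut are assumptions, and the supported way to enforce Constrained Language mode is an AppLocker or WDAC policy in enforce mode.

```powershell
# Added example, not from the thread. Run elevated. Rule names/paths are assumptions.

# 1. Monitor PowerShell execution: script block logging records every script
#    block, including in-memory and de-obfuscated ones, as event ID 4104 in
#    the Microsoft-Windows-PowerShell/Operational log.
$sbl = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
if (-not (Test-Path $sbl)) { New-Item -Path $sbl -Force | Out-Null }
Set-ItemProperty -Path $sbl -Name EnableScriptBlockLogging -Value 1 -Type DWord

# 2. Report the language mode of this session. ConstrainedLanguage disables the
#    Add-Type / .NET reflection calls a memory-resident .NET loader depends on.
#    __PSLockdownPolicy=4 is the unsupported shortcut (assumption: lab use only)
#    and takes effect only for new sessions; use AppLocker/WDAC in production.
$mode = $ExecutionContext.SessionState.LanguageMode
Write-Host "Current language mode: $mode"
if ($mode -ne 'ConstrainedLanguage') {
    [Environment]::SetEnvironmentVariable('__PSLockdownPolicy', '4', 'Machine')
}

# 3. Block outbound traffic from both PowerShell hosts so a loader cannot pull
#    a second stage or reach its command-and-control server.
$hosts = @(
    "$env:SystemRoot\System32\WindowsPowerShell\v1.0\powershell.exe",
    "$env:SystemRoot\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
)
foreach ($exe in $hosts) {
    $name = "Block outbound - $exe"   # assumed rule name
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Outbound -Program $exe `
            -Action Block -Profile Any | Out-Null
    }
}

# 4. Confirm logging is producing data: show the five most recent 4104 events.
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated,
        @{ n = 'Script'; e = { $_.Message.Substring(0, [Math]::Min(80, $_.Message.Length)) } }
```

    Step 1 and step 3 give the pre-execution visibility and containment itman describes; a memory scanner only catches the payload after it is already running.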
     