Meterpreter or Cobalt Strike Getsystem Service Installation
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
Sigma rule

```yaml
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: unsupported
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2022/12/22
tags:
    - attack.privilege_escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
              - 'cmd'
              - '/c'
              - 'echo'
              - '\pipe\'
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
              - '%COMSPEC%'
              - '/c'
              - 'echo'
              - '\pipe\'
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
              - 'cmd.exe'
              - '/c'
              - 'echo'
              - '\pipe\'
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        - ImagePath|contains|all:
              - 'rundll32'
              - '.dll,a'
              - '/p:'
    condition: selection
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - ImagePath
falsepositives:
    - Highly unlikely
level: critical
```
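As an added example (not part of the rule or of the Sigma project), the four `ImagePath|contains|all` branches above expressed as plain Python and run over a few constructed service-installation records; it reproduces Sigma's case-insensitive `contains|all` semantics, so an upper-cased ImagePath still fires. The branch labels and the `SAMPLE_EVENTS` records are assumptions made for this example.

```python
# The four ImagePath|contains|all branches of the rule as Python data.
# Needles inside one branch are AND-ed; the branches are OR-ed (Sigma list-of-maps).
GETSYSTEM_BRANCHES = {
    "meterpreter technique 1 (cmd)": ["cmd", "/c", "echo", "\\pipe\\"],
    "cobaltstrike technique 1 (%COMSPEC%)": ["%COMSPEC%", "/c", "echo", "\\pipe\\"],
    "cobaltstrike technique 1b (cmd.exe)": ["cmd.exe", "/c", "echo", "\\pipe\\"],
    "meterpreter technique 2 (rundll32)": ["rundll32", ".dll,a", "/p:"],
}


def contains_all(value: str, needles: list[str]) -> bool:
    """Sigma 'contains|all': every needle is a case-insensitive substring of value."""
    haystack = value.lower()
    return all(n.lower() in haystack for n in needles)


def match_getsystem(image_path: str) -> list[str]:
    """Return the labels of every branch the service ImagePath satisfies (empty = no hit)."""
    return [label for label, needles in GETSYSTEM_BRANCHES.items()
            if contains_all(image_path, needles)]


def triage(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Run the rule over service-installation records; keep (ImagePath, branches) for hits."""
    hits = []
    for ev in events:
        branches = match_getsystem(ev.get("ImagePath", ""))
        if branches:
            hits.append((ev["ImagePath"], branches))
    return hits


# Constructed sample records (assumption, not real telemetry): the ImagePath shapes
# quoted in the rule's comments, an upper-cased variant, and two benign installs.
SAMPLE_EVENTS = [
    {"ImagePath": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"ImagePath": r"%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"ImagePath": r"CMD.EXE /C ECHO 559891BB017 > \\.\PIPE\5E120A"},
    {"ImagePath": r"rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn"},
    {"ImagePath": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"ImagePath": r"C:\Program Files\Example\agent.exe --service"},
]

if __name__ == "__main__":
    for path, branches in triage(SAMPLE_EVENTS):
        print(f"ALERT {path!r} -> {', '.join(branches)}")
```

Note that the plain `cmd.exe` record satisfies both the `cmd` and the `cmd.exe` branches, which is expected: the 1b branch exists to catch the expanded form of `%COMSPEC%`, not to be exclusive of the first.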
Related rules
- Potential Meterpreter/CobaltStrike Activity
- Detection of Possible Rotten Potato
- Suspicious Child Process Created as System
- CVE-2021-3156 Exploitation Attempt
- CVE-2021-3156 Exploitation Attempt Bruteforcing