Meterpreter or Cobalt Strike Getsystem Service Installation

Detects use of the Meterpreter/Cobalt Strike getsystem command by detecting the specific service installation it creates

Sigma rule

```yaml
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: unsupported
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2022/12/22
tags:
    - attack.privilege_escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    category: driver_load
detection:
    selection:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
            - 'cmd'
            - '/c'
            - 'echo'
            - '\pipe\'
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
            - '%COMSPEC%'
            - '/c'
            - 'echo'
            - '\pipe\'
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        - ImagePath|contains|all:
            - 'cmd.exe'
            - '/c'
            - 'echo'
            - '\pipe\'
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        - ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    condition: selection
fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
    - ImagePath
falsepositives:
    - Highly unlikely
level: critical
```
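As an added example (not part of the rule or the Sigma project), the four `ImagePath|contains|all` selections above transcribed into Python and run over constructed service-installation events, so the matching behaviour can be checked offline; `GETSYSTEM_PATTERNS`, `match_getsystem`, `scan` and the sample events are assumptions made for this illustration.

```python
# Sigma 'contains|all' selections from the rule, as sets of substrings that must
# all occur in ImagePath. Sigma string matching is case-insensitive by default,
# so both sides are lower-cased before comparison.
GETSYSTEM_PATTERNS = {
    "meterpreter_named_pipe": ("cmd", "/c", "echo", "\\pipe\\"),
    "cobaltstrike_comspec": ("%COMSPEC%", "/c", "echo", "\\pipe\\"),
    "cobaltstrike_comspec_expanded": ("cmd.exe", "/c", "echo", "\\pipe\\"),
    "meterpreter_rundll32": ("rundll32", ".dll,a", "/p:"),
}


def match_getsystem(image_path: str) -> list:
    """Return the names of every selection whose substrings all occur in ImagePath.

    The rule's selection is a list, so the selections are OR-ed: one hit is enough.
    """
    haystack = image_path.lower()
    return [
        name
        for name, parts in GETSYSTEM_PATTERNS.items()
        if all(part.lower() in haystack for part in parts)
    ]


# Constructed sample events (not real telemetry), modelled on the ImagePath
# values quoted in the rule's comments plus two benign service paths.
SAMPLE_EVENTS = [
    {"ComputerName": "WS01", "ImagePath": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"ComputerName": "WS02", "ImagePath": r"%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"ComputerName": "WS03", "ImagePath": r"rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn"},
    {"ComputerName": "WS04", "ImagePath": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # cmd + /c + echo without the named-pipe redirect must not fire
    {"ComputerName": "WS05", "ImagePath": r"cmd.exe /c echo started > C:\temp\out.txt"},
]


def scan(events: list) -> list:
    """Apply the rule to each event; return (ComputerName, ImagePath, matched selections)."""
    hits = []
    for event in events:
        matched = match_getsystem(event["ImagePath"])
        if matched:
            hits.append((event["ComputerName"], event["ImagePath"], matched))
    return hits


if __name__ == "__main__":
    for host, path, matched in scan(SAMPLE_EVENTS):
        print(f"{host}: {matched} <- {path}")
```

Note that the expanded-%COMSPEC% selection overlaps with the first one, so a `cmd.exe` service path matches two selections at once; this is harmless under an OR-ed condition but worth knowing when counting hits.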
