Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

Sigma rule

title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory needs to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'  # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
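To see what the detection block above actually evaluates, here is an added example (not SigmaHQ code, and not a substitute for a real Sigma backend such as sigma-cli or pySigma) that re-implements the three `selection_cli_*` blocks and the `condition` in plain Python and runs them over a handful of constructed Security-log records. It assumes events arrive as dicts carrying the same field names the rule uses (`EventID`, `ServiceFileName`, plus `ServiceName` for readable output), applies Sigma's default case-insensitive string matching, and builds its sample `ServiceFileName` values from the command lines quoted in the rule's own comments; the `ADMIN$` sample path and all service names are constructed.

```python
"""Toy re-implementation of the rule's detection logic over constructed EID 4697 records.

Illustrative only: this is not SigmaHQ code and does not replace a Sigma backend.
Field names follow the Windows Security log as used by the rule above.
"""
from __future__ import annotations

EID_SERVICE_INSTALLED = 4697  # Security log: "A service was installed in the system"

# Constructed sample events. Command lines for events 0-2 are the ones quoted in the
# rule's comments; the ADMIN$ path and the service names are made up for this example.
SAMPLE_EVENTS: list[dict] = [
    {"EventID": 4697, "ServiceName": "aBcDeF",
     "ServiceFileName": "cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a"},
    {"EventID": 4697, "ServiceName": "xyzQrs",
     "ServiceFileName": "%COMSPEC% /c echo 559891bb017 > \\\\.\\pipe\\5e120a"},
    {"EventID": 4697, "ServiceName": "tmexsn",
     "ServiceFileName": "rundll32.exe C:\\Users\\test\\AppData\\Local\\Temp\\tmexsn.dll,a /p:tmexsn"},
    {"EventID": 4697, "ServiceName": "sharesvc",
     "ServiceFileName": "\\\\127.0.0.1\\ADMIN$\\constructed_sample.exe"},
    # Benign service install: must not match any selection.
    {"EventID": 4697, "ServiceName": "Spooler",
     "ServiceFileName": "C:\\Windows\\System32\\spoolsv.exe"},
    # Same command line but a different EID: outside this rule's logsource scope.
    {"EventID": 7045, "ServiceName": "othersvc",
     "ServiceFileName": "cmd.exe /c echo 559891bb017 > \\\\.\\pipe\\5e120a"},
]


def _contains_all(value: str, needles: list[str]) -> bool:
    """Sigma 'contains|all': every needle occurs (case-insensitive by default)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def _contains_any(value: str, needles: list[str]) -> bool:
    """Sigma 'contains' with a list value: any one needle occurs."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def _startswith(value: str, prefix: str) -> bool:
    """Sigma 'startswith' (case-insensitive)."""
    return value.lower().startswith(prefix.lower())


def selection_cli_cmd(svc: str) -> bool:
    # Both field conditions inside one selection are AND-ed.
    return (_contains_all(svc, ["/c", "echo", "\\pipe\\"])
            and _contains_any(svc, ["cmd", "%COMSPEC%"]))


def selection_cli_rundll(svc: str) -> bool:
    return _contains_all(svc, ["rundll32", ".dll,a", "/p:"])


def selection_cli_share(svc: str) -> bool:
    # The rule writes this as '\\\\127.0.0.1\\ADMIN$\' in Sigma escaping, which
    # resolves to the literal UNC prefix \\127.0.0.1\ADMIN$\ used here.
    return _startswith(svc, "\\\\127.0.0.1\\ADMIN$\\")


SELECTIONS = {
    "selection_cli_cmd": selection_cli_cmd,
    "selection_cli_rundll": selection_cli_rundll,
    "selection_cli_share": selection_cli_share,
}


def matched_selections(event: dict) -> list[str]:
    """Names of the selection_cli_* blocks the event satisfies; [] if selection_eid fails.

    Mirrors the condition 'selection_eid and 1 of selection_cli_*'.
    """
    if event.get("EventID") != EID_SERVICE_INSTALLED:
        return []
    svc = event.get("ServiceFileName", "")
    return [name for name, check in SELECTIONS.items() if check(svc)]


def matches(event: dict) -> bool:
    return bool(matched_selections(event))


def run(events: list[dict]) -> list[tuple[str, list[str]]]:
    """Return (ServiceName, matched selections) for every alerting event."""
    return [(e["ServiceName"], hits) for e in events if (hits := matched_selections(e))]


if __name__ == "__main__":
    for name, hits in run(SAMPLE_EVENTS):
        print(f"ALERT service={name!r} via {', '.join(hits)}")
```

Running it alerts on the first four records and stays silent on the spooler install and on the EID 7045 record, which makes the rule's scoping explicit: the `logsource` and `selection_eid` restrict it to Security-channel service installs, so the same activity logged elsewhere has to be covered by a separate rule. The `_contains_*` helpers lower-case both sides because Sigma string modifiers are case-insensitive unless a backend is told otherwise; a converter that emits case-sensitive queries would miss the `%COMSPEC%` variant if the environment variable name were logged in a different case.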
