Meterpreter or Cobalt Strike Getsystem Service Installation - Security
Detects use of the Meterpreter/Cobalt Strike getsystem command by matching the service installation it creates, as recorded in Windows Security Event ID 4697.
Sigma rule

```yaml
title: Meterpreter or Cobalt Strike Getsystem Service Installation - Security
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
      type: derived
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: security
    definition: The 'System Security Extension' audit subcategory need to be enabled to log the EID 4697
detection:
    selection_eid:
        EventID: 4697
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        ServiceFileName|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ServiceFileName|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ServiceFileName|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_eid and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
```
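As an added example (not part of the SigmaHQ rule or its repository), the following Python evaluates the rule's detection block against constructed Security 4697 events, reproducing Sigma's case-insensitive `contains`, `contains|all` and `startswith` semantics and the `1 of selection_cli_*` condition. The first three sample command lines are the ones quoted in the rule's comments; the ADMIN$ path's file name and the benign decoys are constructed placeholders.

```python
from typing import Dict, List

# Selection values from the rule's detection block, after Sigma's backslash
# unescaping ('\\\\' -> one literal backslash). Sigma matching is case-insensitive.
CLI_CMD_ALL = ["/c", "echo", "\\pipe\\"]
CLI_CMD_ANY = ["cmd", "%COMSPEC%"]
CLI_RUNDLL_ALL = ["rundll32", ".dll,a", "/p:"]
CLI_SHARE_PREFIX = "\\\\127.0.0.1\\ADMIN$\\"


def contains_all(value: str, needles: List[str]) -> bool:
    """Sigma 'contains|all' modifier: every needle is a substring (case-insensitive)."""
    v = value.lower()
    return all(n.lower() in v for n in needles)


def contains_any(value: str, needles: List[str]) -> bool:
    """Sigma 'contains' over a list: at least one needle is a substring."""
    v = value.lower()
    return any(n.lower() in v for n in needles)


def matches_getsystem_rule(event: Dict[str, str]) -> bool:
    """Evaluate 'selection_eid and 1 of selection_cli_*' for one Security event."""
    if str(event.get("EventID", "")) != "4697":  # selection_eid
        return False
    sfn = event.get("ServiceFileName", "")
    cli_cmd = contains_all(sfn, CLI_CMD_ALL) and contains_any(sfn, CLI_CMD_ANY)
    cli_rundll = contains_all(sfn, CLI_RUNDLL_ALL)
    cli_share = sfn.lower().startswith(CLI_SHARE_PREFIX.lower())
    return cli_cmd or cli_rundll or cli_share


# Constructed sample events: the first three reuse the command lines quoted in the
# rule's comments, the fourth is a constructed ADMIN$ path, the rest are decoys.
SAMPLE_EVENTS = [
    {"EventID": "4697", "ServiceFileName": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"EventID": "4697", "ServiceFileName": r"%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a"},
    {"EventID": "4697", "ServiceFileName": r"rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn"},
    {"EventID": "4697", "ServiceFileName": r"\\127.0.0.1\ADMIN$\placeholder.exe"},
    {"EventID": "4697", "ServiceFileName": r"C:\Windows\System32\svchost.exe -k netsvcs"},
    # Same command line but System-log EID 7045: covered by the sibling '- System' rule, not this one.
    {"EventID": "7045", "ServiceFileName": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
]


def alerting_events(events: List[Dict[str, str]]) -> List[int]:
    """Indices of events that would fire the rule."""
    return [i for i, e in enumerate(events) if matches_getsystem_rule(e)]


if __name__ == "__main__":
    print("alerting event indices:", alerting_events(SAMPLE_EVENTS))  # [0, 1, 2, 3]
```

The EID gate is what distinguishes this rule from its "- System" sibling: an identical ServiceFileName logged as System 7045 does not fire here, so both rules are needed when only one of the two logs is collected.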
Related rules
- Meterpreter or Cobalt Strike Getsystem Service Installation - System
- Potential Meterpreter/CobaltStrike Activity
- HackTool - Koh Default Named Pipe
- HackTool - NoFilter Execution
- Suspicious Child Process Created as System