Meterpreter or Cobalt Strike Getsystem Service Installation - System
Detects the Meterpreter or Cobalt Strike getsystem command by the service installation (System log, Event ID 7045) it leaves behind
Sigma rule
```yaml
title: Meterpreter or Cobalt Strike Getsystem Service Installation - System
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
status: test
description: Detects the Meterpreter or Cobalt Strike getsystem command by the service installation (System log, Event ID 7045) it leaves behind
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
date: 2019-10-26
modified: 2023-11-15
tags:
    - attack.privilege-escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    product: windows
    service: system
detection:
    selection_id:
        Provider_Name: 'Service Control Manager'
        EventID: 7045
    selection_cli_cmd:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): C:\Windows\system32\cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        ImagePath|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        ImagePath|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_cli_rundll:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    selection_cli_share:
        ImagePath|startswith: '\\\\127.0.0.1\\ADMIN$\' # https://twitter.com/svch0st/status/1413688851877416960?lang=en
    condition: selection_id and 1 of selection_cli_*
falsepositives:
    - Unlikely
level: high
```
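To see what the detection block actually matches, here is the rule's logic re-implemented in plain Python and run over constructed Event ID 7045 records. This is an added example, not code from the Sigma rule or the SigmaHQ project. It assumes the Sigma defaults the rule relies on: string modifiers compare case-insensitively (no `|cased`), and a doubled backslash in a pattern is one literal backslash, so `'\\\\127.0.0.1\\ADMIN$\'` means `\\127.0.0.1\ADMIN$\`. The sample records are constructed; their ImagePath values follow the shapes quoted in the rule's comments, the `svc.exe` name in the share case is made up, and the non-7045 decoy exists only to exercise the EventID gate.

```python
# Added example, not part of the Sigma rule or the SigmaHQ project: the rule's
# detection block re-implemented in plain Python and run over constructed
# Event ID 7045 records so the match semantics can be checked offline.
from typing import Dict, List, Optional, Tuple

# Patterns copied from the rule's detection block. Sigma's '\\' escape is one
# literal backslash, so '\\\\127.0.0.1\\ADMIN$\' becomes \\127.0.0.1\ADMIN$\ .
# Everything is lower-cased because Sigma string matching is case-insensitive
# by default (assumption: no |cased modifier is in play).
CLI_CMD_ALL = ("/c", "echo", "\\pipe\\")          # ImagePath|contains|all
CLI_CMD_ANY = ("cmd", "%comspec%")                # ImagePath|contains
CLI_RUNDLL_ALL = ("rundll32", ".dll,a", "/p:")    # ImagePath|contains|all
CLI_SHARE_PREFIX = "\\\\127.0.0.1\\admin$\\"      # ImagePath|startswith


def matches_getsystem_rule(event: Dict[str, object]) -> Optional[str]:
    """Return the selection_cli_* name that fired for one event, or None.

    Mirrors `condition: selection_id and 1 of selection_cli_*`.
    """
    # selection_id: a service installation logged by the Service Control Manager
    if event.get("Provider_Name") != "Service Control Manager" or event.get("EventID") != 7045:
        return None
    image = str(event.get("ImagePath", "")).lower()
    if all(p in image for p in CLI_CMD_ALL) and any(p in image for p in CLI_CMD_ANY):
        return "selection_cli_cmd"
    if all(p in image for p in CLI_RUNDLL_ALL):
        return "selection_cli_rundll"
    if image.startswith(CLI_SHARE_PREFIX):
        return "selection_cli_share"
    return None


def run_rule(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Run the rule over a batch; return (index, selection) for every hit."""
    hits = []
    for i, ev in enumerate(events):
        sel = matches_getsystem_rule(ev)
        if sel:
            hits.append((i, sel))
    return hits


# Constructed System-log records (not real telemetry). Only the fields the
# rule keys on are modelled; ImagePath values follow the shapes quoted in the
# rule's comments. 'svc.exe' in the share case is a made-up name.
SAMPLE_EVENTS: List[Dict[str, object]] = [
    # 0: meterpreter technique 1
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    # 1: cobaltstrike technique 1, %COMSPEC% left unexpanded
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a"},
    # 2: cobaltstrike technique 1b, %COMSPEC% expanded, unusual casing
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"C:\Windows\system32\CMD.EXE /c echo 559891bb017 > \\.\pipe\5e120a"},
    # 3: meterpreter technique 2 (DLL loaded through rundll32)
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn"},
    # 4: service binary staged on the local ADMIN$ share
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"\\127.0.0.1\ADMIN$\svc.exe"},
    # 5: benign service install, must not fire
    {"Provider_Name": "Service Control Manager", "EventID": 7045,
     "ImagePath": r"C:\Windows\Sysmon64.exe"},
    # 6: same ImagePath but not a 7045 install event (constructed decoy; a real
    #    7036 carries no ImagePath, the point is the EventID gate in selection_id)
    {"Provider_Name": "Service Control Manager", "EventID": 7036,
     "ImagePath": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
]

if __name__ == "__main__":
    for idx, sel in run_rule(SAMPLE_EVENTS):
        print(f"event {idx}: {sel} <- {SAMPLE_EVENTS[idx]['ImagePath']}")
```

Two things worth noticing when porting this to a SIEM: the pipe name and the echoed token are random per run, so the rule deliberately keys on the stable shape (`/c echo ... > \pipe\`, `.dll,a /p:`, the `\\127.0.0.1\ADMIN$\` prefix) rather than on values, and the rule only holds if the backend honours Sigma's case-insensitive matching, since record 2 above would be missed by a case-sensitive `cmd` contains. The companion rule listed under Related rules applies the same patterns to the Security log's service-installation event (4697).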
Related rules
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Potential Meterpreter/CobaltStrike Activity
- HackTool - Koh Default Named Pipe
- HackTool - SharpDPAPI Execution
- HackTool - SharpImpersonation Execution