Potential Meterpreter/CobaltStrike Activity
Detects use of the Meterpreter/Cobalt Strike getsystem command by spotting the specific service child process it starts under services.exe
Sigma rule

```yaml
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019-10-26
modified: 2023-02-05
tags:
    - attack.defense-evasion
    - attack.privilege-escalation
    - attack.t1134.001
    - attack.t1134.002
logsource:
    category: process_creation
    product: windows
detection:
    selection_img:
        ParentImage|endswith: '\services.exe'
    selection_technique_1:
        # Examples:
        # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
        CommandLine|contains|all:
            - '/c'
            - 'echo'
            - '\pipe\'
        CommandLine|contains:
            - 'cmd'
            - '%COMSPEC%'
    selection_technique_2:
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
        CommandLine|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
    filter_defender:
        CommandLine|contains: 'MpCmdRun'
    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
fields:
    - ComputerName
    - User
    - CommandLine
falsepositives:
    - Commandlines containing components like cmd accidentally
    - Jobs and services started with cmd
level: high
```
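To make the condition concrete, here is an added example (not part of the rule or of any SigmaHQ tooling) that re-implements the detection block in plain Python and runs it over constructed process_creation events mirroring the command lines quoted in the rule's comments, plus a Defender false-positive case and two negatives. It assumes Sigma's default case-insensitive string matching and an event dictionary with `ParentImage` and `CommandLine` keys.

```python
# Plain-Python re-implementation of the rule's detection block (added example).
# Sigma string modifiers match case-insensitively, so both sides are lower-cased.

def _cl(ev):
    return ev.get("CommandLine", "").lower()

def selection_img(ev):
    # ParentImage|endswith: '\services.exe'
    return ev.get("ParentImage", "").lower().endswith("\\services.exe")

def selection_technique_1(ev):
    # CommandLine|contains|all: '/c', 'echo', '\pipe\'  AND  contains: 'cmd' or '%COMSPEC%'
    cl = _cl(ev)
    return (all(s in cl for s in ("/c", "echo", "\\pipe\\"))
            and any(s in cl for s in ("cmd", "%comspec%")))

def selection_technique_2(ev):
    # CommandLine|contains|all: 'rundll32', '.dll,a', '/p:'
    return all(s in _cl(ev) for s in ("rundll32", ".dll,a", "/p:"))

def filter_defender(ev):
    # CommandLine|contains: 'MpCmdRun'
    return "mpcmdrun" in _cl(ev)

def matches(ev):
    # condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
    return (selection_img(ev)
            and (selection_technique_1(ev) or selection_technique_2(ev))
            and not filter_defender(ev))

# Constructed sample events: the first three mirror the command lines quoted in
# the rule's comments; the rest exercise the Defender filter and negative paths.
SVC = r"C:\Windows\System32\services.exe"
EVENTS = {
    "t1_cmd":       {"ParentImage": SVC, "CommandLine": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    "t1b_comspec":  {"ParentImage": SVC, "CommandLine": r"%COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a"},
    "t2_rundll32":  {"ParentImage": SVC, "CommandLine": r"rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn"},
    "defender_fp":  {"ParentImage": SVC, "CommandLine": r"cmd.exe /c echo scan > \\.\pipe\mp && MpCmdRun.exe -Scan"},
    "wrong_parent": {"ParentImage": r"C:\Windows\explorer.exe", "CommandLine": r"cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a"},
    "benign_job":   {"ParentImage": SVC, "CommandLine": r"cmd.exe /c echo backup done >> C:\logs\job.txt"},
}

def alerts(events=EVENTS):
    """Return the names of the events that would trigger the rule."""
    return sorted(name for name, ev in events.items() if matches(ev))

if __name__ == "__main__":
    print(alerts())  # ['t1_cmd', 't1b_comspec', 't2_rundll32']
```

Note that `defender_fp` satisfies `selection_technique_1` and is only suppressed by `filter_defender`, which is the path the `falsepositives` entries in the rule are warning about.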
Related rules
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Meterpreter or Cobalt Strike Getsystem Service Installation - System
- HackTool - Koh Default Named Pipe
- HackTool - NoFilter Execution
- Suspicious Child Process Created as System