Potential Meterpreter/CobaltStrike Activity

 1title: Potential Meterpreter/CobaltStrike Activity
 2id: 15619216-e993-4721-b590-4c520615a67d
 3status: test
 4description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
 5references:
 6    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
 7    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
 8author: Teymur Kheirkhabarov, Ecco, Florian Roth
 9date: 2019-10-26
10modified: 2023-02-05
11tags:
12    - attack.privilege-escalation
13    - attack.t1134.001
14    - attack.t1134.002
15logsource:
16    category: process_creation
17    product: windows
18detection:
19    selection_img:
20        ParentImage|endswith: '\services.exe'
21    selection_technique_1:
22        # Examples:
23        #   Meterpreter  getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
24        #   CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
25        #   CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
26        CommandLine|contains|all:
27            - '/c'
28            - 'echo'
29            - '\pipe\'
30        CommandLine|contains:
31            - 'cmd'
32            - '%COMSPEC%'
33    selection_technique_2:
34        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
35        CommandLine|contains|all:
36            - 'rundll32'
37            - '.dll,a'
38            - '/p:'
39    filter_defender:
40        CommandLine|contains: 'MpCmdRun'
41    condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
42fields:
43    - ComputerName
44    - User
45    - CommandLine
46falsepositives:
47    - Commandlines containing components like cmd accidentally
48    - Jobs and services started with cmd
49level: high