Potential Meterpreter/CobaltStrike Activity
Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
Sigma rule (View on GitHub)
1title: Potential Meterpreter/CobaltStrike Activity
2id: 15619216-e993-4721-b590-4c520615a67d
3status: test
4description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
5references:
6 - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
7 - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
8author: Teymur Kheirkhabarov, Ecco, Florian Roth
9date: 2019-10-26
10modified: 2023-02-05
11tags:
12 - attack.privilege-escalation
13 - attack.t1134.001
14 - attack.t1134.002
15logsource:
16 category: process_creation
17 product: windows
18detection:
19 selection_img:
20 ParentImage|endswith: '\services.exe'
21 selection_technique_1:
22 # Examples:
23 # Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
24 # CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
25 # CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
26 CommandLine|contains|all:
27 - '/c'
28 - 'echo'
29 - '\pipe\'
30 CommandLine|contains:
31 - 'cmd'
32 - '%COMSPEC%'
33 selection_technique_2:
34 # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
35 CommandLine|contains|all:
36 - 'rundll32'
37 - '.dll,a'
38 - '/p:'
39 filter_defender:
40 CommandLine|contains: 'MpCmdRun'
41 condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
42fields:
43 - ComputerName
44 - User
45 - CommandLine
46falsepositives:
47 - Commandlines containing components like cmd accidentally
48 - Jobs and services started with cmd
49level: high
References
Related rules
- Meterpreter or Cobalt Strike Getsystem Service Installation - Security
- Meterpreter or Cobalt Strike Getsystem Service Installation - System
- HackTool - Koh Default Named Pipe
- HackTool - SharpDPAPI Execution
- HackTool - SharpImpersonation Execution