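action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov
date: 2019/10/26
modified: 2019/11/11
references:
  - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
  - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
  - attack.privilege_escalation
  - attack.t1134
detection:
  # `selection` is a YAML list, so its entries are OR-ed together; inside each
  # entry `contains|all` requires every listed substring to be present.
  # A previous catch-all entry (`ServiceFileName|contains: ['cmd', 'comspec']`)
  # was removed: being OR-ed with the specific patterns below it subsumed the
  # two cmd/COMSPEC command lines and fired on every service whose binary
  # path merely contained "cmd", which is far broader than the "Highly
  # unlikely" false-positive assessment and the critical level imply.
  # The remaining three entries match the concrete getsystem command lines.
  selection:
    # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
    - ServiceFileName|contains|all:
        - 'cmd'
        - '/c'
        - 'echo'
        - '\pipe\'
    # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
    - ServiceFileName|contains|all:
        - '%COMSPEC%'
        - '/c'
        - 'echo'
        - '\pipe\'
    # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
    - ServiceFileName|contains|all:
        - 'rundll32'
        - '.dll,a'
        - '/p:'
  condition: selection
# Fields shown with a hit so an analyst can pivot to the host and the account
# that installed the service.
fields:
  - ComputerName
  - SubjectDomainName
  - SubjectUserName
  - ServiceFileName
falsepositives:
  - Highly unlikely
level: critical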
---
# Log source 1 of 3 for the global rule above: the Windows System log,
# Service Control Manager EventID 7045 ("A service was installed in the system").
# NOTE(review): the raw 7045 event names the binary path `ImagePath`; the
# `ServiceFileName` key used by the global selection presumably relies on the
# backend field mapping — confirm it is mapped for this source.
logsource:
  product: windows
  service: system
detection:
  selection:
    EventID: 7045
---
# Log source 2 of 3 for the global rule above: Sysmon EventID 6.
# NOTE(review): Sysmon EventID 6 is "Driver loaded" (fields such as
# ImageLoaded/Hashes/Signature) rather than a service-installation event, and
# it does not appear to carry a ServiceFileName field, so this document is
# unlikely to ever match the global selection — confirm against the Sysmon
# schema and consider whether this source should be dropped.
logsource:
  product: windows
  service: sysmon
detection:
  selection:
    EventID: 6
---
# Log source 3 of 3 for the global rule above: the Windows Security log,
# EventID 4697 ("A service was installed in the system"), which carries
# ServiceFileName natively.
# NOTE(review): 4697 is only generated when the "Audit Security System
# Extension" subcategory is enabled; without it this source produces no
# events and the rule silently relies on the other two documents.
logsource:
  product: windows
  service: security
detection:
  selection:
    EventID: 4697