-
-
Notifications
You must be signed in to change notification settings - Fork 2.1k
/
proc_creation_win_hktl_meterpreter_getsystem.yml
49 lines (49 loc) · 1.79 KB
/
proc_creation_win_hktl_meterpreter_getsystem.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
title: Potential Meterpreter/CobaltStrike Activity
id: 15619216-e993-4721-b590-4c520615a67d
status: test
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service starting
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2023/02/05
tags:
- attack.privilege_escalation
- attack.t1134.001
- attack.t1134.002
logsource:
category: process_creation
product: windows
detection:
selection_img:
ParentImage|endswith: '\services.exe'
selection_technique_1:
# Examples:
# Meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
# CobaltStrike getsystem technique 1b (expanded env var): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
# CobaltStrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
CommandLine|contains|all:
- '/c'
- 'echo'
- '\pipe\'
CommandLine|contains:
- 'cmd'
- '%COMSPEC%'
selection_technique_2:
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
CommandLine|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
filter_defender:
CommandLine|contains: 'MpCmdRun'
condition: selection_img and 1 of selection_technique_* and not 1 of filter_*
fields:
- ComputerName
- User
- CommandLine
falsepositives:
- Commandlines containing components like cmd accidentally
- Jobs and services started with cmd
level: high