detection.wiki

Detection rules › Sigma

Meterpreter or Cobalt Strike Getsystem Service Installation - Security

Severity
high
Author
Teymur Kheirkhabarov, Ecco, Florian Roth (Nextron Systems)
Source
upstream

Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1134.001 Access Token Manipulation: Token Impersonation/Theft, T1134.002 Access Token Manipulation: Create Process with Token
Defense EvasionT1134.001 Access Token Manipulation: Token Impersonation/Theft, T1134.002 Access Token Manipulation: Create Process with Token

Event coverage

ProviderEvent IDTitle
Security-Auditing4697A service was installed in the system.

Stages and Predicates

Stage 1: selection_eid

Stage 2: 1 of selection_cli_cmd

or:
ServiceFileName|contains: '%COMSPEC%'
ServiceFileName|contains: cmd
ServiceFileName|contains: '/c'
ServiceFileName|contains: '\pipe\'
ServiceFileName|contains: echo

Stage 3: 1 of selection_cli_rundll

ServiceFileName|contains: '.dll,a'
ServiceFileName|contains: '/p:'
ServiceFileName|contains: rundll32

Stage 4: 1 of selection_cli_share

ServiceFileName|startswith: '\\\\127.0.0.1\\ADMIN$\'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
ServiceFileNamematch
  • %COMSPEC% corpus 2 (sigma 2)
  • .dll,a
  • /c corpus 3 (sigma 3)
  • /p:
  • \pipe\
  • cmd corpus 5 (sigma 5)
  • echo
  • rundll32 corpus 2 (sigma 2)
ServiceFileNamestarts_with
  • \\\\127.0.0.1\\ADMIN$\

Neighbors

Stricter alternatives (narrower than this rule)

The rules below may be useful if you find the current rule is too noisy / lacks specificity.