split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

This commit is contained in:
frack113 2021-09-21 15:50:06 +02:00
parent 0dd549ba67
commit 9dbc71ca2f
3 changed files with 125 additions and 30 deletions


@ -1,9 +1,9 @@
action: global
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/05/20
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@ -12,58 +12,42 @@ tags:
- attack.t1134 # an old one
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: system
detection:
selection_id:
EventID: 7045
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- ImagePath|contains|all:
- 'cmd'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- ImagePath|contains|all:
- '%COMSPEC%'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- ImagePath|contains|all:
- 'cmd.exe'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ServiceFileName|contains|all:
- ImagePath|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection
condition: selection_id and selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ServiceFileName
- ImagePath
falsepositives:
- Highly unlikely
level: critical
---
id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
logsource:
product: windows
service: system
detection:
selection:
EventID: 7045
---
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
logsource:
product: windows
category: driver_load
---
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
logsource:
product: windows
service: security
detection:
selection:
EventID: 4697
level: critical
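Review bot: `action: global` on the first line of the file is printed once, i.e. unchanged, while the three trailing `---` documents (ids 843544a7, d585ab5a, ecbc5e16) appear to be what this split removes; if that reading is right, the file now consists of a single global document with nothing after it, and as far as I know sigmac treats a global document purely as a template and emits no rule from it. The line should go together with the documents it used to feed, so the remaining System/7045 document becomes a standalone rule: drop `action: global`. The page does not mark old/new sides, so please confirm against the raw diff. A secondary point on the same hunk: `fields` still lists `SubjectDomainName` and `SubjectUserName`, which to my knowledge are attributes of the Security 4697 event rather than of System 7045 (that one carries `AccountName`), so they will be empty in this rule's output — worth checking against the event schema now that 4697 lives in its own file.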


@ -0,0 +1,56 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- attack.t1134 # an old one
- attack.t1134.001
- attack.t1134.002
logsource:
product: windows
service: security
detection:
selection_id:
EventID: 4697
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- '%COMSPEC%'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ServiceFileName|contains|all:
- 'cmd.exe'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ServiceFileName|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection_id and selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ServiceFileName
falsepositives:
- Highly unlikely
level: critical
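Review bot: The third match group ("technique 1b", `cmd.exe`/`/c`/`echo`/`\pipe\`) is fully subsumed by the first (`cmd`/`/c`/`echo`/`\pipe\`): any `ServiceFileName` containing `cmd.exe` also contains `cmd`, so the group can never match something the first does not and only lengthens the generated query. Either remove it or, if it is kept as documentation of the expanded-%COMSPEC% variant, say so in its comment, e.g. `# covered by technique 1 above; kept only to document the expanded %COMSPEC% form`. The same redundancy exists in the driver_load file added in this commit and in the global rule's remaining selection. On `selection_id`, it may help operators to note in the description that 4697 is only logged when the "Audit Security System Extension" subcategory is enabled, since the rule otherwise silently sees no events.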


@ -0,0 +1,55 @@
title: Meterpreter or Cobalt Strike Getsystem Service Installation
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
related:
- id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
type: derived
description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
author: Teymur Kheirkhabarov, Ecco, Florian Roth
date: 2019/10/26
modified: 2021/09/21
references:
- https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
- https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
tags:
- attack.privilege_escalation
- attack.t1134 # an old one
- attack.t1134.001
- attack.t1134.002
id: d585ab5a-6a69-49a8-96e8-4a726a54de46
logsource:
product: windows
category: driver_load
detection:
selection:
# meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
- ImagePath|contains|all:
- 'cmd'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ImagePath|contains|all:
- '%COMSPEC%'
- '/c'
- 'echo'
- '\pipe\'
# cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
- ImagePath|contains|all:
- 'cmd.exe'
- '/c'
- 'echo'
- '\pipe\'
# meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
- ImagePath|contains|all:
- 'rundll32'
- '.dll,a'
- '/p:'
condition: selection
fields:
- ComputerName
- SubjectDomainName
- SubjectUserName
- ImagePath
falsepositives:
- Highly unlikely
level: critical
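Review bot: The top-level `id: d585ab5a-6a69-49a8-96e8-4a726a54de46` key appears twice in this new file, once after `title` and again just before `logsource`; duplicate mapping keys are invalid YAML and strict loaders reject the document, while lenient ones silently take the last value. The second occurrence is a leftover of the per-document `id` from the old global layout and should be deleted. Separately, please verify the field choice: in the Sigma taxonomy `category: driver_load` maps, to my knowledge, to Sysmon Event ID 6, whose loaded-image attribute is `ImageLoaded` rather than `ImagePath`, and a driver-load event would not carry a `cmd /c echo ... > \pipe\` command line at all — so this derived rule may never fire. If the intent was a service-installation source, the logsource needs changing; if driver loads really are meant, the selections need rewriting against that event's fields.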