split global win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml

2024-11-06 17:35:19 +00:00 · 2021-09-21 15:50:06 +02:00 · 2021-09-21 15:50:06 +02:00 · 9dbc71ca2f
commit 9dbc71ca2f
parent 0dd549ba67
3 changed files with 125 additions and 30 deletions
--- a/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@ -1,9 +1,9 @@
-action: global
 title: Meterpreter or Cobalt Strike Getsystem Service Installation
+id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
 description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
 author: Teymur Kheirkhabarov, Ecco, Florian Roth
 date: 2019/10/26
-modified: 2021/05/20
+modified: 2021/09/21
 references:
    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
@ -12,58 +12,42 @@ tags:
    - attack.t1134          # an old one
    - attack.t1134.001
    - attack.t1134.002
+logsource:
+    product: windows
+    service: system
 detection:
+    selection_id:
+        EventID: 7045
    selection:
        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
-        - ServiceFileName|contains|all:
+        - ImagePath|contains|all:
            - 'cmd'
            - '/c'
            - 'echo'
            - '\pipe\'
        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
-        - ServiceFileName|contains|all:
+        - ImagePath|contains|all:
            - '%COMSPEC%'
            - '/c'
            - 'echo'
            - '\pipe\'
        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
-        - ServiceFileName|contains|all:
+        - ImagePath|contains|all:
            - 'cmd.exe'
            - '/c'
            - 'echo'
            - '\pipe\'
        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
-        - ServiceFileName|contains|all:
+        - ImagePath|contains|all:
            - 'rundll32'
            - '.dll,a'
            - '/p:'
-    condition: selection
+    condition: selection_id and selection
 fields:
    - ComputerName
    - SubjectDomainName
    - SubjectUserName
-    - ServiceFileName
+    - ImagePath
 falsepositives:
    - Highly unlikely
 level: critical
---
-id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
-logsource:
-    product: windows
-    service: system
-detection:
-    selection:
-        EventID: 7045
---
-id: d585ab5a-6a69-49a8-96e8-4a726a54de46
-logsource:
-    product: windows
-    category: driver_load
---
-id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
-logsource:
-    product: windows
-    service: security
-detection:
-    selection:
-        EventID: 4697
--- a/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/builtin/win_security_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@ -0,0 +1,56 @@
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+id: ecbc5e16-58e0-4521-9c60-eb9a7ea4ad34
+related:
+    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+      type: derived
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+modified: 2021/09/21
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+    - attack.privilege_escalation
+    - attack.t1134          # an old one
+    - attack.t1134.001
+    - attack.t1134.002
+logsource:
+    product: windows
+    service: security
+detection:
+    selection_id:
+        EventID: 4697
+    selection:
+        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
+        - ServiceFileName|contains|all:
+            - 'cmd'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        - ServiceFileName|contains|all:
+            - '%COMSPEC%'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        - ServiceFileName|contains|all:
+            - 'cmd.exe'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+        - ServiceFileName|contains|all:
+            - 'rundll32'
+            - '.dll,a'
+            - '/p:'
+    condition: selection_id and selection
+fields:
+    - ComputerName
+    - SubjectDomainName
+    - SubjectUserName
+    - ServiceFileName
+falsepositives:
+    - Highly unlikely
+level: critical
--- a/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
+++ b/rules/windows/driver_load/driver_load_meterpreter_or_cobaltstrike_getsystem_service_installation.yml
@ -0,0 +1,55 @@
+title: Meterpreter or Cobalt Strike Getsystem Service Installation
+id: d585ab5a-6a69-49a8-96e8-4a726a54de46
+related:
+    - id: 843544a7-56e0-4dcc-a44f-5cc266dd97d6
+      type: derived
+description: Detects the use of getsystem Meterpreter/Cobalt Strike command by detecting a specific service installation
+author: Teymur Kheirkhabarov, Ecco, Florian Roth
+date: 2019/10/26
+modified: 2021/09/21
+references:
+    - https://speakerdeck.com/heirhabarov/hunting-for-privilege-escalation-in-windows-environment
+    - https://blog.cobaltstrike.com/2014/04/02/what-happens-when-i-type-getsystem/
+tags:
+    - attack.privilege_escalation
+    - attack.t1134          # an old one
+    - attack.t1134.001
+    - attack.t1134.002
+id: d585ab5a-6a69-49a8-96e8-4a726a54de46
+logsource:
+    product: windows
+    category: driver_load
+detection:
+    selection:
+        # meterpreter getsystem technique 1: cmd.exe /c echo 559891bb017 > \\.\pipe\5e120a
+        - ImagePath|contains|all:
+            - 'cmd'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # cobaltstrike getsystem technique 1: %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        - ImagePath|contains|all:
+            - '%COMSPEC%'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # cobaltstrike getsystem technique 1b (expanded %COMSPEC%): %COMSPEC% /c echo 559891bb017 > \\.\pipe\5e120a
+        - ImagePath|contains|all:
+            - 'cmd.exe'
+            - '/c'
+            - 'echo'
+            - '\pipe\'
+        # meterpreter getsystem technique 2: rundll32.exe C:\Users\test\AppData\Local\Temp\tmexsn.dll,a /p:tmexsn
+        - ImagePath|contains|all:
+            - 'rundll32'
+            - '.dll,a'
+            - '/p:'
+    condition: selection
+fields:
+    - ComputerName
+    - SubjectDomainName
+    - SubjectUserName
+    - ImagePath
+falsepositives:
+    - Highly unlikely
+level: critical