mitre-attack / car

Cyber Analytics Repository


CAR-2021-01-15: GetSystem in Meterpreter & Cobalt Strike & Empire & PoshC2 Beacon

sebastiendamaye opened this issue · comments

This analytic is inspired by the excellent post from RedCanary available here.

Windows Services often need this level of privilege for system management. Client management and deployment products often use SYSTEM to allow software installations. Security software often uses SYSTEM to peer into the activity of other users on a system, a use case that also appeals to adversaries. When using SYSTEM, an adversary can monitor and manipulate data from any other user on that local computer. While this account doesn’t allow an adversary network access to log on to other computers, it does allow the adversary to execute credential access attacks against files and memory on a computer to compromise credentials for network access. This is commonly seen with attacks that use tools like Mimikatz. In the really unfortunate cases where adversaries gain access to the SYSTEM account on Active Directory domain controllers, they can grab credentials for any users within the domain and manipulate Active Directory to add accounts for themselves.

This is why many offensive security tools include a command named getsystem or similar. These commands make those tools try one or more things to elevate privileges to that SYSTEM account so the adversary can own everything on the victim host.

ATT&CK Coverage

| Technique | Level of Coverage |
|---|---|
| Abuse Elevation Control Mechanism | Moderate |

Data Model Mappings

| Object | Action | Field |
|---|---|---|
| process | create | command_line |
| process | create | exe |

Analytic Code

GetSystem in Meterpreter & Cobalt Strike’s Beacon

With process monitoring, hunt for processes matching these criteria:

  • parent process is services.exe
  • process name is cmd.exe
  • command line includes echo AND \pipe\

Examples:

cmd.exe /c echo ba80ae80df9 > \\.\pipe\66bee3
cmd.exe /c echo fvxens > \\.\pipe\fvxens

The second GetSystem method uses rundll32.exe and a few hardcoded command line options to execute a DLL for privilege escalation. Thankfully, the command line options are consistent and appear similar to this:

rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens

As with named pipe impersonation, you can use process monitoring to hunt for this. Look for processes matching these criteria:

  • process name is rundll32.exe
  • command line includes ,a /p:

GetSystem in Empire & PoshC2

Example:

cmd.exe /C start %COMSPEC% /C "timeout /t 3 >nul&&echo TestSVC > \\.\pipe\TestSVC"

  • ServiceFileName contains cmd.exe OR %COMSPEC%
  • ServiceFileName contains echo AND \pipe\

Splunk Search (Splunk, Sysmon native)

Meterpreter and Cobalt Strike:

(
index=__your_sysmon_index__
ParentImage="C:\\Windows\\System32\\services.exe"
Image="C:\\Windows\\System32\\cmd.exe"
(CommandLine="*echo*" AND CommandLine="*\\pipe\\*")
) OR (
index=__your_sysmon_index__
Image="C:\\Windows\\System32\\rundll32.exe"
CommandLine="*,a /p:*"
)

Empire and PoshC2:

index=__your_sysmon_index__
(Image="C:\\Windows\\System32\\cmd.exe" OR CommandLine="*%COMSPEC%*")
(CommandLine="*echo*" AND CommandLine="*\\pipe\\*")
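Added example, not part of the issue or of the CAR project's own code: the three hunt criteria above (services.exe spawning cmd.exe with echo to a named pipe, rundll32.exe with ",a /p:", and a service binary path that is a cmd/echo-to-pipe one-liner) expressed as a Python classifier and run over constructed Sysmon-style events. The event dictionaries, field names and sample values are assumptions modelled on the Splunk search above.

```python
# Constructed sample events (not real telemetry). Process events mirror Sysmon
# Event ID 1 fields; the ServiceFileName events stand in for service-install
# records, matching the field name used in the analytic's third criterion.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Windows\System32\services.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo ba80ae80df9 > \\.\pipe\66bee3"},
    {"ParentImage": r"C:\Windows\explorer.exe",          # benign: not under services.exe, no pipe
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo hello > C:\Temp\out.txt"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\user\AppData\Local\Temp\fvxens.dll,a /p:fvxens"},
    {"ParentImage": r"C:\Windows\System32\svchost.exe",  # benign rundll32 usage
     "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": r"rundll32.exe shell32.dll,Control_RunDLL"},
    {"ServiceFileName": r'cmd.exe /C start %COMSPEC% /C "timeout /t 3 >nul&&echo TestSVC > \\.\pipe\TestSVC"'},
    {"ServiceFileName": r"C:\Program Files\Vendor\agent.exe"},  # benign service binary
]

PIPE = "\\pipe\\"  # literal \pipe\ substring; Windows paths are compared case-insensitively


def classify(event):
    """Return the name of the matching GetSystem pattern, or None if the event is clean."""
    cmd = event.get("CommandLine", "").lower()
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    svc = event.get("ServiceFileName", "").lower()
    # Criterion 1: named-pipe impersonation, cmd.exe launched by the service control manager
    if (parent.endswith("\\services.exe") and image.endswith("\\cmd.exe")
            and "echo" in cmd and PIPE in cmd):
        return "pipe_impersonation"
    # Criterion 2: rundll32 loading a DLL with the hard-coded ",a /p:" arguments
    if image.endswith("\\rundll32.exe") and ",a /p:" in cmd:
        return "rundll32_dll"
    # Criterion 3: installed service whose binary path is a cmd/%COMSPEC% echo-to-pipe one-liner
    if svc and ("cmd.exe" in svc or "%comspec%" in svc) and "echo" in svc and PIPE in svc:
        return "service_pipe"
    return None


def hunt(events):
    """Return (index, pattern) pairs for every event that matches one of the criteria."""
    hits = []
    for i, event in enumerate(events):
        pattern = classify(event)
        if pattern:
            hits.append((i, pattern))
    return hits
```

Running `hunt(SAMPLE_EVENTS)` flags events 0, 2 and 4 and leaves the three benign events alone; in production the criterion-3 check should be applied to service-install events rather than process-creation ones, exactly as the two Splunk searches above are kept separate.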

@sebastiendamaye thanks for the submission! This looks great; we'll convert to our YAML format for inclusion and will let you know if we have any questions.

Thanks again for the submission! This has been incorporated as of e527105.