# Execution of a Command via a SYSTEM Service

Detect the use of an intermediate Windows service to launch a SYSTEM-level command via `cmd.exe` or `powershell.exe`. The analytic looks for a service `ImagePath` value that points the service binary at a command interpreter (directly or through `%COMSPEC%`) rather than at a normal service executable.
| field | value |
|---|---|
| id | dcb72010-c3f5-42bc-bc5e-f4f015aed1e8 |
| categories | detect |
| confidence | medium |
| os | windows |
| created | 11/30/2018 |
| updated | 11/30/2018 |
## MITRE ATT&CK™ Mapping

| field | value |
|---|---|
| tactics | Privilege Escalation |
| techniques | T1035 Service Execution, T1050 New Service |
## Query

```eql
registry where
  registry_path == "*\\System\\*ControlSet*\\Services\\*\\ImagePath"
  and wildcard(registry_data, "*%COMSPEC%*", "*cmd.exe*", "*powershell*", "*cmd *")
```

The query matches on the registry write that sets the service's `ImagePath`, so it fires when the service is created or reconfigured, before the Service Control Manager ever starts it. All four `wildcard` patterns are substring matches, so a legitimate service whose path happens to contain `cmd ` or `powershell` will also match; the service name in `registry_path` and the full `registry_data` value are the fields to triage on.
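To show what the query actually selects, the following is an added example that reimplements its matching logic in Python and runs it over a handful of constructed registry events. It is not part of the original analytic and the event dictionaries, field names (`event_type`, `registry_path`, `registry_data`), service names and command lines are all made up for illustration; wildcard matching is treated as case-insensitive, an assumption made here because Windows registry paths are case-insensitive.

```python
import re

# Patterns from the analytic. In EQL the path pattern is written with
# escaped backslashes; as a Python raw string the backslashes are literal.
PATH_PATTERN = r"*\System\*ControlSet*\Services\*\ImagePath"
DATA_PATTERNS = ("*%COMSPEC%*", "*cmd.exe*", "*powershell*", "*cmd *")

# Constructed sample events, not real telemetry. Service names and
# command lines are invented for the example.
SAMPLE_EVENTS = [
    {  # temporary service whose binary is the command interpreter via %COMSPEC%
        "event_type": "registry",
        "registry_path": r"HKLM\System\CurrentControlSet\Services\svc_tmp\ImagePath",
        "registry_data": r"%COMSPEC% /Q /c whoami > C:\Windows\Temp\out.txt",
    },
    {  # service pointed at powershell.exe, written under a numbered control set
        "event_type": "registry",
        "registry_path": r"HKLM\System\ControlSet001\Services\Updater\ImagePath",
        "registry_data": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -c Start-Sleep 1",
    },
    {  # ordinary service binary: should not match
        "event_type": "registry",
        "registry_path": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
        "registry_data": r"C:\Windows\System32\spoolsv.exe",
    },
    {  # right service key, wrong value name: should not match
        "event_type": "registry",
        "registry_path": r"HKLM\System\CurrentControlSet\Services\svc_tmp\Start",
        "registry_data": "3",
    },
    {  # cmd.exe in a process event, not a registry write: should not match
        "event_type": "process",
        "command_line": r"C:\Windows\System32\cmd.exe /c whoami",
    },
]


def wildcard(value, *patterns):
    """Return True if value matches any pattern, where '*' matches any run of
    characters and everything else is literal (case-insensitive)."""
    for pattern in patterns:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL):
            return True
    return False


def matches(event):
    """Apply the three clauses of the query to a single event."""
    return (
        event.get("event_type") == "registry"
        and wildcard(event.get("registry_path", ""), PATH_PATTERN)
        and wildcard(event.get("registry_data", ""), *DATA_PATTERNS)
    )


def run_detection(events):
    """Return the events the analytic would report."""
    return [e for e in events if matches(e)]


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_EVENTS):
        print(hit["registry_path"], "->", hit["registry_data"])
```

Only the two events that write a command interpreter into an `ImagePath` value are returned; the `Start` value under the same suspicious service key and the `cmd.exe` process event are ignored because the query is scoped to registry writes of `ImagePath`. The `*cmd *` pattern is the loosest of the four and is the usual source of false positives when tuning this rule.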