Execution of a Command via a SYSTEM Service

Detect a service being registered or modified so that its ImagePath launches cmd.exe or powershell.exe. Because a service created this way runs as LocalSystem by default, the Service Control Manager serves as an intermediate for executing an arbitrary command with SYSTEM privileges; the analytic fires on the registry write that sets the ImagePath value.

id:dcb72010-c3f5-42bc-bc5e-f4f015aed1e8
categories:detect
confidence:medium
os:windows
created:11/30/2018
updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation
techniques:T1035 Service Execution, T1050 New Service

Query

registry where
    key_path == "*\\System\\*ControlSet*\\Services\\*\\ImagePath"
    and wildcard(bytes_written_string, "*%COMSPEC%*", "*cmd.exe*", "*powershell*", "*cmd *")
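To show what the query above actually matches, here is an added example (not part of the original analytic and not the eql library) that re-implements the where clause in plain Python and runs it over a handful of constructed registry events. It approximates the EQL string comparison with fnmatch: matching is case-insensitive and `*` matches any run of characters. The event dictionaries, service names and command strings are constructed for the example; only the two patterns come from the analytic.

```python
import fnmatch

# The patterns from the analytic, written as raw strings so the backslashes
# are literal (the EQL source doubles them instead).
KEY_PATH_PATTERN = r"*\System\*ControlSet*\Services\*\ImagePath"
VALUE_PATTERNS = ("*%COMSPEC%*", "*cmd.exe*", "*powershell*", "*cmd *")


def wildcard(value, *patterns):
    """EQL-style wildcard(): True if value matches any of the patterns.

    Case-insensitive, with '*' matching any run of characters. The analytic
    relies on '==' against key_path behaving the same way, so both sides of
    its where clause go through this one helper.
    """
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in patterns)


def matches(event):
    """Evaluate the analytic's 'registry where ...' clause for one event."""
    if event.get("event_type") != "registry":
        return False
    key_path = event.get("key_path") or ""
    written = event.get("bytes_written_string") or ""
    return wildcard(key_path, KEY_PATH_PATTERN) and wildcard(written, *VALUE_PATTERNS)


def run_analytic(events):
    """Return the key_path of every event the analytic would alert on."""
    return [e["key_path"] for e in events if matches(e)]


# Constructed sample events (not real telemetry), shaped like the fields the
# EQL 'registry' event type exposes. Service names are placeholders.
SAMPLE_EVENTS = [
    # ImagePath set to run a command through %COMSPEC%: should alert
    {"event_type": "registry",
     "key_path": r"HKLM\System\CurrentControlSet\Services\svc1\ImagePath",
     "bytes_written_string": r"%COMSPEC% /c whoami > C:\Windows\Temp\out.txt"},
    # Ordinary service binary: should not alert
    {"event_type": "registry",
     "key_path": r"HKLM\System\CurrentControlSet\Services\Spooler\ImagePath",
     "bytes_written_string": r"C:\Windows\System32\spoolsv.exe"},
    # Written under ControlSet001 rather than CurrentControlSet; the
    # '*ControlSet*' wildcard still covers it: should alert
    {"event_type": "registry",
     "key_path": r"HKLM\System\ControlSet001\Services\svc2\ImagePath",
     "bytes_written_string": r"powershell -nop -w hidden -c Start-Sleep 1"},
    # Same command string, but not written to ImagePath: out of scope
    {"event_type": "registry",
     "key_path": r"HKLM\System\CurrentControlSet\Services\svc3\Description",
     "bytes_written_string": r"cmd.exe /c whoami"},
    # Non-registry event: dropped by the 'registry where' event type filter
    {"event_type": "process", "key_path": "",
     "bytes_written_string": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for hit in run_analytic(SAMPLE_EVENTS):
        print("ALERT:", hit)
```

Running the script alerts on svc1 and svc2 only. Two details of the patterns are worth noticing when tuning: `*ControlSet*` deliberately catches writes to ControlSet001/ControlSet002 as well as CurrentControlSet, and the trailing space in `"*cmd *"` is what lets a bare `cmd /c ...` match without flagging every path that merely contains the substring cmd.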

Contributors