Execution of a Command via a SYSTEM Service

Detect the usage of an intermediate service used to launch a SYSTEM-level command via cmd.exe or powershell.exe.

id:dcb72010-c3f5-42bc-bc5e-f4f015aed1e8 categories:detect confidence:medium os:windows created:11/30/2018 updated:11/30/2018

MITRE ATT&CK™ Mapping

tactics:Privilege Escalation techniques:T1035 Service Execution, T1050 New Service

Query

registry where
    registry_path == "*\\System\\*ControlSet*\\Services\\*\\ImagePath"
    and wildcard(registry_data, "*%COMSPEC%*", "*cmd.exe*", "*powershell*", "*cmd *")

Detonation

Atomic Red Team: T1035

Contributors

• Endgame