Meterpreter Getsystem Service Installation Indicator

Rule Info

Name
Meterpreter Getsystem Service Installation Indicator
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the installation of a suspicious service with a random name that executes cmd.exe with pipe commands, indicative of the Meterpreter getsystem technique, which uses named pipe impersonation for privilege escalation.
Date
2026-03-03 00:00:00
Modified
None
Id
9b1b8c0d-4e5f-5a6b-0c3d-2f4e6a8b9c0d
Tags
attack.privilege-escalation attack.defense-evasion attack.t1134.001 attack.execution attack.persistence attack.t1543.003
Type
Nextron Sigma feed only (private)

Rule History