Rule Info
Name
Meterpreter Getsystem Named Pipe Impersonation
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the Meterpreter getsystem command using the named pipe impersonation technique. The attacker creates a named pipe and uses cmd.exe to write to it for privilege escalation.
Date
2026-03-03 00:00:00
Modified
None
Id
e4a74a9a-5f4a-4c4e-8f3a-7b9d6c5e2a1f
Tags
attack.privilege-escalation attack.defense-evasion attack.t1134.001
Type
Nextron Sigma feed only (private)
