{
	"id": "a3b4f000-060f-4088-8505-26431df203fd",
	"created_at": "2026-04-06T00:18:09.07967Z",
	"updated_at": "2026-04-10T03:21:00.489332Z",
	"deleted_at": null,
	"sha1_hash": "0bbb3afedc09baea5110858ddf7f090a05cac070",
	"title": "Hunting for GetSystem commands in offensive security tools",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 59027,
	"plain_text": "Hunting for GetSystem commands in offensive security tools\r\nBy susannah.matt@redcanary.com\r\nArchived: 2026-04-05 20:12:02 UTC\r\nDue to its privileges, the Windows NT AUTHORITY\\SYSTEM account is a juicy target for adversaries across all\r\nversions of Windows operating systems. The SYSTEM account is the highest level administrator for a host. When\r\na user is a standard member of the Administrators Windows group, User Account Control (UAC) and certain\r\nsecurity boundaries still apply to slow down potentially unauthorized activity. No such boundaries apply to the\r\nSYSTEM account on a local system, allowing it to make changes to a system as needed.\r\nWhat is GetSystem?\r\nWindows Services often need this level of privilege for system management. Client management and deployment\r\nproducts often use SYSTEM to allow software installations. Security software often uses SYSTEM to peer into\r\nthe activity of other users on a system, a use case that also appeals to adversaries. When using SYSTEM, an\r\nadversary can monitor and manipulate data from any other user on that local computer. While this account doesn’t\r\nallow an adversary network access to log on to other computers, it does allow the adversary to execute credential\r\naccess attacks against files and memory on a computer to compromise credentials for network access. This is\r\ncommonly seen with attacks that use tools like Mimikatz. In the really unfortunate cases where adversaries gain\r\naccess to the SYSTEM account on Active Directory domain controllers, they can grab credentials for any users\r\nwithin the domain and manipulate Active Directory to add accounts for themselves.\r\nThis is why many offensive security tools include a command named getsystem or similar. 
These commands\r\nmake those tools try one or more things to elevate privileges to that SYSTEM account so the adversary can own\r\neverything on the victim host.\r\nGetSystem in Meterpreter \u0026 Cobalt Strike’s Beacon\r\nTwo of the most prevalent adversary tools that Red Canary sees on a weekly basis are Metasploit’s Meterpreter\r\npayload and Cobalt Strike’s Beacon. These payloads serve as malicious agents for adversaries to manage and\r\ncontrol victim computers. Interestingly, both of them implement a getsystem command into their payloads in an\r\nincredibly similar manner using multiple methods.\r\nBoth tools first attempt to use “named pipe impersonation” to achieve SYSTEM privileges. This involves creating\r\na Windows Service to execute as NT AUTHORITY\\SYSTEM and feeding data to it through a named pipe that is\r\nrandomly created by the malicious payload. An in-depth explanation of this technique can be found here.\r\nHunting tips\r\nIn the case of Cobalt Strike’s Beacon, the Windows services.exe process will execute cmd.exe with a\r\ncommand line like this:\r\nhttps://redcanary.com/blog/getsystem-offsec/\r\nPage 1 of 3\n\ncmd.exe /c echo ba80ae80df9 \u003e \\\\.\\pipe\\66bee3\r\nMetasploit’s Meterpreter also presents itself in a predictable way spawning from services.exe :\r\ncmd.exe /c echo fvxens \u003e \\\\.\\pipe\\fvxens\r\nYou can easily hunt for this behavior with two evidence sources: process monitoring data or Windows Event Logs.\r\nWith process monitoring, hunt for processes matching these criteria:\r\nparent process is services.exe\r\nprocess name is cmd.exe\r\ncommand line includes echo AND \\pipe\\\r\nWith Windows Event Logs, search for events with the ID 7045 that match these criteria:\r\nServiceFileName contains cmd.exe OR %COMSPEC%\r\nServiceFileName contains echo AND \\pipe\\\r\nBoth of these hunts will reliably find adversaries using named pipe impersonation from both tools. 
The second\r\nGetSystem method uses rundll32.exe and a few hardcoded command line options to execute a DLL for\r\nprivilege escalation. Thankfully, the command line options are consistent and appear similar to this:\r\nrundll32.exe C:\\Users\\user\\AppData\\Local\\Temp\\fvxens.dll,a /p:fvxens\r\nAs with named pipe impersonation, you can use process monitoring to hunt for this. Look for processes matching\r\nthese criteria:\r\nprocess name is rundll32.exe\r\ncommand line includes ,a /p:\r\nIn addition to these methods, both tools also support a third method that involves token manipulation. The first\r\ntwo methods seem to be more prevalent than the third. However, the token manipulation method isn’t readily\r\nobservable via process monitoring data, so we don’t have a great deal of visibility into it. It’s not entirely clear\r\nwhether a perceived lack of token manipulation is representative of reality or the result of our blindspots.\r\nGetSystem in Empire \u0026 PoshC2\r\nAs with Metasploit and Cobalt Strike, we see GetSystem commands in Empire and PoshC2—but to a slightly\r\nlesser extent. Both advanced and opportunistic adversaries use these tools in the wild and they implement\r\ngetsystem using PowerShell. 
Both tools have adopted the Get-System.ps1 script from the PowerSploit project,\r\nand it also has a distinct command line to conduct named pipe impersonation:\r\ncmd.exe /C start %COMSPEC% /C `\"timeout /t 3 \u003enul\u0026\u0026echo TestSVC \u003e \\\\.\\pipe\\TestSVC`\r\nThe beautiful thing about this similarity is that you can reuse the first hunts for named pipe impersonation in\r\nMetasploit and Cobalt Strike to also search for named pipe impersonation from Empire and PoshC2!\r\nWhat you can look for now\r\nIf you’re looking for a reliable, high-fidelity way to alert on Metasploit Meterpreter, Cobalt Strike Beacon,\r\nEmpire, or PoshC2 GetSystem activities you can implement these hunts today:\r\nparent process is services.exe\r\nprocess name is cmd.exe\r\ncommand line includes echo AND \\pipe\\\r\nEvent ID 7045\r\nServiceFileName contains cmd.exe OR %COMSPEC%\r\nServiceFileName contains echo AND \\pipe\\\r\nHappy hunting!\r\nSource: https://redcanary.com/blog/getsystem-offsec/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://redcanary.com/blog/getsystem-offsec/"
	],
	"report_names": [
		"getsystem-offsec"
	],
	"threat_actors": [],
	"ts_created_at": 1775434689,
	"ts_updated_at": 1775791260,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bbb3afedc09baea5110858ddf7f090a05cac070.pdf",
		"text": "https://archive.orkl.eu/0bbb3afedc09baea5110858ddf7f090a05cac070.txt",
		"img": "https://archive.orkl.eu/0bbb3afedc09baea5110858ddf7f090a05cac070.jpg"
	}
}