Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Sigma rule (View on GitHub)
1title: Bypass UAC via CMSTP
2id: e66779cc-383e-4224-a3a4-267eeb585c40
3status: test
4description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
5references:
6 - https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
7 - https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
8 - https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
9author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
10date: 2019-10-24
11modified: 2022-08-30
12tags:
13 - attack.privilege-escalation
14 - attack.defense-evasion
15 - attack.t1548.002
16 - attack.t1218.003
17logsource:
18 category: process_creation
19 product: windows
20detection:
21 selection_img:
22 - Image|endswith: '\cmstp.exe'
23 - OriginalFileName: 'CMSTP.EXE'
24 selection_cli:
25 CommandLine|contains:
26 - '/s'
27 - '-s'
28 - '/au'
29 - '-au'
30 - '/ni'
31 - '-ni'
32 condition: all of selection*
33fields:
34 - ComputerName
35 - User
36 - CommandLine
37falsepositives:
38 - Legitimate use of cmstp.exe utility by legitimate user
39level: high
References
-
-
Small and highly portable detection tests based on MITRE's ATT&CK. - redcanaryco/atomic-red-team
Read More -
Cmstp.exe is a living-of-the-land file containing unexpected functionality that can be abused by attackers; this page lists all its use cases.
Read More
Related rules
- CMSTP UAC Bypass via COM Object Access
- Bypass UAC Using DelegateExecute
- Bypass UAC Using SilentCleanup Task
- Bypass UAC via WSReset.exe
- Function Call From Undocumented COM Interface EditionUpgradeManager