CMSTP UAC Bypass via COM Object Access

 1title: CMSTP UAC Bypass via COM Object Access
 2id: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253
 3status: stable
 4description: Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
 5references:
 6    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
 7    - https://twitter.com/hFireF0X/status/897640081053364225
 8    - https://medium.com/falconforce/falconfriday-detecting-uac-bypasses-0xff16-86c2a9107abf
 9    - https://github.com/hfiref0x/UACME
10author: Nik Seetharaman, Christian Burkard (Nextron Systems)
11date: 2019-07-31
12modified: 2022-09-21
13tags:
14    - attack.execution
15    - attack.defense-evasion
16    - attack.privilege-escalation
17    - attack.t1548.002
18    - attack.t1218.003
19    - attack.g0069
20    - car.2019-04-001
21logsource:
22    category: process_creation
23    product: windows
24detection:
25    selection:
26        ParentImage|endswith: '\DllHost.exe'
27        ParentCommandLine|contains:
28            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
29            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
30            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
31            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
32            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
33        IntegrityLevel:
34            - 'High'
35            - 'System'
36    condition: selection
37falsepositives:
38    - Legitimate CMSTP use (unlikely in modern enterprise environments)
39level: high

References

• Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. – Endur@nt

  COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machin...

  
  Read More

• x.com

  
  Read More

• FalconFriday — Detecting UAC Bypasses — 0xFF16

  

  Attackers often require full administrative privileges on a machine to be able to use their full attack capabilities. Many attacks…

  
  Read More

• GitHub - hfiref0x/UACME: Defeating Windows User Account Control

  

  Defeating Windows User Account Control. Contribute to hfiref0x/UACME development by creating an account on GitHub.

  
  Read More

Related rules

• CMSTP Execution Process Access
• CMSTP Execution Process Creation
• CMSTP Execution Registry Event
• Bypass UAC via CMSTP
• HackTool - Empire PowerShell UAC Bypass