detection.wiki

Detection rules › Sigma

CMSTP UAC Bypass via COM Object Access

Severity
high
Author
Nik Seetharaman, Christian Burkard (Nextron Systems)
Source
upstream

Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)

MITRE ATT&CK coverage

TacticTechniques
Privilege EscalationT1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control
Defense EvasionT1218.003 System Binary Proxy Execution: CMSTP, T1548.002 Abuse Elevation Control Mechanism: Bypass User Account Control

Event coverage

ProviderEvent IDTitle
Sysmon1Process creation

Stages and Predicates

Stage 1: selection

IntegrityLevel: [High, S-1-16-12288, S-1-16-16384, System]
or:
ParentCommandLine|contains: ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
ParentCommandLine|contains: ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
ParentCommandLine|contains: ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}'
ParentCommandLine|contains: ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
ParentCommandLine|contains: ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}'
ParentImage|endswith: '\DllHost.exe'

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

FieldKindValues
IntegrityLeveleq
  • High corpus 16 (sigma 16)
  • S-1-16-12288 corpus 16 (sigma 16)
  • S-1-16-16384 corpus 21 (sigma 21)
  • System corpus 21 (sigma 21)
ParentCommandLinematch
  • /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}
  • /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}
  • /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}
  • /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}
ParentImageends_with
  • \DllHost.exe corpus 2 (sigma 2)