Techniques
Sample rules
CMSTP UAC Bypass via COM Object Access
- source: sigma
- technicques:
- t1218
- t1218.003
- t1548
- t1548.002
Description
Detects UAC Bypass Attempt Using Microsoft Connection Manager Profile Installer Autoelevate-capable COM Objects (e.g. UACMe ID of 41, 43, 58 or 65)
Detection logic
condition: selection
selection:
IntegrityLevel:
- High
- System
ParentCommandLine|contains:
- ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}'
- ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}'
- ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}'
- ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}'
- ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}'
ParentImage|endswith: \DllHost.exe
CMSTP Execution Process Creation
- source: sigma
- technicques:
- t1218
- t1218.003
Description
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Detection logic
condition: selection
selection:
ParentImage|endswith: \cmstp.exe
CMSTP Execution Registry Event
- source: sigma
- technicques:
- t1218
- t1218.003
Description
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Detection logic
condition: selection
selection:
TargetObject|contains: \cmmgr32.exe
CMSTP Execution Process Access
- source: sigma
- technicques:
- t1218
- t1218.003
- t1559
- t1559.001
Description
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Detection logic
condition: selection
selection:
CallTrace|contains: cmlua.dll