Techniques
Sample rules
Bypass UAC via CMSTP
- source: sigma
- techniques:
  - t1218
  - t1218.003
  - t1548
  - t1548.002
Description
Detects command-line usage of the Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files.
Detection logic
condition: all of selection*
selection_cli:
  CommandLine|contains:
    - /s
    - -s
    - /au
    - -au
    - /ni
    - -ni
selection_img:
  - Image|endswith: \cmstp.exe
  - OriginalFileName: CMSTP.EXE
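
The detection logic above, evaluated over constructed process-creation events. This is an added example, not part of the Sigma rule or its project. It assumes Sigma's default case-insensitive string matching; the function names, event names and paths are hypothetical.

```python
# Added example: the rule's selections and condition as Python predicates.
# Assumption: Sigma string comparisons are case-insensitive by default.
CLI_FLAGS = ["/s", "-s", "/au", "-au", "/ni", "-ni"]


def selection_cli(event):
    """CommandLine|contains with a value list: any single flag matches (OR)."""
    cmd = event.get("CommandLine", "").lower()
    return any(flag in cmd for flag in CLI_FLAGS)


def selection_img(event):
    """A list of two field maps: either one matching is enough (OR)."""
    image = event.get("Image", "").lower()
    original = event.get("OriginalFileName", "").lower()
    return image.endswith("\\cmstp.exe") or original == "cmstp.exe"


def rule_matches(event):
    """condition 'all of selection*': every selection_* must hold (AND)."""
    return selection_cli(event) and selection_img(event)


# Constructed process-creation events (hypothetical paths and file names).
SAMPLE_EVENTS = {
    "silent_install": {"Image": r"C:\Windows\System32\cmstp.exe",
                       "OriginalFileName": "CMSTP.EXE",
                       "CommandLine": r"cmstp.exe /s /au C:\Temp\profile.inf"},
    "renamed_binary": {"Image": r"C:\Users\Public\update.exe",
                       "OriginalFileName": "CMSTP.EXE",
                       "CommandLine": r"update.exe /ni /s C:\Temp\profile.inf"},
    "no_flags": {"Image": r"C:\Windows\System32\cmstp.exe",
                 "OriginalFileName": "CMSTP.EXE",
                 "CommandLine": r"cmstp.exe C:\Temp\profile.inf"},
    "hyphen_in_path": {"Image": r"C:\Windows\System32\cmstp.exe",
                       "OriginalFileName": "CMSTP.EXE",
                       "CommandLine": r"cmstp.exe C:\Temp\vpn-settings.inf"},
    "other_process": {"Image": r"C:\Windows\System32\ping.exe",
                      "OriginalFileName": "ping.exe",
                      "CommandLine": "ping.exe -s 4 example.test"},
}


def detect(events):
    """Return the names of the events the rule would alert on."""
    return [name for name, ev in events.items() if rule_matches(ev)]


if __name__ == "__main__":
    print(detect(SAMPLE_EVENTS))
```

The `hyphen_in_path` event matches only because `-s` occurs inside the file name `vpn-settings.inf`, the kind of substring false positive to expect when tuning this rule.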