legitimate windows application that are not on the list loading this dll. filter as needed.

Techniques

T1218.003

Sample rules

CMLUA Or CMSTPLUA UAC Bypass

source: splunk
technicques:
- T1218.003

Description

The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.

Detection logic

`sysmon` EventCode=7  ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `cmlua_or_cmstplua_uac_bypass_filter`

Windows Unusual Process Load Mozilla NSS-Mozglue Module

source: splunk
technicques:
- T1218.003

Description

The following analytic identifies processes loading Mozilla NSS-Mozglue libraries such as mozglue.dll and nss3.dll. It leverages Sysmon Event logs, specifically monitoring EventCode 7, which tracks image loaded events. This activity is significant because it can indicate unauthorized access or manipulation of these libraries, which are commonly used by Mozilla applications like Firefox and Thunderbird. If confirmed malicious, this could lead to data exfiltration, credential theft, or further compromise of the system.

Detection logic

`sysmon` EventCode=7  ImageLoaded IN ("*\\mozglue.dll", "*\\nss3.dll") NOT(process_path IN("*:\\Program Files\Mozilla Firefox\\firefox.exe", "*:\\Program Files (x86)\Mozilla Firefox\\firefox.exe", "*:\\Program Files\\Mozilla Thunderbird\\thunderbird.exe", "*:\\Program Files (x86)\\Mozilla Thunderbird\\thunderbird.exe", "*\\Tor Browser\\Browser\\firefox.exe","*:\\Program Files\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files (x86)\\Code42\\CrashPlan\\Code42Service.exe", "*:\\Program Files\\Pale Moon\\palemoon.exe", "*:\\Program Files (x86)\\Pale Moon\\palemoon.exe", "*:\\Program Files\\Waterfox\\waterfox.exe","*:\\Program Files (x86)\\Waterfox\\waterfox.exe", "*:\\Program Files\\Cyberfox\cyberfox.exe", "*:\\Program Files (x86)\\Cyberfox\\cyberfox.exe", "*\\AppData\\Local\\slack\\slack.exe", "*:\\Program Files (x86)\\VMware\\VMware Horizon View Client\\vmware-view.exe", "*:\\Program Files (x86)\\Dropbox\\Client\\Dropbox.exe", "*:\\Program Files\\Google\\Google Earth Pro\\client\\googleearth.exe")) 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime by Image ImageLoaded dest loaded_file loaded_file_path original_file_name process_exec process_guid process_hash process_id process_name process_path service_dll_signature_exists service_dll_signature_verified signature signature_id user_id vendor_product 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `windows_unusual_process_load_mozilla_nss_mozglue_module_filter`