LoFP: legitimate Windows applications that are not on the list loading this DLL. Filter as needed.

Techniques

Sample rules

CMLUA Or CMSTPLUA UAC Bypass

Description

The following analytic detects the use of COM objects like CMLUA or CMSTPLUA to bypass User Account Control (UAC). It leverages Sysmon EventCode 7 to identify the loading of specific DLLs (CMLUA.dll, CMSTPLUA.dll, CMLUAUTIL.dll) by processes not typically associated with these libraries. This activity is significant as it indicates an attempt to gain elevated privileges, a common tactic used by ransomware adversaries. If confirmed malicious, this could allow attackers to execute code with administrative rights, leading to potential system compromise and further malicious activities.

Detection logic

`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*"))
| stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmlua_or_cmstplua_uac_bypass_filter`
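To make the search logic concrete outside Splunk, the following is an added Python re-implementation of the same filter and `stats` aggregation, written for this page and not part of the original rule or the Splunk Security Content project. It runs over a handful of constructed Sysmon EventCode 7 records (hostnames, paths and PIDs are invented) and then applies an allowlist in the role of the `cmlua_or_cmstplua_uac_bypass_filter` macro, which is where the false-positive note above says legitimate applications should be filtered.

```python
import fnmatch

# Wildcards copied from the SPL search; fnmatch treats backslash as a literal,
# so the doubled backslashes below are just Python string escaping.
LOADED_DLL_PATTERNS = ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll")
EXPECTED_PROCESSES = {"cmstp.exe", "cmmgr32.exe"}      # processes the search excludes
TRUSTED_IMAGE_PATTERNS = ("*\\windows\\*", "*\\program files*")
GROUP_BY = ("dest", "Image", "ImageLoaded", "process_name", "EventCode", "Signed", "ProcessId")

# Constructed sample events (not real telemetry); field names mirror the Sysmon
# EventCode 7 fields the search uses.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "EventCode": 7, "dest": "ws01", "process_name": "CMSTP.exe", "Signed": "true", "ProcessId": 1234,
     "Image": r"C:\Windows\System32\cmstp.exe", "ImageLoaded": r"C:\Windows\System32\CMSTPLUA.dll"},
    {"_time": 1700000010, "EventCode": 7, "dest": "ws01", "process_name": "update.exe", "Signed": "false", "ProcessId": 4321,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ImageLoaded": r"C:\Windows\System32\CMLUA.dll"},
    {"_time": 1700000020, "EventCode": 7, "dest": "ws01", "process_name": "update.exe", "Signed": "false", "ProcessId": 4321,
     "Image": r"C:\Users\alice\AppData\Local\Temp\update.exe", "ImageLoaded": r"C:\Windows\System32\CMLUA.dll"},
    {"_time": 1700000030, "EventCode": 7, "dest": "ws02", "process_name": "tool.exe", "Signed": "true", "ProcessId": 555,
     "Image": r"C:\Program Files\Vendor\tool.exe", "ImageLoaded": r"C:\Windows\System32\CMLUAUTIL.dll"},
    {"_time": 1700000040, "EventCode": 1, "dest": "ws02", "process_name": "other.exe", "Signed": "false", "ProcessId": 777,
     "Image": r"C:\Users\bob\other.exe", "ImageLoaded": ""},
    {"_time": 1700000050, "EventCode": 7, "dest": "ws02", "process_name": "other.exe", "Signed": "false", "ProcessId": 777,
     "Image": r"C:\Users\bob\other.exe", "ImageLoaded": r"C:\Windows\System32\kernel32.dll"},
]


def _match_any(value, patterns):
    """Case-insensitive wildcard match, mirroring SPL's IN("*...*") behaviour."""
    v = (value or "").lower()
    return any(fnmatch.fnmatchcase(v, p.lower()) for p in patterns)


def is_suspicious(event):
    """The WHERE part of the search: EventCode 7, a CMLUA-family DLL, loaded by a
    process that is neither the expected CM binaries nor under Windows/Program Files."""
    if event.get("EventCode") != 7:
        return False
    if not _match_any(event.get("ImageLoaded"), LOADED_DLL_PATTERNS):
        return False
    if (event.get("process_name") or "").lower() in EXPECTED_PROCESSES:
        return False
    if _match_any(event.get("Image"), TRUSTED_IMAGE_PATTERNS):
        return False
    return True


def detect(events):
    """The stats part: count, min(_time) as firstTime, max(_time) as lastTime by GROUP_BY."""
    groups = {}
    for ev in events:
        if not is_suspicious(ev):
            continue
        key = tuple(ev.get(f) for f in GROUP_BY)
        agg = groups.setdefault(key, {"count": 0, "firstTime": ev["_time"], "lastTime": ev["_time"]})
        agg["count"] += 1
        agg["firstTime"] = min(agg["firstTime"], ev["_time"])
        agg["lastTime"] = max(agg["lastTime"], ev["_time"])
    rows = []
    for key, agg in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(agg)
        rows.append(row)
    return rows


def apply_filter(rows, allowlisted_images):
    """Stand-in for the `cmlua_or_cmstplua_uac_bypass_filter` macro: drop results whose
    Image path is a known-legitimate application (compared case-insensitively)."""
    allow = {p.lower() for p in allowlisted_images}
    return [r for r in rows if (r["Image"] or "").lower() not in allow]


if __name__ == "__main__":
    for row in detect(SAMPLE_EVENTS):
        print(row)
```

Only the two `update.exe` loads of CMLUA.dll survive the filter and collapse into a single row with `count` 2; the cmstp.exe load is excluded by process name, the Program Files tool by its path, and the EventCode 1 and kernel32.dll records never match. Feeding the hypothetical update.exe path into `apply_filter` shows how a tuning allowlist removes a confirmed-benign application without loosening the base search.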