Techniques
Sample rules
CMLUA Or CMSTPLUA UAC Bypass
- source: splunk
- technicques:
- T1218
- T1218.003
Description
The following analytic detects a potential process using COM Object like CMLUA or CMSTPLUA to bypass UAC. This technique has been used by ransomware adversaries to gain administrative privileges to its running process.
Detection logic
`sysmon` EventCode=7 ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*"))
| stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `cmlua_or_cmstplua_uac_bypass_filter`