LoFP / Legitimate Windows applications that are not on the list loading this DLL. Filter as needed.

Techniques

Sample rules

CMLUA Or CMSTPLUA UAC Bypass

Description

The following analytic detects a process loading COM object DLLs such as CMLUA or CMSTPLUA, a technique used to bypass UAC. Ransomware adversaries have used this technique to gain administrative privileges for their running process.

Detection logic

`sysmon` EventCode=7  ImageLoaded IN ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll") NOT(process_name IN("CMSTP.exe", "CMMGR32.exe")) NOT(Image IN("*\\windows\\*", "*\\program files*")) 
| stats count min(_time) as firstTime max(_time) as lastTime by dest Image ImageLoaded process_name EventCode Signed ProcessId 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `cmlua_or_cmstplua_uac_bypass_filter`
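To show what the search above actually evaluates, here is the same filter and `stats` aggregation re-implemented in plain Python and run over a handful of constructed Sysmon EventCode 7 (Image loaded) records. This is an added example, not code from the Splunk Security Content project; the `ALLOWLIST` set is an assumed stand-in for the site-defined `cmlua_or_cmstplua_uac_bypass_filter` macro, which is where the LoFP note says legitimate loaders get filtered out.

```python
"""Python re-implementation of the Splunk search for CMLUA/CMSTPLUA loads.

Added example; the sample events below are constructed, not real telemetry.
"""
import fnmatch
from collections import defaultdict

# Patterns mirror the search: the DLLs of interest, the processes expected to
# load them, and the install paths treated as trusted for the loading Image.
WATCHED_DLLS = ("*\\CMLUA.dll", "*\\CMSTPLUA.dll", "*\\CMLUAUTIL.dll")
EXPECTED_PROCESSES = ("CMSTP.exe", "CMMGR32.exe")
TRUSTED_IMAGE_PATHS = ("*\\windows\\*", "*\\program files*")

# Assumed stand-in for the `cmlua_or_cmstplua_uac_bypass_filter` macro:
# lowercased (Image, ImageLoaded) pairs for legitimate applications that are
# known to load these DLLs in a given environment. Empty by default.
ALLOWLIST = set()


def _match_any(value, patterns):
    # Windows paths are case-insensitive, and Splunk wildcard matching on these
    # fields is too, so compare lowercased strings. fnmatch treats the
    # backslash as a literal character, matching the search's "*\\..." terms.
    v = value.lower()
    return any(fnmatch.fnmatch(v, p.lower()) for p in patterns)


def matches_search(event):
    """True if one Sysmon event passes the search's filtering clauses."""
    if event.get("EventCode") != 7:
        return False
    if not _match_any(event["ImageLoaded"], WATCHED_DLLS):
        return False
    # NOT(process_name IN("CMSTP.exe", "CMMGR32.exe"))
    if event["process_name"].lower() in (p.lower() for p in EXPECTED_PROCESSES):
        return False
    # NOT(Image IN("*\\windows\\*", "*\\program files*"))
    if _match_any(event["Image"], TRUSTED_IMAGE_PATHS):
        return False
    # `cmlua_or_cmstplua_uac_bypass_filter` (assumed allowlist form)
    if (event["Image"].lower(), event["ImageLoaded"].lower()) in ALLOWLIST:
        return False
    return True


def run_search(events):
    """Apply the filter, then `stats count min(_time) max(_time) by ...`."""
    groups = defaultdict(list)
    for e in events:
        if matches_search(e):
            key = (e["dest"], e["Image"], e["ImageLoaded"], e["process_name"],
                   e["EventCode"], e["Signed"], e["ProcessId"])
            groups[key].append(e["_time"])
    return [
        {"dest": k[0], "Image": k[1], "ImageLoaded": k[2], "process_name": k[3],
         "EventCode": k[4], "Signed": k[5], "ProcessId": k[6],
         "count": len(times), "firstTime": min(times), "lastTime": max(times)}
        for k, times in groups.items()
    ]


# Constructed Sysmon EventCode 7 records (not real telemetry).
SAMPLE_EVENTS = [
    # Expected loader under a trusted path: excluded twice over.
    {"_time": 10, "dest": "ws01", "EventCode": 7, "Signed": "true", "ProcessId": 4100,
     "Image": "C:\\Windows\\System32\\cmstp.exe", "process_name": "CMSTP.exe",
     "ImageLoaded": "C:\\Windows\\System32\\cmstplua.dll"},
    # Unexpected loader, but installed under Program Files: excluded by path.
    {"_time": 20, "dest": "ws01", "EventCode": 7, "Signed": "true", "ProcessId": 4200,
     "Image": "C:\\Program Files\\Vendor\\app.exe", "process_name": "app.exe",
     "ImageLoaded": "C:\\Windows\\System32\\CMLUA.dll"},
    # Unsigned binary in a user-writable location loading CMLUAUTIL.dll: two hits.
    {"_time": 100, "dest": "ws02", "EventCode": 7, "Signed": "false", "ProcessId": 5300,
     "Image": "C:\\Users\\Public\\update.exe", "process_name": "update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\CMLUAUTIL.dll"},
    {"_time": 160, "dest": "ws02", "EventCode": 7, "Signed": "false", "ProcessId": 5300,
     "Image": "C:\\Users\\Public\\update.exe", "process_name": "update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\CMLUAUTIL.dll"},
    # Same process loading an unrelated DLL: not a watched module.
    {"_time": 170, "dest": "ws02", "EventCode": 7, "Signed": "false", "ProcessId": 5300,
     "Image": "C:\\Users\\Public\\update.exe", "process_name": "update.exe",
     "ImageLoaded": "C:\\Windows\\System32\\kernel32.dll"},
]

if __name__ == "__main__":
    for row in run_search(SAMPLE_EVENTS):
        print(row)
```

The second sample record is the case the LoFP note is about: a vendor application outside the expected loader list that loads the DLL. Here it is dropped only because it lives under `Program Files`; a legitimate application installed elsewhere would surface as a result and is exactly what the filter macro (the `ALLOWLIST` here) is meant to suppress.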