Type: Detection · Level: high · Status: stable
CMSTP UAC Bypass via COM Object Access
Detects UAC bypass attempts that use Microsoft Connection Manager Profile Installer autoelevate-capable COM objects (e.g. UACMe IDs 41, 43, 58 or 65)
Authors: Nik Seetharaman, Christian Burkard (Nextron Systems) · Created: Wed Jul 31 · Updated: Sun Dec 01 · ID: 4b60e6f2-bf39-47b4-b4ea-398e33cfe253 · Product: windows
Log Source
Product: Windows (raw: windows)
Category: Process Creation (raw: process_creation)
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic (1 selector)
detection:
    selection:
        ParentImage|endswith: '\DllHost.exe'
        ParentCommandLine|contains:
            - ' /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}' # cmstplua.dll
            - ' /Processid:{3E000D72-A845-4CD9-BD83-80C07C3B881F}' # CMLUAUTIL
            - ' /Processid:{BD54C901-076B-434E-B6C7-17C531F4AB41}' # EditionUpgradeManagerObj.dll
            - ' /Processid:{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}' # colorui.dll
            - ' /Processid:{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}' # wscui.cpl
        IntegrityLevel:
            - 'High'
            - 'System'
            - 'S-1-16-16384' # System
            - 'S-1-16-12288' # High
    condition: selection

False Positives
Legitimate CMSTP use (unlikely in modern enterprise environments)
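The selection above, evaluated in plain Python over a few constructed process-creation events (an added example, not code from the Sigma project or this page; the event dicts and the zero-filled placeholder CLSID are constructed test data, and field names follow the rule):

```python
# Added example, not part of the page: the rule's selection run over constructed events.

# CLSIDs from the rule's ParentCommandLine|contains list.
CMSTP_COM_CLSIDS = (
    "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",  # cmstplua.dll
    "{3E000D72-A845-4CD9-BD83-80C07C3B881F}",  # CMLUAUTIL
    "{BD54C901-076B-434E-B6C7-17C531F4AB41}",  # EditionUpgradeManagerObj.dll
    "{D2E7041B-2927-42FB-8E9F-7CE93B6DC937}",  # colorui.dll
    "{E9495B87-D950-4AB5-87A5-FF6D70BF3E90}",  # wscui.cpl
)
# IntegrityLevel values the rule accepts (names and SIDs), lowercased.
ELEVATED_INTEGRITY = {"high", "system", "s-1-16-16384", "s-1-16-12288"}


def matches_cmstp_uac_bypass(event: dict) -> bool:
    """True if the event satisfies every field of the rule's selection.
    Sigma string matching is case-insensitive by default, so both sides
    are lowercased before comparing."""
    parent_image = str(event.get("ParentImage", "")).lower()
    parent_cmdline = str(event.get("ParentCommandLine", "")).lower()
    integrity = str(event.get("IntegrityLevel", "")).lower()
    if not parent_image.endswith("\\dllhost.exe"):
        return False
    # The rule's substring keeps the leading space before /Processid:.
    if not any(f" /processid:{c.lower()}" in parent_cmdline
               for c in CMSTP_COM_CLSIDS):
        return False
    return integrity in ELEVATED_INTEGRITY


def alerts(events) -> list:
    """Indices of the events that would fire this rule."""
    return [i for i, e in enumerate(events) if matches_cmstp_uac_bypass(e)]


DLLHOST = r"C:\Windows\System32\DllHost.exe"
CMSTPLUA = " /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
SAMPLE_EVENTS = [  # constructed sample events, not real telemetry
    # child of the CMSTPLUA COM surrogate at High integrity: matches
    {"ParentImage": DLLHOST, "ParentCommandLine": DLLHOST + CMSTPLUA,
     "IntegrityLevel": "High", "Image": r"C:\Windows\System32\cmd.exe"},
    # surrogate for an unrelated COM class (placeholder CLSID): no match
    {"ParentImage": DLLHOST, "IntegrityLevel": "High", "ParentCommandLine":
     DLLHOST + " /Processid:{00000000-0000-0000-0000-000000000000}"},
    # right CLSID but Medium integrity, so no elevation happened: no match
    {"ParentImage": DLLHOST, "ParentCommandLine": DLLHOST + CMSTPLUA,
     "IntegrityLevel": "Medium"},
]

if __name__ == "__main__":
    print(alerts(SAMPLE_EVENTS))  # [0]
```

The second and third events show the two filters that keep the false-positive rate low: DllHost hosting any other COM class, and a DllHost child that never reached High or System integrity, do not fire.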
MITRE ATT&CK
Sub-techniques: T1548.002, T1218.003
Groups: G0069
CAR Analytics: CAR 2019-04-001
Rule Metadata
Rule ID
4b60e6f2-bf39-47b4-b4ea-398e33cfe253
Status
stable
Level
high
Type
Detection
Created
Wed Jul 31
Modified
Sun Dec 01
Path
rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp_com_object_access.yml
Raw Tags
attack.execution, attack.defense-evasion, attack.privilege-escalation, attack.t1548.002, attack.t1218.003, attack.g0069, car.2019-04-001