← Back to Explore
sigmahighHunting
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Detection Query
selection_img:
- Image|endswith: \cmstp.exe
- OriginalFileName: CMSTP.EXE
selection_cli:
CommandLine|contains:
- /s
- -s
- /au
- -au
- /ni
- -ni
condition: all of selection*
Author
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
Created
2019-10-24
Data Sources
windowsProcess Creation Events
Platforms
windows
References
Tags
attack.privilege-escalationattack.defense-evasionattack.t1548.002attack.t1218.003
Raw Content
title: Bypass UAC via CMSTP
id: e66779cc-383e-4224-a3a4-267eeb585c40
status: test
description: Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
references:
- https://eqllib.readthedocs.io/en/latest/analytics/e584f1a1-c303-4885-8a66-21360c90995b.html
- https://github.com/redcanaryco/atomic-red-team/blob/f339e7da7d05f6057fdfcdd3742bfcf365fee2a9/atomics/T1218.003/T1218.003.md
- https://lolbas-project.github.io/lolbas/Binaries/Cmstp/
author: E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.community
date: 2019-10-24
modified: 2022-08-30
tags:
- attack.privilege-escalation
- attack.defense-evasion
- attack.t1548.002
- attack.t1218.003
logsource:
category: process_creation
product: windows
detection:
selection_img:
- Image|endswith: '\cmstp.exe'
- OriginalFileName: 'CMSTP.EXE'
selection_cli:
CommandLine|contains:
- '/s'
- '-s'
- '/au'
- '-au'
- '/ni'
- '-ni'
condition: all of selection*
falsepositives:
- Legitimate use of cmstp.exe utility by legitimate user
level: high