Bypass UAC via CMSTP

Rule added on 30th April, 2024

Rule type:

Correlation

Rule description:

Windows User Access Control (UAC) is a security feature provided by Microsoft Windows that allows a program to perform a task that requires administrator level permissions by elevating its privilege. This is done by prompting the users for consent to perform these actions.

Adversaries may attempt to bypass UAC to elevate their privileges on a user's system. They can achieve this in several ways, one of them being the Connection Manager Profile Installer (CMSTP.exe), a legitimate Windows component used to install Connection Manager profiles.

Impact:

It can impact organizations in the following ways:

  • Privilege Escalation
  • Data Breaches
  • Malware installation
  • Unauthorized access to sensitive information

Data source:

Windows:

Required configuration: The rule is based on process creation and termination events. Prerequisites are installing and configuring Sysmon, enabling the audit process creation audit policy, and enabling command line auditing.

Relevant MITRE ATT&CK techniques and tactics:

Tactics: TA0004- Privilege Escalation, TA0005- Defense Evasion

Techniques: T1548- Abuse Elevation Control Mechanism

Sub Techniques: T1548.002- Bypass User Account Control

Criteria:

( Process name ends with "Windows\System32\cmstp.exe" OR Process name ends with "Windows\SysWow64\cmstp.exe" OR Process name ends with "WINNT\System32\cmstp.exe" ) AND ( Command line contains "s" OR Command line contains "au" OR Command line contains "ni" )

("Windows\System32\cmstp.exe", "Windows\SysWow64\cmstp.exe", or "WINNT\System32\cmstp.exe")- This checks that the process name ends with 'cmstp.exe' and that the executable is located in one of these directories: "Windows\System32", "Windows\SysWow64" or "WINNT\System32".

Command Line Contains "s", "au", or "ni"- Attackers may use these strings to initiate malicious actions within CMSTP to bypass UAC.
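As an added example (not part of this rule page), the criteria above implemented in Python and run over constructed Sysmon Event ID 1 style process-creation records. It assumes the path comparison is case-insensitive (as Windows paths are) and matches the command line substrings literally, exactly as the criteria is written, which is also why a legitimate administrator install fires the rule.

```python
# Process-path suffixes from the rule criteria (compared case-insensitively).
CMSTP_PATH_SUFFIXES = (
    r"windows\system32\cmstp.exe",
    r"windows\syswow64\cmstp.exe",
    r"winnt\system32\cmstp.exe",
)

# Command-line substrings from the rule criteria (plain substring test).
CMSTP_CMDLINE_MARKERS = ("s", "au", "ni")


def matches_cmstp_rule(image: str, command_line: str) -> bool:
    """Return True when a process-creation event satisfies the rule:
    the image path ends with one of the cmstp.exe locations AND the
    command line contains at least one of the marker strings."""
    image_norm = image.lower().replace("/", "\\")
    path_ok = any(image_norm.endswith(s) for s in CMSTP_PATH_SUFFIXES)
    cmdline_norm = command_line.lower()
    cmdline_ok = any(m in cmdline_norm for m in CMSTP_CMDLINE_MARKERS)
    return path_ok and cmdline_ok


def triage(events):
    """Run the rule over records (dicts with 'Image' and 'CommandLine')
    and return the ones that fire, for analyst review."""
    return [e for e in events if matches_cmstp_rule(e["Image"], e["CommandLine"])]


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # Administrator installing a VPN profile: fires (the known false positive).
    {"Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s C:\ProgramData\CorpVPN\corpvpn.inf"},
    # cmstp.exe run from SysWOW64 with an .inf in a user-writable path: fires.
    {"Image": r"C:\Windows\SysWOW64\cmstp.exe",
     "CommandLine": r"cmstp.exe /ni /s C:\Users\Public\profile.inf"},
    # Unrelated process: the path check fails, no alert.
    {"Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": r"notepad.exe C:\Users\alice\notes.txt"},
    # cmstp.exe copied outside the listed directories: the rule does not fire.
    {"Image": r"C:\Tools\cmstp.exe",
     "CommandLine": r"cmstp.exe /s x.inf"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print("ALERT:", hit["Image"], "->", hit["CommandLine"])
```

The last sample shows a gap worth knowing about: a copy of cmstp.exe outside the listed directories is not covered by this criteria, so a rule on the original file name or hash would be needed to catch it.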

When to enable this rule:

Enabling this rule will help you meet the security standards' requirements listed below:

Security standards (NIST CSF 2.0):

DE.CM-09: Computing hardware and software, runtime environments, and their data are monitored to find potentially adverse events

When this rule is triggered, you are notified that CMSTP has been used to bypass UAC. This enables you to monitor the use of commands such as CMSTP.exe.

Known false positives: This event may generate when administrators legitimately install or remove a Connection Manager Profile.

Next steps:

When this alert is triggered, the following measures can be implemented:

  • Identification: Classify the alert as a new incident or as part of an ongoing incident.
  • Analysis: Analyze the impact and extent of the compromise to determine the severity of the attack.
  • Response: Respond promptly by initiating an automated workflow to terminate the malicious process.
  • Deploy Access Controls: Implement access controls and permissions to restrict the execution of CMSTP by unauthorized users.