Potential UAC Bypass via Cmstp - Taskkill of Cmstp.exe

Rule Info

Name
Potential UAC Bypass via Cmstp - Taskkill of Cmstp.exe
Author
Swachchhanda Shrawan Poudel (Nextron Systems)
Description
Detects the execution of the "taskkill /IM cmstp.exe /F" command, which is hardcoded in INF files used for UAC bypass through the LOLBAS binary cmstp.exe. Attackers may abuse the living-off-the-land capability of the CMSTP utility to execute their malicious payloads. This technique is often used to evade detection and persist on the system.
Date
2025-02-21 00:00:00
Modified
None
Id
4a988407-237c-48b8-9318-ca287154878c
Tags
attack.defense-evasion attack.t1218.003 attack.t1548.002
Type
Nextron Sigma feed only (private)
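The rule itself is only in the private feed, so as an added illustration (not the rule's own logic) the following Python applies the detection idea from the description to constructed process-creation events; the Sysmon-style field names (Image, CommandLine, ParentImage) are an assumption, and matching is made case-insensitive and argument-order tolerant so trivial rewordings of the hardcoded command are still caught.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 style field names).
# Illustrative only: not data from the page or from any real host.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /IM cmstp.exe /F",
     "ParentImage": r"C:\Windows\System32\cmstp.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": 'TASKKILL.EXE /f /im "CMSTP.EXE"',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"Image": r"C:\Windows\System32\taskkill.exe",
     "CommandLine": "taskkill /IM notepad.exe /F",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd /c echo taskkill cmstp.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
]

_TOKEN = re.compile(r'"[^"]*"|\S+')

def tokenize(cmdline):
    """Split a Windows command line into lower-cased tokens without surrounding quotes."""
    return [t.strip('"').lower() for t in _TOKEN.findall(cmdline)]

def is_cmstp_taskkill(cmdline):
    """True when the command line is taskkill targeting cmstp.exe by image name (/IM)."""
    tokens = tokenize(cmdline)
    if not tokens:
        return False
    # First token is the program; accept bare name or full path, with or without .exe.
    exe = tokens[0].rsplit("\\", 1)[-1]
    if exe not in ("taskkill", "taskkill.exe"):
        return False
    # Look for /IM (or -IM) immediately followed by cmstp.exe, anywhere in the arguments.
    for i in range(1, len(tokens) - 1):
        if tokens[i] in ("/im", "-im") and tokens[i + 1] == "cmstp.exe":
            return True
    return False

def detect(events):
    """Return indices of events whose CommandLine matches the detection logic."""
    return [i for i, ev in enumerate(events)
            if is_cmstp_taskkill(ev.get("CommandLine", ""))]

if __name__ == "__main__":
    for i in detect(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[i]
        print(f"ALERT event {i}: {ev['CommandLine']!r} (parent: {ev['ParentImage']})")
```

The parent image is printed because a cmstp.exe parent, as in the first sample event, is the context in which this command appears in the INF-driven bypass and is worth surfacing to the analyst.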

Rule History