{
	"id": "c7f71546-ce19-4083-bbbe-9bd2d5219ece",
	"created_at": "2026-04-06T00:18:15.813722Z",
	"updated_at": "2026-04-10T13:12:44.458786Z",
	"deleted_at": null,
	"sha1_hash": "59e41ebe8277877f1336a77083dcc48a32be8618",
	"title": "Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. – Endur@nt",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 834807,
	"plain_text": "Detecting CMSTP-Enabled Code Execution and UAC Bypass With\r\nSysmon. – Endur@nt\r\nPublished: 2018-07-07 · Archived: 2026-04-05 21:53:11 UTC\r\nBy Nik Seetharaman\r\nTLDR\r\nAn old Microsoft tool is able to be weaponized in several ways and reportedly used by at least one nation state\r\nactor. I explore ways for defenders to detect it’s abuse.\r\nBackground\r\nAs I was perusing MITRE’s ATT\u0026CK framework the other day to learn about techniques I’m less familiar with, I\r\ncame across the ambiguous-sounding CMSTP (T1191 in ATT\u0026CK) which MITRE states can be used for UAC\r\nBypass and code execution. Being that it’s also allegedly been used by a nation-state actor recently, I wanted to\r\nresearch potential detection strategies and wrap my head around possible blind spots.\r\nInitial research yielded that CMSTP is an old remote access configuration tool that comes with a config wizard\r\ncalled the Config Manager Admin Kit. This wizard spits out, among other things, an INF configuration file that’s\r\nable to be weaponized along various dimensions.\r\nInvoking the weaponized INF with CMSTP results in the ability to run both arbitrary scripts (local and remote)\r\nand bypass User Account Control to elevate security contexts from medium to high integrity.\r\nBeing that CMSTP is a legitimate signed Microsoft binary living in the System32 directory, the implication is an\r\nattacker could land on a system, utilize CMSTP to bypass poorly configured application whitelisting, and obtain\r\nelevated command shells or pull down arbitrary code remotely via WEBDAV.\r\nFor more background reading, Oddvar Moe wrote up some great research into how CMSTP works, which gave\r\nme a good baseline to build on.\r\nThis post will explore various considerations in trying to detect CMSTP exploitation along these various axes\r\nusing Windows Sysinternals’ Sysmon tool configured with Swift on Security’s baseline configuration, found here.\r\nCMSTP Abuse Vectors\r\nI investigated detection strategies for three different categories of CMSTP abuse, all of which involve arbitrary\r\ncode execution and two of which allow for code execution with UAC bypass:\r\n1. Invoking weaponized .INF setup files to run local or remote .SCT scripts containing malicious VBScript or\r\nJScript code.\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 1 of 10\n\n2. Invoking weaponized .INF files to run local executables while enabling UAC bypass / elevating integrity\r\nlevels, allowing for spinup of elevated command shells.\r\n3. Direct utilization of the COM interfaces that CMSTP hooks into allowing for (slightly) stealthier UAC\r\nbypass.\r\nLet’s dive into the detections considerations for each of these methods.\r\nMethod 1 – INF-SCT Launch\r\nBohops wrote a great article with some background and context around INF-SCT fetch and execute techniques\r\nhere.\r\nThe gist is that the ‘UnRegisterOCXSection’ in the malicious INF file can be modified to invoke scrobj.dll and\r\nhave it execute either a local or remotely fetched .SCT script containing malicious VBScript or JScript code.\r\nLet’s take a look at an example (T1191.inf) pulled from the Atomic Red Team repo that maps to the CMSTP Mitre\r\nTechnique (T1191):\r\nExecuting the command “cmstp.exe /s t1191.inf” will pull down and execute the SCT script located at\r\nhttps://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1191/T1191.sct\r\nThat script (spawning what looks to be an Advanced Persistent Calculator) looks like so:\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 2 of 10\n\nDigging into the Sysmon logs in Event Viewer after running the command, we see several Sysmon events\r\ngenerated. Notice that the spawned calc.exe has c:\\windows\\system32\\cmstp.exe as the ParentImage and that the\r\nIntegrityLevel is Medium, i.e. no integrity elevation occurred.\r\nLet’s now take a look at the Sysmon 3 Network Connections. One of the connections looks to be to localhost over\r\na high number port. The other shows cmstp.exe as the Image calling out to 151.101.120.133 (Github) over 443.\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 3 of 10\n\nIt follows then, that potential Sysmon detection rules for Method 1 could be:\r\nSysmon Event 1 where ParentImage contains cmstp.exe\r\nSysmon Event 3 where Image contains cmstp.exe and DestinationIP is external\r\nMethod 2 – UAC Bypass via INF RunPreSetupCommandSection\r\nAs Odvar Moe found in his research, it turns out that the RegisterOCXSection of the INF file is not the only\r\nsection susceptible to weaponization. Looking at a different INF file generated by the Connection Manager Admin\r\nKit, it’s possible to insert arbitrary binaries for execution under the RunPreSetupCommandSection. In this case,\r\nwe’re spawning a command shell and then subsequently killing the cmstp executable.\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 4 of 10\n\nGetting this method to work on the command line is slightly different than in Method 1, requiring some new\r\noptions, making sure “All Users” is checked in a dialog box that pops up, and hitting OK.\r\nOnce done, we have our command shell. Notice that unlike the previous method, executables run in this fashion\r\nelevate their security context with no notice to the user, resulting in UAC Bypass. We’ll look at a stealthier way to\r\ndo this in Method 3 that doesn’t involve a popup.\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 5 of 10\n\nNote the Sysmon 12 and Sysmon 13 registry value add and value set events:\r\nSysmon 12 – Registry Object Added\r\nSysmon 13 – Registry Value Set\r\nDllhost.exe is creating the object cmmgr32.exe in the Sysmon 12 then setting the ProfileInstallPath value to\r\nC:\\ProgramData\\Microsoft\\Network\\Connections\\Cm in the subsequent Sysmon 13.\r\nLet’s take a look at the Sysmon 1 event where the cmd.exe was actually spawned:\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 6 of 10\n\nUnlike Method 1 where cmstp.exe was the ParentImage and the target binary was the child, here Dllhost.exe is the\r\nparent.\r\nWe see in the ParentCommandLine field that Dllhost.exe utilizes a ProcessID option with what appears to be some\r\nkind of GUID. To understand what that GUID is doing there, we’re going to rerun the attack but this time using a\r\nmodified Sysmon configuration that allows us to obtain Sysmon Event 10s (Process Access).\r\nTo limit the collection aperture for the Event 10s and avoid grinding the system to a halt, we’re going to follow\r\nTim Burrell’s great writeup here and set up Sysmon such that we’re pulling only those Sysmon 10 events\r\nrequesting highly privileged levels of process access or containing an “unknown” string in the CallTrace:\r\nWe’ll need to let Sysmon know to use the updated configuration by running:\r\nsysmon -c \u003cmodified_config.xml\u003e\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 7 of 10\n\nRe-running the attack, we see several additional Sysmon 10 events. One of them in particular, where Dllhost.exe\r\naccesses the TargetImage cmd.exe, is interesting.\r\nNote the CallTrace data. One of the DLLs called was cmlua.dll – which @hFireF0X has called out as containing\r\nan autoelevated COM interface called CMLUAUTIL. We’ll see CMLUAUTIL again when we get to Method 3.\r\nFor now, let’s recap our potential detections for Method 2:\r\nSysmon 1 where ParentImage contains dllhost.exe and Image contains cmd.exe (a strategy which may\r\nproduce lots of noise and not bracket you to a CMSTP exploit)\r\nSysmon 10 where CallTrace contains cmlua.dll\r\nSysmon 12 or 13 where TargetObject contains cmmgr32.exe\r\nMethod 3 – UAC Bypass via Direct Utilization of COM Interfaces.\r\nAs @hFireF0X stated in his tweet, cmlua.dll references the autoelevated COM interfaces CMLUAUTIL and\r\nCMSTPLUA via cmlua.dll and cmstplua.dll respectively. In his UAC Bypass project UACME\r\n(https://github.com/hfiref0x/UACME) there are several methods enumerated to execute bypass, however #41\r\ncontains a proof of concept to execute the same attack we saw in Method 2, except instead of dealing with the\r\ncmstp.exe executable, it’s popup dialog, and relying on the DLLs to interface with the COM interfaces, we\r\ninterface with them directly.\r\nWhat’s the potential impact on our Sysmon visibility if one were to utilize this method?\r\nTo execute this UACME-powered attack as of July 2018, we’ll need to grab a previous commit of the UACME\r\nrepo with the “Compiled” and “Source” directories still in place (he’s removed the executable we need for\r\nwhatever reason – so grab a commit from May or June of 2018). Under the Compiled directory, let’s run\r\n“Akagi32.exe 41.”\r\nIf we navigate back to the Sysmon 10 event that we analyzed in Method 2 where Dllhost.exe accessed cmd.exe\r\nand look at the CallTrace, there is NO mention of cmlua.dll. Also note that there are NO Sysmon 12 or 13 events.\r\nThis indicates that looking for cmlua.dll or registry adds / mods is potentially brittle:\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 8 of 10\n\nNo cmlua.dll to be found…\r\nLet’s revisit the Sysmon 1 event where dllhost.exe spawned cmd.exe. It turns out that the GUID we see in the\r\nParentCommandLine field is actually the Class ID for the COM object we’re hooking into, in this case\r\nautoelevate-capable CMSTPLUA.\r\nA potential way forward then for detecting both Method 2 and 3 is to alert on dllhost.exe in the\r\nParentCommandLine along with the GUID of CMSTPLUA:\r\nSysmon 1 where ParentCommandLine contains dllhost.exe and contains GUID for CMSTPLUA COM\r\nobject (3E5FC7F9-9A51-4367-9063-A120244FBEC7)\r\nI’ll need to do further research to figure out how this might be further obfuscated by an adversary but it could be a\r\ngood base.\r\nTo summarize, CMSTP and it’s dependencies are capable of facilitating a few different methods of code execution\r\nand UAC bypass, each with it’s own detection nuances and footprint. Note that before deploying any of these\r\ndetections to production, it’s important to baseline what’s happening on your network and develop a hypothesis\r\naround why implementing any of these will produce high signal / low false positive rate for you.\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 9 of 10\n\nSource: https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nhttps://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/\r\nPage 10 of 10",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/"
	],
	"report_names": [
		"detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon"
	],
	"threat_actors": [],
	"ts_created_at": 1775434695,
	"ts_updated_at": 1775826764,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/59e41ebe8277877f1336a77083dcc48a32be8618.pdf",
		"text": "https://archive.orkl.eu/59e41ebe8277877f1336a77083dcc48a32be8618.txt",
		"img": "https://archive.orkl.eu/59e41ebe8277877f1336a77083dcc48a32be8618.jpg"
	}
}