From f43c63475d710a44ae1b9fd576dfc1b04af04862 Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Tue, 22 Sep 2020 16:08:08 -0500 Subject: [PATCH] added CMSTPLUA COM UAC bypass --- DefenseEvasion.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index 718697e..0fdd500 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -26,6 +26,12 @@ Detection of UAC bypass through tampering with Shell Open for .ms-settings or .m SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine ContainsCIS "mscfile\shell\open\command" ``` +To further UAC bypass detection, the below query will detect CMSTPLUA COM interface abuse by GUID and can be combined with the above. See [Security-in-bits](https://www.securityinbits.com/malware-analysis/uac-bypass-analysis-stage-1-ataware-ransomware-part-2/#footnote) for more. + +``` +TgtProcDisplayName = "COM Surrogate" AND TgtProcCmdLine ContainsCIS "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}" +``` + ### T1218.003 CMSTP Atomics: [T1218.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md)
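Review bot: The added query anchors on `TgtProcDisplayName = "COM Surrogate"` rather than on the target process image, so any host whose display name differs (localized builds, a renamed binary) will not match even when the CMSTPLUA CLSID appears on the command line; if the schema offers an image-path or image-name field, consider adding it as a second anchor or dropping the display-name condition and keying on the CLSID alone, since that string is the actual indicator. The prose also never says what the GUID is: a short clause such as "the CLSID of the CMSTPLUA COM interface" next to `{3E5FC7F9-9A51-4367-9063-A120244FBEC7}` would tell the reader what the rule is looking for without following the link, and "To further UAC bypass detection" reads awkwardly; "To extend UAC bypass detection" is clearer.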