
bypass UAC via ICMLuaUtil

rule:
  # capa rule: flags the UAC-bypass pattern built on the CMSTPLUA COM object
  # (CLSID below) and its ICMLuaUtil interface. Per `scopes`, all features of
  # the `and` block must co-occur within a single function (static analysis)
  # or a single thread (dynamic analysis).
  meta:
    name: bypass UAC via ICMLuaUtil
    namespace: host-interaction/uac/bypass
    authors:
      - anamaria.martinezgom@mandiant.com
    scopes:
      static: function
      dynamic: thread
    att&ck:
      - Defense Evasion::Abuse Elevation Control Mechanism::Bypass User Account Control [T1548.002]
    references:
      - https://gist.github.com/hfiref0x/196af729106b780db1c73428b5a5d68d
    examples:
      # <sample name (MD5-length)>:<address> — presumably the function where
      # the rule matches in that sample; verify against the sample itself.
      - 08ac667c65d36d6542917655571e61c8.exe_:0x406831
  features:
    - and:
      # Required: the CMSTPLUA CLSID, either as its text form or as the raw
      # 16-byte GUID. The byte form is the same GUID with Data1/Data2/Data3
      # little-endian and Data4 in order, so a GUID struct embedded in the
      # binary matches even when the string form is absent.
      - or:
        - string: "{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"
          description: T_CLSID_CMSTPLUA
        - bytes: F9 C7 5F 3E 51 9A 67 43 90 63 A1 20 24 4F BE C7 = T_CLSID_CMSTPLUA
      # Optional corroboration: a CoGetObject import (moniker-based COM
      # instantiation) or the ICMLuaUtil IID, again as text or as the
      # little-endian GUID bytes.
      # NOTE(review): because this block is optional, the rule also fires on
      # the CLSID alone; treat a CLSID-only hit as weaker evidence and confirm
      # the surrounding code before acting on it.
      - optional:
        - or:
          - api: ole32.CoGetObject
          - or:
            - string: "{6EDD6D74-C007-4E75-B76A-E5740995E24C}"
              description: IID_ICMLuaUtil
            - bytes: 74 6D DD 6E 07 C0 75 4E B7 6A E5 74 09 95 E2 4C = IID_ICMLuaUtil
