Outbound Network Connection Initiated By Cmstp.EXE
Detects a network connection initiated by Cmstp.EXE Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
Sigma rule (View on GitHub)
1title: Outbound Network Connection Initiated By Cmstp.EXE
2id: efafe0bf-4238-479e-af8f-797bd3490d2d
3status: test
4description: |
5 Detects a network connection initiated by Cmstp.EXE
6 Its uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
7references:
8 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
9author: Nasreddine Bencherchali (Nextron Systems)
10date: 2022-08-30
11modified: 2024-05-31
12tags:
13 - attack.defense-evasion
14 - attack.t1218.003
15logsource:
16 category: network_connection
17 product: windows
18detection:
19 selection:
20 Image|endswith: '\cmstp.exe'
21 Initiated: 'true'
22 filter_main_local_ranges:
23 DestinationIp|cidr:
24 - '127.0.0.0/8'
25 - '10.0.0.0/8'
26 - '172.16.0.0/12'
27 - '192.168.0.0/16'
28 - '169.254.0.0/16'
29 - '::1/128' # IPv6 loopback
30 - 'fe80::/10' # IPv6 link-local addresses
31 - 'fc00::/7' # IPv6 private addresses
32 condition: selection and not 1 of filter_main_*
33falsepositives:
34 - Unknown
35# Note: Please report any false positive seen in the wild to help tune the rule.
36level: high
References
Related rules
- Bypass UAC via CMSTP
- CMSTP Execution Process Access
- CMSTP Execution Process Creation
- CMSTP Execution Registry Event
- DLL Loaded From Suspicious Location Via Cmspt.EXE