Outbound Network Connection Initiated By Cmstp.EXE

Detects a network connection initiated by cmstp.exe, the Microsoft Connection Manager Profile Installer. It is uncommon for cmstp.exe to initiate an outbound network connection: the binary is a known proxy-execution target (ATT&CK T1218.003) because it processes a caller-supplied INF file, which can direct it to load and run code from a remote location, and it has been used for UAC bypass. The rule only fires when the destination is outside the loopback, link-local and private ranges listed in the filter, so a connection to attacker-controlled infrastructure on the internal network will not trigger it. Investigate the source of such requests (the INF file passed on the command line and the parent process) to determine if they are malicious.

Sigma rule

title: Outbound Network Connection Initiated By Cmstp.EXE
id: efafe0bf-4238-479e-af8f-797bd3490d2d
status: test
description: |
    Detects a network connection initiated by Cmstp.EXE
    It is uncommon for "cmstp.exe" to initiate an outbound network connection. Investigate the source of such requests to determine if they are malicious.
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nasreddine Bencherchali (Nextron Systems)
date: 2022-08-30
modified: 2024-05-31
tags:
    - attack.defense-evasion
    - attack.t1218.003
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        Image|endswith: '\cmstp.exe'
        Initiated: 'true'
    filter_main_local_ranges:
        DestinationIp|cidr:
            - '127.0.0.0/8'
            - '10.0.0.0/8'
            - '172.16.0.0/12'
            - '192.168.0.0/16'
            - '169.254.0.0/16'
            - '::1/128'  # IPv6 loopback
            - 'fe80::/10'  # IPv6 link-local addresses
            - 'fc00::/7'  # IPv6 private addresses
    condition: selection and not 1 of filter_main_*
falsepositives:
    - Unknown
# Note: Please report any false positive seen in the wild to help tune the rule.
level: high
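To make the rule's logic concrete, here is an added Python example (not part of the Sigma rule or the SigmaHQ project) that evaluates the condition "selection and not 1 of filter_main_*" over a handful of constructed network_connection events shaped like Sysmon Event ID 3 records. The field names (Image, Initiated, DestinationIp) follow the Sigma Windows network_connection taxonomy; the sample events and their addresses are made up for the example (203.0.113.0/24 and 2001:db8::/32 are documentation ranges, not real destinations). Sigma string matching on Windows fields is case-insensitive, which the example reproduces with a lowercase comparison.

```python
import ipaddress

# Destination ranges excluded by the rule's filter_main_local_ranges block.
LOCAL_RANGES = [ipaddress.ip_network(cidr) for cidr in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16",
    "::1/128",     # IPv6 loopback
    "fe80::/10",   # IPv6 link-local
    "fc00::/7",    # IPv6 unique local
)]


def is_local_destination(ip_str):
    """True if the destination falls inside one of the excluded ranges.

    A value that does not parse as an address is treated as not local, so the
    event still alerts; this mirrors Sigma, where a non-matching cidr filter
    simply does not suppress the selection.
    """
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    # 'in' between an IPv4 address and an IPv6 network (or vice versa) is False.
    return any(ip in net for net in LOCAL_RANGES)


def matches_rule(event):
    """Apply 'selection and not 1 of filter_main_*' to one event dict."""
    image = str(event.get("Image", "")).lower()
    initiated = str(event.get("Initiated", "")).lower()
    selection = image.endswith("\\cmstp.exe") and initiated == "true"
    if not selection:
        return False
    return not is_local_destination(event.get("DestinationIp", ""))


def alerts(events):
    """Return the events the rule would raise an alert for."""
    return [e for e in events if matches_rule(e)]


# Constructed sample events (hypothetical, not real telemetry).
SAMPLE_EVENTS = [
    # outbound to a public address: alerts
    {"Image": r"C:\Windows\System32\cmstp.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # outbound to RFC 1918 space: filtered out
    {"Image": r"C:\Windows\System32\cmstp.exe", "Initiated": "true",
     "DestinationIp": "10.20.30.40", "DestinationPort": 445},
    # IPv6 link-local: filtered out
    {"Image": r"C:\Windows\System32\cmstp.exe", "Initiated": "true",
     "DestinationIp": "fe80::1", "DestinationPort": 80},
    # global IPv6 address: alerts
    {"Image": r"C:\Windows\System32\cmstp.exe", "Initiated": "true",
     "DestinationIp": "2001:db8::5", "DestinationPort": 80},
    # inbound connection (Initiated=false): not selected
    {"Image": r"C:\Windows\System32\cmstp.exe", "Initiated": "false",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    # a different binary: not selected
    {"Image": r"C:\Windows\System32\svchost.exe", "Initiated": "true",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]


if __name__ == "__main__":
    for e in alerts(SAMPLE_EVENTS):
        print("ALERT:", e["Image"], "->", e["DestinationIp"], e["DestinationPort"])
```

Running it on the sample set alerts on the two cmstp.exe connections to non-local destinations and suppresses the rest; note that the second event, an internal SMB connection, is silently filtered even though it would be just as suspicious, which is the trade-off the CIDR filter makes to keep noise down.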
