CMSTP Execution Process Access
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Sigma rule (View on GitHub)
1title: CMSTP Execution Process Access
2id: 3b4b232a-af90-427c-a22f-30b0c0837b95
3status: stable
4description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
5references:
6 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
7author: Nik Seetharaman
8date: 2018-07-16
9modified: 2021-06-27
10tags:
11 - attack.defense-evasion
12 - attack.t1218.003
13 - attack.execution
14 - attack.t1559.001
15 - attack.g0069
16 - attack.g0080
17 - car.2019-04-001
18logsource:
19 product: windows
20 category: process_access
21detection:
22 # Process Access Call Trace
23 selection:
24 CallTrace|contains: 'cmlua.dll'
25 condition: selection
26falsepositives:
27 - Legitimate CMSTP use (unlikely in modern enterprise environments)
28level: high
References
-
COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machin...
Read More
Related rules
- CMSTP Execution Process Creation
- CMSTP Execution Registry Event
- CMSTP UAC Bypass via COM Object Access
- DNS Query Request By Regsvr32.EXE
- Network Connection Initiated By Regsvr32.EXE