CMSTP Execution Process Creation
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Sigma rule (View on GitHub)
1title: CMSTP Execution Process Creation
2id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
3status: stable
4description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
5references:
6 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
7author: Nik Seetharaman
8date: 2018-07-16
9modified: 2020-12-23
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.t1218.003
14 - attack.g0069
15 - car.2019-04-001
16logsource:
17 category: process_creation
18 product: windows
19detection:
20 # CMSTP Spawning Child Process
21 selection:
22 ParentImage|endswith: '\cmstp.exe'
23 condition: selection
24fields:
25 - CommandLine
26 - ParentCommandLine
27 - Details
28falsepositives:
29 - Legitimate CMSTP use (unlikely in modern enterprise environments)
30level: high
References
-
COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machin...
Read More
Related rules
- CMSTP Execution Process Access
- CMSTP Execution Registry Event
- CMSTP UAC Bypass via COM Object Access
- Potential MuddyWater APT Activity
- AMSI Bypass Pattern Assembly GetType