CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Sigma rule (View on GitHub)
1title: CMSTP Execution Registry Event
2id: b6d235fc-1d38-4b12-adbe-325f06728f37
3status: stable
4description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
5references:
6 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
7author: Nik Seetharaman
8date: 2018-07-16
9modified: 2020-12-23
10tags:
11 - attack.defense-evasion
12 - attack.execution
13 - attack.t1218.003
14 - attack.g0069
15 - car.2019-04-001
16logsource:
17 category: registry_event
18 product: windows
19detection:
20 selection:
21 TargetObject|contains: '\cmmgr32.exe'
22 condition: selection
23fields:
24 - CommandLine
25 - ParentCommandLine
26 - Details
27falsepositives:
28 - Legitimate CMSTP use (unlikely in modern enterprise environments)
29level: high
References
-
COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machin...
Read More
Related rules
- CMSTP Execution Process Access
- CMSTP Execution Process Creation
- CMSTP UAC Bypass via COM Object Access
- Potential MuddyWater APT Activity
- AMSI Bypass Pattern Assembly GetType