CMSTP Execution Registry Event
Detects various indicators of Microsoft Connection Manager Profile Installer execution
Sigma rule (View on GitHub)
1title: CMSTP Execution Registry Event
2id: b6d235fc-1d38-4b12-adbe-325f06728f37
3status: stable
4description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
5references:
6 - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
7author: Nik Seetharaman
8date: 2018/07/16
9modified: 2020/12/23
10tags:
11 - attack.defense_evasion
12 - attack.execution
13 - attack.t1218.003
14 - attack.g0069
15 - car.2019-04-001
16logsource:
17 category: registry_event
18 product: windows
19detection:
20 selection:
21 TargetObject|contains: '\cmmgr32.exe'
22 condition: selection
23fields:
24 - CommandLine
25 - ParentCommandLine
26 - Details
27falsepositives:
28 - Legitimate CMSTP use (unlikely in modern enterprise environments)
29level: high
References
-
COLLECTED BY Organization: Alexa Crawls Starting in 1996, Alexa Internet has been donating their crawl data to the Internet Archive. Flowing in every day, these data are added to the Wayback Machin...
Read More
Related rules
- Using powershell specific download cradle OneLiner
- Disable Security Events Logging Adding Reg Key MiniNt
- RedMimicry Winnti Playbook Registry Manipulation
- Registry Entries For Azorult Malware
- Wdigest CredGuard Registry Modification