CMSTP can be used to install .inf malicious code to run pre-installation
Detects execution of CMSTP used to install fake Connection Manager Profiles via .INF files that reside in a temp location on disk and contain instructions for how the Connection Manager should install the profile. The .INF files could contain malicious code under the section RunPreSetupCommandsSection, which lists the commands to run before setup.
Sigma rule
title: CMSTP can be used to install .inf malicious code to run pre-installation
description: Detects execution of CMSTP used to install fake Connection Manager Profiles via .INF files that reside in a temp location on disk and contain instructions for how the Connection Manager should install the profile. The .INF files could contain malicious code under the section RunPreSetupCommandsSection, which lists the commands to run before setup.
status: experimental
date: 2023/08/10
author: '@kostastsale'
references:
  -
logsource:
  category: process_creation
  product: windows
detection:
  selection1:
    Image|endswith:
      - '\cmstp.exe'
    CommandLine|contains|all:
      - ' /au '
      - '\AppData\Local\Temp\'
    CommandLine|endswith:
      - '.inf'
  condition: selection1
falsepositives:
  - Unlikely
level: high
tags:
  - attack.defense_evasion
  - attack.t1218
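To see which process-creation events the selection above actually fires on, here is an added example (not part of the Sigma project, pySigma, or the rule author's material) that transcribes selection1 into a small evaluator and runs it over constructed, synthetic events. Field names Image and CommandLine are the ones the rule uses; the events, user name and file names are made up for the demonstration.

```python
# Added example: minimal evaluator for the Sigma selection1 block above, run
# over constructed process-creation events. Illustrative code only, not part
# of the Sigma project or pySigma.

# selection1 transcribed as "field|modifier" keys -> list of values.
SELECTION1 = {
    "Image|endswith": ["\\cmstp.exe"],
    "CommandLine|contains|all": [" /au ", "\\AppData\\Local\\Temp\\"],
    "CommandLine|endswith": [".inf"],
}


def _field_matches(actual: str, modifiers: list, needles: list) -> bool:
    """Apply one Sigma modifier chain. Sigma string matching is case-insensitive."""
    actual = actual.lower()
    needles = [n.lower() for n in needles]
    if "endswith" in modifiers:
        hits = [actual.endswith(n) for n in needles]
    elif "startswith" in modifiers:
        hits = [actual.startswith(n) for n in needles]
    elif "contains" in modifiers:
        hits = [n in actual for n in needles]
    else:
        hits = [actual == n for n in needles]
    # A list of values is OR-ed by default; the |all modifier turns it into an AND.
    return all(hits) if "all" in modifiers else any(hits)


def matches_selection(event: dict, selection: dict = SELECTION1) -> bool:
    """All keys inside one selection map are AND-ed together."""
    for key, needles in selection.items():
        field, *modifiers = key.split("|")
        actual = str(event.get(field, ""))
        if not _field_matches(actual, modifiers, needles):
            return False
    return True


# Constructed sample events (synthetic, not real telemetry).
SAMPLE_EVENTS = [
    {   # 1: the pattern the rule describes: /au with an .inf in the user's Temp folder
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"cmstp.exe /s /au C:\Users\alice\AppData\Local\Temp\profile.inf",
    },
    {   # 2: same binary, profile installed from an admin-managed path -> no alert
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r"cmstp.exe /s /au C:\ProgramData\VPN\corp.inf",
    },
    {   # 3: a different binary opening an .inf from Temp -> no alert
        "Image": r"C:\Windows\System32\notepad.exe",
        "CommandLine": r"notepad.exe C:\Users\alice\AppData\Local\Temp\profile.inf",
    },
    {   # 4: same as 1 but with a quoted path: the command line ends with a quote,
        #    so the endswith '.inf' clause does not hold. Keep this as a regression
        #    case when tuning the rule (e.g. also listing '.inf"' under endswith).
        "Image": r"C:\Windows\System32\cmstp.exe",
        "CommandLine": r'cmstp.exe /s /au "C:\Users\alice\AppData\Local\Temp\profile.inf"',
    },
]


def evaluate(events=SAMPLE_EVENTS) -> list:
    """Return the 1-based indices (matching the comments) of events that fire."""
    return [i for i, ev in enumerate(events, start=1) if matches_selection(ev)]


if __name__ == "__main__":
    print("alerting events:", evaluate())  # [1]
```

Only event 1 fires: the three AND-ed clauses (image name, both command-line substrings, trailing `.inf`) must all hold. Event 4 is the useful one for a detection engineer: it shows that the rule as written keys on the raw end of the command line, so a test corpus for this rule should include quoted paths before deciding whether to widen the endswith list.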
Related rules
- Wrmgr.exe spawning without command line arguments
- Dumpbin LOLBin use for proxying execution via link.exe
- MSTeams exe side-loading - Update.exe