CMSTP installation of malicious code
Detects execution of CMSTP (cmstp.exe) used to install a fake Connection Manager profile from a .INF file staged in a temporary location on disk. The .INF file carries the instructions the Connection Manager follows to install the profile, and can contain malicious commands in the section referenced by the RunPreSetupCommands directive (conventionally named RunPreSetupCommandsSection), which are executed before the profile setup itself runs.
Sigma rule
title: CMSTP installation of malicious code
id: 64a31e54-0cf3-4130-84c0-4ea972b88628
description: Detects execution of CMSTP (cmstp.exe) used to install a fake Connection Manager profile from a .INF file staged in a temporary location on disk. The .INF file carries the instructions the Connection Manager follows to install the profile, and can contain malicious commands in the section referenced by the RunPreSetupCommands directive (conventionally named RunPreSetupCommandsSection), which are executed before the profile setup itself runs.
status: experimental
date: 2023/08/10
author: '@kostastsale'
references:
    -
logsource:
    category: process_creation
    product: windows
detection:
    selection1:
        Image|endswith:
            - '\cmstp.exe'
        CommandLine|contains|all:
            - ' /au '
            - '\AppData\Local\Temp\'
        CommandLine|endswith:
            - '.inf'
    condition: selection1
falsepositives:
    - Unlikely
level: high
tags:
    - attack.defense_evasion
    - attack.t1218.003
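The selection above, evaluated in plain Python against a handful of constructed process-creation events, as an added example that is not part of this page or of the Sigma project. It reproduces selection1 literally (Sigma string modifiers are case-insensitive by default, so both sides are lower-cased), and adds an assumed broadened variant of my own, not the page's rule, to show two gaps a practitioner should know about: a quoted INF path defeats `CommandLine|endswith: '.inf'`, and the `/ni /s` silent-install form that LOLBAS documents for CMSTP never contains `' /au '`. The events, user name and file names are constructed for the example.

```python
"""Evaluate the CMSTP Sigma selection against constructed process events.

Added example, not code from the page or the Sigma project. The events
below are constructed (Sysmon Event ID 1 style: Image + CommandLine).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process_creation record: only the fields the rule reads."""
    image: str
    command_line: str


def matches_page_rule(ev: ProcessEvent) -> bool:
    """selection1 exactly as written on the page.

    Sigma's contains/endswith modifiers are case-insensitive by default,
    so both the event fields and the literals are compared lower-cased.
    """
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return (
        image.endswith("\\cmstp.exe")
        and " /au " in cmd                       # CommandLine|contains|all
        and "\\appdata\\local\\temp\\" in cmd    # ... second term
        and cmd.endswith(".inf")                 # CommandLine|endswith
    )


# Assumed broadened variant (my tweak, NOT the page's rule):
#  - accept /au or /ni as the install switch
#  - accept an INF path that is wrapped in double quotes
_FLAG_RE = re.compile(r"\s/(?:au|ni)\b")
_INF_RE = re.compile(r'\.inf"?\s*$')


def matches_broadened_rule(ev: ProcessEvent) -> bool:
    """Same image and %TEMP% requirements, looser switch and path handling."""
    image = ev.image.lower()
    cmd = ev.command_line.lower()
    return (
        image.endswith("\\cmstp.exe")
        and _FLAG_RE.search(cmd) is not None
        and "\\appdata\\local\\temp\\" in cmd
        and _INF_RE.search(cmd) is not None
    )


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    # 0: the pattern the rule targets: /au plus an INF dropped in %TEMP%
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r"cmstp.exe /au C:\Users\alice\AppData\Local\Temp\corpvpn.inf"),
    # 1: same, but the INF path is quoted; endswith '.inf' no longer holds
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r'cmstp.exe /au "C:\Users\alice\AppData\Local\Temp\corpvpn.inf"'),
    # 2: LOLBAS-style silent install (/ni /s) from %TEMP%; no ' /au ' token
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\corpvpn.inf"),
    # 3: vendor VPN profile installed from Program Files; not in %TEMP%
    ProcessEvent(r"C:\Windows\System32\cmstp.exe",
                 r'"C:\Windows\System32\cmstp.exe" /au "C:\Program Files\CorpVPN\CorpVPN.inf"'),
    # 4: unrelated image touching a .inf in %TEMP%; must never match
    ProcessEvent(r"C:\Windows\System32\notepad.exe",
                 r"notepad.exe C:\Users\alice\AppData\Local\Temp\corpvpn.inf"),
]


def evaluate(events, rule=matches_page_rule):
    """Return the indices of the events the given rule fires on."""
    return [i for i, ev in enumerate(events) if rule(ev)]


if __name__ == "__main__":
    print("page rule hits:     ", evaluate(SAMPLE_EVENTS))
    print("broadened rule hits:", evaluate(SAMPLE_EVENTS, matches_broadened_rule))
```

Run as written, the page's selection fires only on event 0, while the broadened variant also catches the quoted path (event 1) and the `/ni /s` form (event 2) without picking up the Program Files install (event 3). Whether the broadened form is acceptable in your environment depends on how often legitimate profile installs run out of a user's Temp directory; the page's falsepositives entry of "Unlikely" applies to the narrow selection, not to the variant.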
Related rules
- Dumpbin LOLBin use for proxying execution via link.exe
- MSTeams exe side-loading - Update.exe
- Wermgr.exe spawning without command line arguments
- VSDiagnostics used for proxying execution malicious binaries