SigmaHQ/rules/windows/sysmon/sysmon_cmstp_execution.yml

action: global
title: CMSTP Execution
id: 9d26fede-b526-4413-b069-6e24b6d07167
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
    - attack.defense_evasion
    - attack.execution
    - attack.t1191          # an old one
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/08/28
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
detection:
    condition: 1 of them
fields:
    - CommandLine
    - ParentCommandLine
    - Details
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
---
logsource:
    product: windows
    service: sysmon
detection:
    # Registry Object Add
    selection2:
        EventID: 12
        TargetObject: '*\cmmgr32.exe*'
        EventType: 'CreateKey'
    # Registry Object Value Set
    selection3:
        EventID: 13
        TargetObject: '*\cmmgr32.exe*'
    # Process Access Call Trace
    selection4:
        EventID: 10
        CallTrace: '*cmlua.dll*'
---
logsource:
    category: process_creation
    product: windows
detection:
    # CMSTP Spawning Child Process
    selection1:
        ParentImage: '*\cmstp.exe'
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`action: global`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`title: CMSTP Execution`
Added UUIDs to rules 2019-11-12 22:12:27 +00:00			`id: 9d26fede-b526-4413-b069-6e24b6d07167`
Removed duplicate status field 2018-07-16 21:55:31 +00:00			`status: stable`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`description: Detects various indicators of Microsoft Connection Manager Profile Installer execution`
Further ATT&CK tagging 2018-07-19 21:36:13 +00:00			`tags:`
			`- attack.defense_evasion`
			`- attack.execution`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`- attack.t1191 # an old one`
			`- attack.t1218.003`
Further ATT&CK tagging 2018-07-19 21:36:13 +00:00			`- attack.g0069`
First Pass 2019-06-14 04:15:38 +00:00			`- car.2019-04-001`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`author: Nik Seetharaman`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`date: 2018/07/16`
review windows/sysmon 2020-08-29 00:03:28 +00:00			`modified: 2020/08/28`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`references:`
fix: broken links 2020-07-03 09:22:06 +00:00			`- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/`
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`detection:`
			`condition: 1 of them`
			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
			`- Details`
			`falsepositives:`
			`- Legitimate CMSTP use (unlikely in modern enterprise environments)`
			`level: high`
			`---`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`logsource:`
			`product: windows`
			`service: sysmon`
			`detection:`
			`# Registry Object Add`
			`selection2:`
			`EventID: 12`
			`TargetObject: '\cmmgr32.exe'`
filter on createkey only when needed 2020-05-22 14:37:00 +00:00			`EventType: 'CreateKey'`
Add sysmon_cmstp_execution 2018-07-15 23:53:41 +00:00			`# Registry Object Value Set`
			`selection3:`
			`EventID: 13`
			`TargetObject: '\cmmgr32.exe'`
			`# Process Access Call Trace`
			`selection4:`
			`EventID: 10`
			`CallTrace: 'cmlua.dll'`
Converted to use the new process_creation data source 2019-03-09 17:57:59 +00:00			`---`
			`logsource:`
			`category: process_creation`
			`product: windows`
			`detection:`
			`# CMSTP Spawning Child Process`
			`selection1:`
fix: fixed missing date fields in remaining files 2020-01-30 15:07:37 +00:00			`ParentImage: '*\cmstp.exe'`