action: global title: CMSTP Execution id: 9d26fede-b526-4413-b069-6e24b6d07167 status: stable description: Detects various indicators of Microsoft Connection Manager Profile Installer execution tags: - attack.defense_evasion - attack.execution - attack.t1191 - attack.g0069 - car.2019-04-001 author: Nik Seetharaman date: 2018/07/16 references: - http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/ fields: - CommandLine - ParentCommandLine - Details falsepositives: - Legitimate CMSTP use (unlikely in modern enterprise environments) level: high --- logsource: category: process_creation,registry_event product: windows detection: # Registry Object Add selection2: TargetObject: '*\cmmgr32.exe*' EventType: 'CreateKey' # Registry Object Value Set selection3: TargetObject: '*\cmmgr32.exe*' # Process Access Call Trace selection4: CallTrace: '*cmlua.dll*' condition: 1 of them --- detection: # CMSTP Spawning Child Process selection1: ParentImage: '*\cmstp.exe' condition: 1 of them logsource: category: process_creation product: windows