rules/windows/process_access/sysmon_cmstp_execution.yml

title: CMSTP Execution Process Access
id: 3b4b232a-af90-427c-a22f-30b0c0837b95
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
tags:
    - attack.defense_evasion
    - attack.t1218.003
    - attack.t1191  # an old one
    - attack.execution
    - attack.t1559.001
    - attack.t1175  # an old one
    - attack.g0069
    - attack.g0080
    - car.2019-04-001
author: Nik Seetharaman
date: 2018/07/16
modified: 2020/12/23
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
fields:
    - CommandLine
    - ParentCommandLine
    - Details
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high
logsource:
    product: windows
    category: process_access
detection:
    # Process Access Call Trace
    selection:
        CallTrace|contains: 'cmlua.dll*'
    condition: selection
Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00			`title: CMSTP Execution Process Access`
			`id: 3b4b232a-af90-427c-a22f-30b0c0837b95`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`status: stable`
			`description: Detects various indicators of Microsoft Connection Manager Profile Installer execution`
			`tags:`
			`- attack.defense_evasion`
windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00			`- attack.t1218.003`
			`- attack.t1191 # an old one`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`- attack.execution`
windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00			`- attack.t1559.001`
added missing ATT&CK v6.3 IDs with comments and removed unnecessary "modified" attributes 2020-08-25 23:51:22 +00:00			`- attack.t1175 # an old one`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`- attack.g0069`
windows/process_access folder reviewed. Old ID’s marked with comment “an old one”. These ID’s have to be removed in future. 2020-08-23 02:03:06 +00:00			`- attack.g0080`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`- car.2019-04-001`
			`author: Nik Seetharaman`
			`date: 2018/07/16`
Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00			`modified: 2020/12/23`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`references:`
fix: broken links 2020-07-03 11:22:06 +02:00			`- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`fields:`
			`- CommandLine`
			`- ParentCommandLine`
			`- Details`
			`falsepositives:`
			`- Legitimate CMSTP use (unlikely in modern enterprise environments)`
			`level: high`
			`logsource:`
			`product: windows`
Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00			`category: process_access`
Added rules files split into folders 2020-06-10 16:32:30 +02:00			`detection:`
			`# Process Access Call Trace`
Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00			`selection:`
Merge branch 'oscd' 2021-03-02 22:48:55 +03:00			`CallTrace\|contains: 'cmlua.dll*'`
Split up cmstp rule into 3 separate rules and remove duplicates 2020-12-23 12:17:39 -05:00			`condition: selection`