From e4c052154ddd98e57ebe85766e101ecc3dffd32b Mon Sep 17 00:00:00 2001
From: Daniel Masse
Date: Wed, 23 Dec 2020 14:30:24 -0500
Subject: [PATCH] Remove unneeded file
---
 .../windows/sysmon/sysmon_cmstp_execution.yml | 52 -------------------
 1 file changed, 52 deletions(-)
 delete mode 100644 rules/windows/sysmon/sysmon_cmstp_execution.yml
diff --git a/rules/windows/sysmon/sysmon_cmstp_execution.yml b/rules/windows/sysmon/sysmon_cmstp_execution.yml
deleted file mode 100644
index 5bf2897cf..000000000
--- a/rules/windows/sysmon/sysmon_cmstp_execution.yml
+++ /dev/null
@@ -1,52 +0,0 @@
-action: global
-title: CMSTP Execution
-id: 9d26fede-b526-4413-b069-6e24b6d07167
-status: stable
-description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
-tags:
- - attack.defense_evasion
- - attack.execution
- - attack.t1191 # an old one
- - attack.t1218.003
- - attack.g0069
- - car.2019-04-001
-author: Nik Seetharaman
-date: 2018/07/16
-modified: 2020/08/28
-references:
- - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
-detection:
- condition: 1 of them
-fields:
- - CommandLine
- - ParentCommandLine
- - Details
-falsepositives:
- - Legitimate CMSTP use (unlikely in modern enterprise environments)
-level: high
----
-logsource:
- product: windows
- service: sysmon
-detection:
- # Registry Object Add
- selection2:
- EventID: 12
- TargetObject: '*\cmmgr32.exe*'
- EventType: 'CreateKey'
- # Registry Object Value Set
- selection3:
- EventID: 13
- TargetObject: '*\cmmgr32.exe*'
- # Process Access Call Trace
- selection4:
- EventID: 10
- CallTrace: '*cmlua.dll*'
----
-logsource:
- category: process_creation
- product: windows
-detection:
- # CMSTP Spawning Child Process
- selection1:
- ParentImage: '*\cmstp.exe'