sigma-rules/rules_building_block/defense_evasion_cmstp_execution.toml

[metadata]
bypass_bbr_timing = true
creation_date = "2023/08/24"
integration = ["endpoint", "windows", "system"]
maturity = "production"
updated_date = "2025/03/20"

[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager
service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the
execution of malicious code by supplying INF files that contain malicious commands.
"""
from = "now-9m"
index = [
    "endgame-*",
    "logs-endpoint.events.process-*",
    "logs-system.security*",
    "logs-windows.sysmon_operational-*",
    "winlogbeat-*",
]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via CMSTP.exe"
references = ["https://attack.mitre.org/techniques/T1218/003/"]
risk_score = 21
rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2"
severity = "low"
tags = [
    "Domain: Endpoint",
    "OS: Windows",
    "Use Case: Threat Detection",
    "Tactic: Defense Evasion",
    "Data Source: Elastic Defend",
    "Rule Type: BBR",
    "Data Source: Sysmon",
    "Data Source: Elastic Endgame",
    "Data Source: Windows Security Event Logs",
]
timestamp_override = "event.ingested"
type = "eql"

query = '''
process where host.os.type == "windows" and event.type == "start" and
  process.name : "cmstp.exe" and process.args == "/s"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1218"
name = "System Binary Proxy Execution"
reference = "https://attack.mitre.org/techniques/T1218/"
[[rule.threat.technique.subtechnique]]
id = "T1218.003"
name = "CMSTP"
reference = "https://attack.mitre.org/techniques/T1218/003/"



[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"