
[metadata]
# Dates are written as "YYYY/MM/DD" strings rather than native TOML dates;
# keep that shape, since this is how the rest of the rule's metadata is spelled.
creation_date = '2023/08/24'
integration = ['endpoint']
maturity = 'production'
# min_stack_comments records why the stack floor below was raised.
min_stack_comments = 'New fields added: required_fields, related_integrations, setup'
min_stack_version = '8.3.0'
updated_date = '2023/08/24'
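[rule]
author = ["Elastic"]
description = """
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program to install Connection Manager
service profiles, which accept installation information file (INF) files. Adversaries may abuse CMSTP to proxy the
execution of malicious code by supplying INF files that contain malicious commands.
"""
# Look back 119m on a 60m schedule so consecutive runs overlap; with
# timestamp_override = event.ingested this is presumably meant to cover
# late-indexed events rather than re-alert on them.
from = "now-119m"
interval = "60m"
index = ["logs-endpoint.events.*"]
language = "eql"
license = "Elastic License v2"
name = "Potential Defense Evasion via CMSTP.exe"
references = [
"https://attack.mitre.org/techniques/T1218/003/",
]
# Building-block rule: low score/severity by design. Legitimate Connection Manager
# profile installs also run cmstp.exe with /s, so on its own this is an enrichment
# signal for higher-order rules, not an alert.
risk_score = 21
rule_id = "bd3d058d-5405-4cee-b890-337f09366ba2"
severity = "low"
tags = ["Domain: Endpoint", "OS: Windows", "Use Case: Threat Detection", "Tactic: Defense Evasion", "Data Source: Elastic Defend", "Rule Type: BBR"]
timestamp_override = "event.ingested"
building_block_type = "default"
type = "eql"
# Match the PE original file name as well as process.name so a renamed copy of
# cmstp.exe is still caught. The switch is compared with `:` (case-insensitive in
# EQL) instead of `==` so "/S" is not a trivial bypass -- this assumes cmstp
# parses its switches case-insensitively like most Windows tools; confirm.
query = '''
process where host.os.type == "windows" and event.type == "start" and
  (process.name : "cmstp.exe" or process.pe.original_file_name == "CMSTP.EXE") and
  process.args : "/s"
'''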
[[rule.threat]]
framework = 'MITRE ATT&CK'

# Tactic of this mapping, declared ahead of the technique it belongs with.
[rule.threat.tactic]
id = 'TA0005'
name = 'Defense Evasion'
reference = 'https://attack.mitre.org/tactics/TA0005/'

[[rule.threat.technique]]
id = 'T1218'
name = 'System Binary Proxy Execution'
reference = 'https://attack.mitre.org/techniques/T1218/'

[[rule.threat.technique.subtechnique]]
id = 'T1218.003'
name = 'CMSTP'
reference = 'https://attack.mitre.org/techniques/T1218/003/'