title: CMSTP Execution Process Creation
author: Nik Seetharaman
date: 2018/07/16
description: Detects various indicators of Microsoft Connection Manager Profile Installer
    execution
detection:
    SELECTION_1:
        EventID: 1
    SELECTION_2:
        ParentImage: '*\cmstp.exe'
    condition: (SELECTION_1 and SELECTION_2)
falsepositives:
- Legitimate CMSTP use (unlikely in modern enterprise environments)
fields:
- CommandLine
- ParentCommandLine
- Details
id: 7d4cdc5a-0076-40ca-aac8-f7e714570e47
level: high
logsource:
    category: process_creation
    product: windows
modified: 2020/12/23
references:
- https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
status: stable
tags:
- attack.defense_evasion
- attack.execution
- attack.t1191
- attack.t1218.003
- attack.g0069
- car.2019-04-001
yml_filename: sysmon_cmstp_execution_by_creation.yml
yml_path: /Users/user/Documents/YamatoSecurity/sigma/rules/windows/process_creation