sigmahighTTP

CMSTP Execution Registry Event

Detects various indicators of Microsoft Connection Manager Profile Installer execution

MITRE ATT&CK

defense-evasionexecution

Detection Query

selection:
  TargetObject|contains: \cmmgr32.exe
condition: selection

Author

Nik Seetharaman

Created

2018-07-16

Data Sources

windowsRegistry Events

Platforms

windows

References

https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/

Tags

attack.defense-evasionattack.executionattack.t1218.003attack.g0069car.2019-04-001

Raw Content

title: CMSTP Execution Registry Event
id: b6d235fc-1d38-4b12-adbe-325f06728f37
status: stable
description: Detects various indicators of Microsoft Connection Manager Profile Installer execution
references:
    - https://web.archive.org/web/20190720093911/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
author: Nik Seetharaman
date: 2018-07-16
modified: 2020-12-23
tags:
    - attack.defense-evasion
    - attack.execution
    - attack.t1218.003
    - attack.g0069
    - car.2019-04-001
logsource:
    category: registry_event
    product: windows
detection:
    selection:
        TargetObject|contains: '\cmmgr32.exe'
    condition: selection
falsepositives:
    - Legitimate CMSTP use (unlikely in modern enterprise environments)
level: high