System Binary Proxy Execution: CMSTP T1218.003

Tactic: Stealth

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Events covered

8 catalog events are tagged with this technique by at least one rule.

Authoring guide

Patterns shared across the 24 rules under this technique: which fields they filter on, what specific values they look for, and what they exclude. The catalog normalizes field names across vendors, so Sigma's Image, Elastic's process.name and Splunk's process_name collapse into one row. Each rule contributes at most once per row.

Fields filtered most (21 distinct)

The fields most rules look at when detecting this technique. The How column shows the operators authors use (eq, wildcard, regex_match, match) and how often each appears. Sample values are concrete examples to start from, not an exhaustive list.

Field                Rules  How                            Sample values
process_name         11     eq 10, ne 1                    bginfo.exe, arp.exe, atbroker.exe, cmstp.exe, cdb.exe
event.type           10     eq 9, ne 1                     start, deletion
EventID              6      eq 6                           7, 1, 4688
Image                6      ends_with 3, in 2, wildcard 1  \cmstp.exe, *\\program files*, *\\windows\\*, *\\wbem\\*, ?:\users\*\appdata\*.exe
ImageLoaded          5      in 3, ends_with 2, contains 1  *\\cmlua.dll, *\\cmluautil.dll, *\\cmstplua.dll, *\\fastprox.dll, *\\mozglue.dll
parent_process_name  5      eq 5                           AcroRd32.exe, Acrobat.exe, FoxitPhantomPDF.exe, cmd.exe, cmstp.exe
CommandLine          3      regex_match 2, contains 1      (?i)cmstp|\s+\/s\s+.+\.inf|\s+\/ni\s+.{4,}|\s+\/ns\s+.{4,}, -au, -ni, -s
ParentImage          3      ends_with 2, eq 1              ?:\program files (x86)\teamcity\jre\bin\java.exe, ?:\program files\teamcity\jre\bin\java.exe, ?:\teamcity\buildagent\jre\bin\java.exe, \cmstp.exe, \dllhost.exe
process.args         3      eq 2, starts_with 1            -n, /s, C:\$Recycle.Bin\, C:\AMD\Temp\, C:\Intel\
Type                 2      eq 2
CallTrace            1      contains 1                     cmlua.dll
EventType            1      eq 1                           start
Initiated            1      eq 1                           true
IntegrityLevel       1      eq 1                           High, System
OriginalFileName     1      eq 1                           cmstp.exe

Top indicator values (221 distinct)

Specific (field, operator, value) combinations the rules check for, ranked by how many rules under this technique use each one. The Corpus reach column counts how many rules across the entire catalog (any technique) check the same combination. High numbers point to widely used indicators that are likely noisy on their own; combine them with another condition for useful signal. Blank means the combination is specific to rules under this technique.

Field         Kind  Value                             Rules (here)  Corpus reach
event.type    eq    start                             9             606
process_name  eq    cmstp.exe                         8             10
process_name  eq    ieexec.exe                        7             8
process_name  eq    iexpress.exe                      7             8
process_name  eq    installutil.exe                   7             18
process_name  eq    microsoft.workflow.compiler.exe   7             8
process_name  eq    mshta.exe                         7             31
process_name  eq    regsvr32.exe                      7             25
process_name  eq    wscript.exe                       7             29
process_name  eq    bginfo.exe                        6             6
process_name  eq    cdb.exe                           6             7
process_name  eq    cscript.exe                       6             25
process_name  eq    csi.exe                           6             6
process_name  eq    dnx.exe                           6             6
process_name  eq    fsi.exe                           6             6
process_name  eq    msxsl.exe                         6             9
process_name  eq    odbcconf.exe                      6             10
process_name  eq    powershell.exe                    6             104
process_name  eq    rcsi.exe                          6             6
process_name  eq    regasm.exe                        6             11
process_name  eq    regsvcs.exe                       6             10
process_name  eq    xwizard.exe                       6             9
process_name  eq    certutil.exe                      5             22
process_name  eq    cmd.exe                           5             77
process_name  eq    ping.exe                          5             9
process_name  eq    pwsh.exe                          5             62
process_name  eq    wmic.exe                          5             47
process_name  eq    arp.exe                           4             8
process_name  eq    atbroker.exe                      4             5
EventID       eq    7                                 4             39

Exclusions (119 distinct)

Field/operator/value combinations excluded by rules under this technique (top-level not() clauses), sorted by how many rules exclude each. These are the false-positive paths the community has learned to filter out. A new rule that ignores the high-count entries here will likely fire on the same noisy paths.

Field              Kind      Value                                                     Rules excluding
process_name       eq        cmd.exe                                                   2
process_name       eq        powershell.exe                                            2
process_name       eq        regsvr32.exe                                              2
process_name       eq        rundll32.exe                                              2
CommandLine        eq        driver\DPInst_x64 /f                                      1
CurrentDirectory   wildcard  ?:\Users\*\AppData\Local\Temp\BackupBootstrapper\Logs\    1
CurrentDirectory   wildcard  ?:\Users\*\AppData\Local\Temp\QBTools\                    1
CurrentDirectory   wildcard  ?:\Windows\TempInst\*                                     1
Image              in        *\\program files*                                         1
Image              in        *\\windows\\*                                             1
OriginalFileName   eq        dpinst.exe                                                1
ParentCommandLine  contains  screenconnectconfigurator.cmd                             1
ParentImage        wildcard  ?:\program files (x86)\ossec-agent\wazuh-agent.exe        1
ParentImage        wildcard  ?:\windows\system32\igfxcuiservice.exe                    1
ParentImage        wildcard  ?:\windows\system32\oobe\windeploy.exe                    1

Rules under this technique

Every rule in the catalog tagged with this technique, grouped by vendor.


Sigma: 7 rules
Elastic: 11 rules
Splunk: 6 rules