Detectionhightest
Bypass UAC via CMSTP
Detect commandline usage of Microsoft Connection Manager Profile Installer (cmstp.exe) to install specially formatted local .INF files
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
E.M. Anhaus (originally from Atomic Blue Detections, Endgame), oscd.communityCreated Thu Oct 24Updated Tue Aug 30e66779cc-383e-4224-a3a4-267eeb585c40windows
Log Source
WindowsProcess Creation
ProductWindows← raw: windows
CategoryProcess Creation← raw: process_creation
Events generated when a new process is spawned on the system. Covers command-line arguments, parent/child relationships, and process metadata.
Detection Logic
Detection Logic2 selectors
detection:
selection_img:
- Image|endswith: '\cmstp.exe'
- OriginalFileName: 'CMSTP.EXE'
selection_cli:
CommandLine|contains:
- '/s'
- '-s'
- '/au'
- '-au'
- '/ni'
- '-ni'
condition: all of selection*False Positives
Legitimate use of cmstp.exe utility by legitimate user
MITRE ATT&CK
Rule Metadata
Rule ID
e66779cc-383e-4224-a3a4-267eeb585c40
Status
test
Level
high
Type
Detection
Created
Thu Oct 24
Modified
Tue Aug 30
Path
rules/windows/process_creation/proc_creation_win_uac_bypass_cmstp.yml
Raw Tags
attack.privilege-escalationattack.defense-evasionattack.t1548.002attack.t1218.003