HUNTS- CMSTP (T1191)
HUNTS- CMSTP (T1191)
ATT&CK Technique: CMSTP (T1191)
What this playbook hunts for:
-
Processes spawned by cmstp.exe. Cmstp.exe can be used to load malicious .inf files which can execute DLLs and COM objects, enabling an attacker to execute malicious code. Cmstp.exe is an example of a Living of the Land (LOL) binary, which are native Windows executables that are rarely blocked by Applocker or anti-virus software.
How the playbook works:
-
Generates SIEM query for Sysmon Event ID 1 logs where cmstp.exe is the parent process of an executed file
What results are expected:
-
Name, process ID, and path of the process spawned by cmstp.exe.
-
Command line arguments for cmstp.exe and its child process
-
MD5 hash of the process spawned by cmstp.exe
-
Child process spawn time
-
Hostname of the computer where cmstp.exe was executed
-
User account that was used to execute cmstp.exe
Common follow-on actions:
-
Acquire forensic image
-
Sandbox file
-
Get running processes
-
Get network connections
-
Quarantine host
What inputs are necessary:
-
SIEM
-
Logs: Sysmon Event ID 1: Process creation
-
Hunt start time
What subroutine playbooks are needed:
-
Create and Link Alerts from Hunt (Host-based)
What configurations are needed:
-
Sysmon logging enabled
False Positive Potential: Low
-
Execution of cmstp.exe is uncommon on most networks. Child processes spawned by cmstp.exe are even more uncommon and should absolutely be investigated if observed.