T1218.003 CMSTP Detection — KQL & SPL Queries for Sentinel and Splunk

Microsoft Sentinel / Defender

kusto

DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmstp.exe"
| extend AutoClose = ProcessCommandLine has_any ("/s", "/au")
| extend NoUserInteraction = ProcessCommandLine has_any ("/ns", "/ni")
| extend HasINF = ProcessCommandLine has ".inf"
| extend SuspiciousINFPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "ProgramData", "\\Users\\")
| extend RemoteLoad = ProcessCommandLine has_any ("http://", "https://")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AutoClose, NoUserInteraction, HasINF,
         SuspiciousINFPath, RemoteLoad, SuspiciousParent
| sort by Timestamp desc

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Microsoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives

Legitimate VPN client installations using CMSTP.exe to install Connection Manager profiles from Program Files
Enterprise network configuration deployment using CMSTP with signed INF files from controlled paths
IT administrators manually installing connection profiles via CMSTP for remote access setup
Legacy Windows Remote Access Service configurations deployed via CMSTP

Splunk

spl

index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\cmstp.exe"
| eval AutoClose=if(match(CommandLine, "(/s|/au)"), 1, 0)
| eval NoUI=if(match(CommandLine, "(/ns|/ni)"), 1, 0)
| eval HasINF=if(match(CommandLine, "\.inf"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|ProgramData|\\\\Users\\\\)"), 1, 0)
| eval RemoteLoad=if(match(CommandLine, "http[s]?://"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval RiskScore=AutoClose + NoUI + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| table _time, host, User, CommandLine, ParentImage, ParentCommandLine, AutoClose, NoUI, HasINF, SuspiciousPath, RemoteLoad, SuspiciousParent, RiskScore
| sort - _time

high severity high confidence

Data Sources

Process: Process Creation Command: Command Execution Sysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives

Legitimate VPN client installations using CMSTP.exe to install Connection Manager profiles from Program Files
Enterprise network configuration deployment using CMSTP with signed INF files from controlled paths
IT administrators manually installing connection profiles via CMSTP for remote access setup
Legacy Windows Remote Access Service configurations deployed via CMSTP

Elastic Security (EQL)

eql

process where event.type == "start"
  and process.name : "cmstp.exe"
  and (
    process.args : ("/s", "/au", "/ns", "/ni")
    or process.command_line : "*.inf*"
    or process.command_line : ("*http://*", "*https://*")
    or process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*ProgramData*", "*\\Users\\*")
    or process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
  )

high severity high confidence

Data Sources

Windows Endpoint Logs Elastic Agent (Endpoint Security) Sysmon via Winlogbeat

Required Tables

logs-endpoint.events.process-* winlogbeat-*

False Positives

Legitimate VPN client installations using CMSTP to deploy Connection Manager profiles from corporate software deployment systems
IT administrators manually installing remote access profiles using CMSTP with silent flags (/s) from managed software repositories
Automated enterprise onboarding scripts invoking CMSTP from scripted parent processes such as cmd.exe or PowerShell with legitimate INF files from known paths

IBM QRadar (AQL)

sql

SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  "Parent Process" AS "Parent Process",
  CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END AS "AutoClose",
  CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END AS "NoUI",
  CASE WHEN "Command" ILIKE '%.inf%' THEN 1 ELSE 0 END AS "HasINF",
  CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' OR "Command" ILIKE '%public%' OR "Command" ILIKE '%programdata%' THEN 1 ELSE 0 END AS "SuspiciousPath",
  CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END AS "RemoteLoad",
  CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' OR "Parent Process" ILIKE '%cscript.exe%' OR "Parent Process" ILIKE '%mshta.exe%' OR "Parent Process" ILIKE '%winword.exe%' OR "Parent Process" ILIKE '%excel.exe%' OR "Parent Process" ILIKE '%outlook.exe%' THEN 1 ELSE 0 END AS "SuspiciousParent",
  (
    CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' OR "Command" ILIKE '%public%' OR "Command" ILIKE '%programdata%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END +
    CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' OR "Parent Process" ILIKE '%cscript.exe%' OR "Parent Process" ILIKE '%mshta.exe%' OR "Parent Process" ILIKE '%winword.exe%' OR "Parent Process" ILIKE '%excel.exe%' OR "Parent Process" ILIKE '%outlook.exe%' THEN 1 ELSE 0 END
  ) AS "RiskScore"
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 387)
  AND ("Process Name" ILIKE '%cmstp.exe%' OR "Command" ILIKE '%cmstp.exe%')
  AND starttime > NOW() - 86400000
  AND (
    CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END +
    CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' THEN 1 ELSE 0 END
  ) > 0
ORDER BY starttime DESC

high severity medium confidence

Data Sources

IBM QRadar SIEM Windows Security Event Log Microsoft Sysmon via QRadar DSM

Required Tables

events

False Positives

Legitimate VPN software deployment tools invoking CMSTP with /s and /au flags to silently install Connection Manager profiles across a fleet during onboarding
Enterprise MDM or SCCM deployment tasks running CMSTP from cmd.exe or PowerShell parent contexts with trusted INF files in ProgramData
Corporate IT automation scripts installing remote access profiles with HTTP-hosted INF files from internal software distribution servers

Sumo Logic CSE

sql

(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where _raw matches /(?i)cmstp\.exe/
| parse regex field=_raw "(?i)Image[:\s]+(?:[^\r\n]*\\\\)?(?P<process_image>[^\r\n\\]+)" nodrop
| parse regex field=_raw "(?i)CommandLine[:\s]+(?P<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)ParentImage[:\s]+(?:[^\r\n]*\\\\)?(?P<parent_image>[^\r\n\\]+)" nodrop
| parse regex field=_raw "(?i)ParentCommandLine[:\s]+(?P<parent_cmdline>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User[:\s]+(?P<username>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:Hostname|Computer|ComputerName)[:\s]+(?P<hostname>[^\r\n]+)" nodrop
| where process_image matches /(?i)cmstp\.exe/
| eval auto_close = if(matches(command_line, "(?i)/s|/au"), 1, 0)
| eval no_ui = if(matches(command_line, "(?i)/ns|/ni"), 1, 0)
| eval has_inf = if(matches(command_line, "(?i)\.inf"), 1, 0)
| eval suspicious_path = if(matches(command_line, "(?i)(Temp|AppData|Downloads|Public|ProgramData|\\\\Users\\\\)"), 1, 0)
| eval remote_load = if(matches(command_line, "(?i)https?://"), 1, 0)
| eval suspicious_parent = if(matches(parent_image, "(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval risk_score = auto_close + no_ui + has_inf + suspicious_path + remote_load + suspicious_parent
| where risk_score > 0
| fields _time, hostname, username, command_line, parent_image, parent_cmdline, auto_close, no_ui, has_inf, suspicious_path, remote_load, suspicious_parent, risk_score
| sort by _time desc

high severity high confidence

Data Sources

Sumo Logic Cloud SIEM Windows Event Logs via Installed Collector Sysmon via Sumo Logic Universal Forwarder

Required Tables

_sourceCategory=*windows* _sourceCategory=*sysmon*

False Positives

Legitimate enterprise VPN profile deployments using CMSTP invoked silently by IT management platforms such as SCCM or Intune from PowerShell parent processes
Security team red team exercises or penetration testers testing AppLocker bypass techniques in authorized lab environments
Corporate remote access onboarding scripts that invoke CMSTP with /s and INF files stored in temporary staging directories before installation completes

Google Chronicle / SecOps

yaral

rule T1218_003_CMSTP_Suspicious_Execution {
  meta:
    author = "Argus Detection Engineering"
    description = "Detects CMSTP.exe execution with indicators of malicious proxy execution: silent/auto-elevation flags, INF files from writable paths, remote URL loading, or suspicious scripting engine and Office application parent processes. Covers MuddyWater, Cobalt Group, CHIMNEYSWEEP, and LockBit 3.0 TTPs."
    mitre_attack_technique = "T1218.003"
    mitre_attack_tactic = "Defense Evasion"
    severity = "HIGH"
    confidence = "HIGH"
    reference = "https://attack.mitre.org/techniques/T1218/003/"

  events:
    $e.metadata.event_type = "PROCESS_LAUNCH"
    (
      re.regex($e.target.process.file.full_path, `(?i)\\cmstp\.exe$`) or
      re.regex($e.target.process.file.full_path, `(?i)/cmstp\.exe$`)
    )
    (
      re.regex($e.target.process.command_line, `(?i)(/s|/au|/ns|/ni)`) or
      re.regex($e.target.process.command_line, `(?i)\.inf`) or
      re.regex($e.target.process.command_line, `(?i)https?://`) or
      re.regex($e.target.process.command_line, `(?i)(temp|appdata|downloads|public|programdata|\\users\\)`) or
      re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$`)
    )

  outcome:
    $hostname = $e.principal.hostname
    $username = $e.principal.user.userid
    $cmdline = $e.target.process.command_line
    $parent_process = $e.principal.process.file.full_path
    $has_auto_close = if(re.regex($e.target.process.command_line, `(?i)(/s|/au)`), true, false)
    $has_no_ui = if(re.regex($e.target.process.command_line, `(?i)(/ns|/ni)`), true, false)
    $has_inf = if(re.regex($e.target.process.command_line, `(?i)\.inf`), true, false)
    $has_remote_url = if(re.regex($e.target.process.command_line, `(?i)https?://`), true, false)
    $has_suspicious_path = if(re.regex($e.target.process.command_line, `(?i)(temp|appdata|downloads|public|programdata)`), true, false)
    $has_suspicious_parent = if(re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$`), true, false)

  condition:
    $e
}

high severity high confidence

Data Sources

Google Chronicle SIEM Google Chronicle UDM Windows Endpoint Detection via Chronicle Forwarder

Required Tables

UDM Events (PROCESS_LAUNCH)

False Positives

Legitimate corporate VPN client installations initiated by IT deployment tools that spawn CMSTP from PowerShell or cmd.exe with silent flags and INF files staged in temporary directories
Security configuration management tools that install Connection Manager profiles as part of remote access provisioning workflows using CMSTP with /s and /au flags
Red team and penetration testing activities in authorized engagements simulating CMSTP-based AppLocker bypass or UAC bypass techniques on target systems

CrowdStrike LogScale (CQL)

cql

#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)\\cmstp\.exe$/
| AutoClose := if(CommandLine = ~/(?i)\/s|\/au/, "1", "0")
| NoUI := if(CommandLine = ~/(?i)\/ns|\/ni/, "1", "0")
| HasINF := if(CommandLine = ~/(?i)\.inf/, "1", "0")
| SuspiciousPath := if(CommandLine = ~/(?i)(Temp|AppData|Downloads|Public|ProgramData|\\Users\\)/, "1", "0")
| RemoteLoad := if(CommandLine = ~/(?i)https?:\/\//, "1", "0")
| SuspiciousParent := if(ParentBaseFileName = ~/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$/, "1", "0")
| RiskScore := AutoClose + NoUI + HasINF + SuspiciousPath + RemoteLoad + SuspiciousParent
| RiskScore > 0
| select([#timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, ParentCommandLine, AutoClose, NoUI, HasINF, SuspiciousPath, RemoteLoad, SuspiciousParent, RiskScore])
| sort(field=#timestamp, order=desc)

high severity high confidence

Data Sources

CrowdStrike Falcon Platform CrowdStrike Falcon LogScale (Humio) CrowdStrike EDR ProcessRollup2 Telemetry

Required Tables

ProcessRollup2

False Positives

Legitimate VPN profile deployments by endpoint management solutions (SCCM, Intune, Tanium) invoking CMSTP from PowerShell or cmd.exe parent processes with silent flags and INF files in ProgramData staging directories
Authorized IT scripting tasks that install Connection Manager service profiles enterprise-wide using CMSTP with /s, /ns, or /au flags as part of remote access infrastructure rollouts
Security operations or red team tooling running CMSTP-based AppLocker bypass proof-of-concept tests in sandboxed lab environments with controlled INF payloads

CMSTP

Data Sources

Required Tables

False Positives

Data Sources

Required Sourcetypes

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Data Sources

Required Tables

False Positives

Response Playbook

Investigation Guide

Atomic Red Team Tests

Unlock Pro Content

Related Detections

Parent Technique

Related Sub-techniques

Same Tactic: Defense Evasion

Popular Detections