Execution of CMSTP.exe with arguments pointing to suspicious or remote INF/SCT/DLL payloads, optionally followed by outbound network connections to untrusted IPs, process injection via auto-elevated COM interfaces (CMSTPLUA, CMLUAUTIL), or registry modifications registering malicious profiles, or preceded by the creation of suspicious INF/DLL/SCT files shortly before execution.

| Data Component | Name | Channel |
|---|---|---|
| Command Execution (DC0064) | WinEventLog:PowerShell | EventCode=4104 |
| Network Connection Creation (DC0082) | WinEventLog:Sysmon | EventCode=3 |
| Process Creation (DC0032) | WinEventLog:Sysmon | EventCode=1 |
| Process Access (DC0035) | WinEventLog:Sysmon | EventCode=10 |
| Windows Registry Key Creation (DC0056) | WinEventLog:Sysmon | EventCode=12 |
| Windows Registry Key Modification (DC0063) | WinEventLog:Sysmon | EventCode=13 |
| File Creation (DC0039) | WinEventLog:Sysmon | EventCode=11 |

| Field | Description |
|---|---|
| INFPathRegex | Regex for identifying suspicious INF files; adjust to suppress known safe profiles |
| ExternalIPAllowlist | Domains or IP ranges allowed for CMSTP network connections |
| COMInterfaceGUIDs | Set of auto-elevated COM interface GUIDs to flag (e.g., CMSTPLUA, CMLUAUTIL) |
| RegistryKeyAllowlist | Known good registry entries for CMSTP profile registration |
| TimeWindow | Correlate CMSTP execution with subsequent network activity or process creation within N seconds |
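The correlation described above, implemented as an added Python example (not part of this page or of MITRE ATT&CK's own analytics) over a handful of constructed Sysmon-style events rather than a live Splunk search. It ties together the tunables from the table: a CMSTP execution whose command line matches `INFPathRegex` becomes a candidate, and any Event 3 connection to an IP outside `ExternalIPAllowlist`, Event 12/13 registry write outside `RegistryKeyAllowlist`, Event 10 process access, or child process whose parent is DllHost.exe hosting one of `COMInterfaceGUIDs` inside `TimeWindow` raises its severity; an Event 11 file creation for the same INF path just before execution is attached as the staging indicator. All field names, the regex, the allowlist contents, the time window, and the sample events are assumptions; the one CLSID listed is the commonly published CMSTPLUA value and should be verified against your environment before use.

```python
"""Correlate Sysmon-style events around cmstp.exe execution (added example, not from the page)."""
import ipaddress
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# --- Tunables mirroring the table above (assumed values; adjust per environment) ---
# INFPathRegex: payload paths in user-writable, UNC or web locations ending in .inf/.sct/.dll
INF_PATH_REGEX = re.compile(r'(?i)(\\users\\|\\temp\\|\\appdata\\|https?://|\\\\)[^\s"]*\.(inf|sct|dll)\b')
# ExternalIPAllowlist: networks cmstp.exe may legitimately reach (assumed internal ranges)
EXTERNAL_IP_ALLOWLIST = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# COMInterfaceGUIDs: commonly published CMSTPLUA CLSID; verify before deployment, add CMLUAUTIL as needed
COM_INTERFACE_GUIDS = {"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"}
# RegistryKeyAllowlist: key prefixes treated as normal profile registration (assumed)
REGISTRY_KEY_ALLOWLIST = {r"HKLM\SOFTWARE\Microsoft\Connection Manager"}
# TimeWindow: how far before/after the cmstp.exe launch we look for related events
TIME_WINDOW = timedelta(seconds=60)


@dataclass
class Event:
    """Minimal Sysmon-like record; `pid` is ProcessId (Events 1/3/12/13) or SourceProcessId (Event 10)."""
    ts: datetime
    code: int
    pid: int
    image: str
    cmdline: str = ""
    parent_cmdline: str = ""
    dest_ip: str = ""
    target: str = ""  # TargetFilename, TargetObject or TargetImage depending on event type


def is_suspicious_cmstp(ev: Event) -> bool:
    """Event 1 for cmstp.exe whose arguments point at a payload matching INF_PATH_REGEX."""
    return ev.code == 1 and ev.image.lower().endswith("\\cmstp.exe") and bool(INF_PATH_REGEX.search(ev.cmdline))


def ip_allowed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EXTERNAL_IP_ALLOWLIST)


def registry_allowed(key: str) -> bool:
    return any(key.upper().startswith(prefix.upper()) for prefix in REGISTRY_KEY_ALLOWLIST)


def uses_elevated_com(parent_cmdline: str) -> bool:
    """Child spawned by a DllHost.exe surrogate hosting one of the flagged COM classes."""
    up = parent_cmdline.upper()
    return "DLLHOST.EXE" in up and any(guid.upper() in up for guid in COM_INTERFACE_GUIDS)


def correlate(events):
    """Return one alert per suspicious cmstp.exe launch, with follow-on and staging indicators."""
    events = sorted(events, key=lambda e: e.ts)
    alerts = []
    for ev in events:
        if not is_suspicious_cmstp(ev):
            continue
        indicators = []
        for other in events:
            delta = other.ts - ev.ts
            # Staging: the INF named on the command line was created shortly before the launch
            if other.code == 11 and -TIME_WINDOW <= delta < timedelta(0) and other.target.lower() in ev.cmdline.lower():
                indicators.append(f"staged_payload:{other.target}")
            if not (timedelta(0) < delta <= TIME_WINDOW):
                continue
            if other.code == 3 and other.pid == ev.pid and not ip_allowed(other.dest_ip):
                indicators.append(f"network:{other.dest_ip}")
            elif other.code in (12, 13) and other.pid == ev.pid and not registry_allowed(other.target):
                indicators.append(f"registry:{other.target}")
            elif other.code == 10 and other.pid == ev.pid:
                indicators.append(f"process_access:{other.target}")
            elif other.code == 1 and uses_elevated_com(other.parent_cmdline):
                indicators.append(f"com_elevation:{other.image}")
        alerts.append({"pid": ev.pid, "cmdline": ev.cmdline,
                       "severity": "high" if indicators else "medium", "indicators": indicators})
    return alerts


# Constructed sample telemetry (not real logs): one suspicious chain plus a benign corporate profile
BASE = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_EVENTS = [
    Event(BASE - timedelta(seconds=5), 11, 4000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
          target=r"C:\Users\Public\profile.inf"),
    Event(BASE, 1, 5120, r"C:\Windows\System32\cmstp.exe", cmdline=r"cmstp.exe /ni /s C:\Users\Public\profile.inf"),
    Event(BASE + timedelta(seconds=2), 3, 5120, r"C:\Windows\System32\cmstp.exe", dest_ip="203.0.113.45"),
    Event(BASE + timedelta(seconds=3), 3, 5120, r"C:\Windows\System32\cmstp.exe", dest_ip="10.20.30.40"),  # allowed
    Event(BASE + timedelta(seconds=4), 13, 5120, r"C:\Windows\System32\cmstp.exe",
          target=r"HKU\S-1-5-21-0-0-0-1001\Software\Microsoft\Windows\CurrentVersion\Run\cmprofile"),
    Event(BASE + timedelta(seconds=6), 1, 6000, r"C:\Windows\System32\cmd.exe", cmdline="cmd.exe",
          parent_cmdline=r"C:\Windows\System32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"),
    Event(BASE + timedelta(seconds=30), 1, 7000, r"C:\Windows\System32\cmstp.exe",
          cmdline=r'cmstp.exe /s "C:\Program Files\CorpVPN\corp.inf"'),  # benign: path not matched
    Event(BASE + timedelta(seconds=400), 3, 5120, r"C:\Windows\System32\cmstp.exe", dest_ip="198.51.100.7"),  # outside window
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["severity"], alert["pid"], alert["cmdline"])
        for indicator in alert["indicators"]:
            print("   ", indicator)
```

Running the block on the constructed events yields a single high-severity alert for PID 5120 carrying four indicators (staged INF, external connection, non-allowlisted registry write, COM-surrogate child process); the allowlisted connection and the one outside `TimeWindow` are ignored, and the corporate VPN profile launch never becomes a candidate because its path does not match `INFPathRegex`. Tightening the regex and allowlists is where false-positive tuning happens in practice.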