Execution via cmstp.exe
Identifies potentially stealthy execution via the Microsoft Connection Manager Profile Installer.
| id: | 56c64a8c-a787-488a-a7f2-b992d332679d |
|---|---|
| categories: | enrich |
| confidence: | low |
| os: | windows |
| created: | 7/26/2019 |
| updated: | 7/26/2019 |
MITRE ATT&CK™ Mapping
| tactics: | Defense Evasion, Execution |
|---|---|
| techniques: | T1191 CMSTP |
Query

```eql
process where subtype.create and
  process_name == "cmstp.exe" and
  command_line == "* /s *"
```
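The query's logic evaluated over constructed process events, as an added example (not part of the original analytic or of the EQL project's code). It assumes events are dictionaries with `event_type`, `subtype`, `process_name` and `command_line` fields, and that string comparison is case-insensitive with `*` as the only wildcard.

```python
import re

# Rule constants copied from the query on this page.
PROCESS_NAME = "cmstp.exe"
COMMAND_LINE_PATTERN = "* /s *"


def wildcard_match(pattern, value):
    """Whole-string, case-insensitive match where `*` is the only wildcard.

    Assumption: this mirrors how the query's `==` treats wildcard strings.
    """
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE | re.DOTALL) is not None


def rule_matches(event):
    """Return True when an event satisfies every clause of the query."""
    return (
        event.get("event_type") == "process"      # process where ...
        and event.get("subtype") == "create"      # subtype.create
        and wildcard_match(PROCESS_NAME, event.get("process_name", ""))
        and wildcard_match(COMMAND_LINE_PATTERN, event.get("command_line", ""))
    )


def ev(subtype, name, cmd):
    """Build one constructed sample event (hypothetical field layout)."""
    return {"event_type": "process", "subtype": subtype,
            "process_name": name, "command_line": cmd}


# Constructed sample data, not taken from real telemetry.
SAMPLE_EVENTS = [
    ev("create", "cmstp.exe", r"cmstp.exe /s C:\Users\Public\profile.inf"),
    ev("create", "CMSTP.EXE", r"CMSTP.EXE /ni /S C:\temp\vpn.inf"),
    ev("create", "cmstp.exe", r"cmstp.exe C:\temp\vpn.inf"),   # no /s switch
    ev("create", "setup.exe", r"setup.exe /s /v"),             # other binary
    ev("terminate", "cmstp.exe", r"cmstp.exe /s C:\temp\vpn.inf"),
]


def matching_indexes(events):
    """Indexes of the events the rule would return."""
    return [i for i, e in enumerate(events) if rule_matches(e)]


if __name__ == "__main__":
    for i in matching_indexes(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["command_line"])
```

Because the analytic is categorized as `enrich` with `low` confidence, hits like these are best reviewed alongside the parent process and the referenced `.inf` file rather than alerted on directly.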