DET0328 Detection of Malicious Profile Installation via CMSTP.exe

Item	Value
ID	DET0328
Version	1.0
Created	21 October 2025
Last Modified	21 October 2025

Technique Detected: T1218.003 (CMSTP)

Analytics

Windows

AN0932

Execution of CMSTP.exe with arguments pointing to suspicious or remote INF/SCT/DLL payloads, optionally followed by outbound network connections to untrusted IPs, process injection via COM interfaces (CMSTPLUA, CMLUAUTIL), registry modifications registering malicious profiles, or creation of suspicious INF/DLL/SCT files prior to execution.

Log Sources

Data Component	Name	Channel
Command Execution (DC0064)	WinEventLog:PowerShell	EventCode=4103, 4104, 4105, 4106
Network Connection Creation (DC0082)	WinEventLog:Sysmon	EventCode=3, 22
Process Creation (DC0032)	WinEventLog:Sysmon	EventCode=1
Process Access (DC0035)	WinEventLog:Sysmon	EventCode=10
Windows Registry Key Creation (DC0056)	WinEventLog:Sysmon	EventCode=12
Windows Registry Key Modification (DC0063)	WinEventLog:Sysmon	EventCode=13, 14
File Creation (DC0039)	WinEventLog:Sysmon	EventCode=11

Mutable Elements

Field	Description
INFPathRegex	Regex for identifying suspicious INF files; adjust to suppress known safe profiles
ExternalIPAllowlist	Domains or IP ranges allowed for CMSTP network connections
COMInterfaceGUIDs	Set of auto-elevated COM interface GUIDs to flag (e.g., CMSTPLUA, CMLUAUTIL)
RegistryKeyAllowlist	Known good registry entries for CMSTP profile registration
TimeWindow	Correlate CMSTP execution with subsequent network activity or process creation within N seconds