From fcc767baac972a09e43ca472ebc9b2a7cd8c4c2d Mon Sep 17 00:00:00 2001 From: "@" <@> Date: Sun, 20 Sep 2020 20:33:40 -0500 Subject: [PATCH] T1218.003 CMSTP --- DefenseEvasion.md | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/DefenseEvasion.md b/DefenseEvasion.md index f7b3749..ba3dcd4 100644 --- a/DefenseEvasion.md +++ b/DefenseEvasion.md @@ -29,6 +29,12 @@ SrcProcCmdLine ContainsCIS "ms-settings\shell\open\command" OR SrcProcCmdLine Co ### T1218.003 CMSTP Atomics: [T1218.003](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md) +CMSTP is rarely used within my environment, so the below detection has low false positives without filtering, though you may want to limit query to inf files located in personal/writeable directories. + +``` +SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)" +``` + ### T1574.012 COR_PROFILER Atomics: [T1574.012](https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1574.012/T1574.012.md)
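Review bot: the regular expression in the added query, `"^.*\.(inf)"`, is looser than the surrounding text implies and is also case-sensitive while the rest of this file matches command lines with `ContainsCIS`. The leading `^.*` is redundant, the `(inf)` group captures nothing, and because nothing follows the group the pattern also fires on any command line where `.inf` is merely a prefix of a longer token, while a Windows-style `.INF` is missed entirely. Suggest either reusing the file's existing case-insensitive operator, e.g. `SrcProcName = "cmstp.exe" AND SrcProcCmdLine ContainsCIS ".inf"`, or, if the query engine supports inline flags, a terminated form such as `SrcProcCmdLine RegExp "(?i)\.inf(\s|\"|$)"`. The sentence above the query also says readers may want to limit it to .inf files in personal or writeable directories but gives no example; one commented line showing that filter would make the tuning advice actionable, and "limit query" should read "limit the query".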