title: CMSTP
description: CMSTP is rarely used within my environment, so the below detection has low false positives without filtering, though you may want to limit the query to inf files located in personal/writeable directories.
author: keyboardcrunch
date: 10/10/2020
modified: null
mitre:
  tactic: Defense Evasion
  technique: T1218
  subtechnique: 003
operating_system: windows
query: SrcProcName = "cmstp.exe" AND SrcProcCmdLine RegExp "^.*\.(inf)"
false_positives: null
tags: null