Detect CMSTP in Google Chronicle
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.003 CMSTP
- Canonical reference
- https://attack.mitre.org/techniques/T1218/003/
YARA-L Detection Query
rule T1218_003_CMSTP_Suspicious_Execution {
meta:
author = "Argus Detection Engineering"
description = "Detects CMSTP.exe execution with indicators of malicious proxy execution: silent/auto-elevation flags, INF files from writable paths, remote URL loading, or suspicious scripting engine and Office application parent processes. Covers MuddyWater, Cobalt Group, CHIMNEYSWEEP, and LockBit 3.0 TTPs."
mitre_attack_technique = "T1218.003"
mitre_attack_tactic = "Defense Evasion"
severity = "HIGH"
confidence = "HIGH"
reference = "https://attack.mitre.org/techniques/T1218/003/"
events:
$e.metadata.event_type = "PROCESS_LAUNCH"
(
re.regex($e.target.process.file.full_path, `(?i)\\cmstp\.exe$`) or
re.regex($e.target.process.file.full_path, `(?i)/cmstp\.exe$`)
)
(
re.regex($e.target.process.command_line, `(?i)(/s|/au|/ns|/ni)`) or
re.regex($e.target.process.command_line, `(?i)\.inf`) or
re.regex($e.target.process.command_line, `(?i)https?://`) or
re.regex($e.target.process.command_line, `(?i)(temp|appdata|downloads|public|programdata|\\users\\)`) or
re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$`)
)
outcome:
$hostname = $e.principal.hostname
$username = $e.principal.user.userid
$cmdline = $e.target.process.command_line
$parent_process = $e.principal.process.file.full_path
$has_auto_close = if(re.regex($e.target.process.command_line, `(?i)(/s|/au)`), true, false)
$has_no_ui = if(re.regex($e.target.process.command_line, `(?i)(/ns|/ni)`), true, false)
$has_inf = if(re.regex($e.target.process.command_line, `(?i)\.inf`), true, false)
$has_remote_url = if(re.regex($e.target.process.command_line, `(?i)https?://`), true, false)
$has_suspicious_path = if(re.regex($e.target.process.command_line, `(?i)(temp|appdata|downloads|public|programdata)`), true, false)
$has_suspicious_parent = if(re.regex($e.principal.process.file.full_path, `(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$`), true, false)
condition:
$e
}Chronicle YARA-L 2.0 rule detecting CMSTP.exe process launch events with one or more suspicious indicators: silent install flags (/s, /au), no-UI flags (/ns, /ni), INF file references in user-writable directories (Temp, AppData, Downloads, Public, ProgramData), remote HTTP/HTTPS URL loading indicative of COM scriptlet or DLL staging, or suspicious parent process lineage from scripting engines or Office applications. Outcome variables provide analyst context including per-indicator boolean flags for triage. Covers known adversary use by MuddyWater, Cobalt Group, CHIMNEYSWEEP, and LockBit 3.0.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate corporate VPN client installations initiated by IT deployment tools that spawn CMSTP from PowerShell or cmd.exe with silent flags and INF files staged in temporary directories
- Security configuration management tools that install Connection Manager profiles as part of remote access provisioning workflows using CMSTP with /s and /au flags
- Red team and penetration testing activities in authorized engagements simulating CMSTP-based AppLocker bypass or UAC bypass techniques on target systems
Other platforms for T1218.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CMSTP Execution with Malicious INF File
Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.
- Test 2CMSTP Silent Execution from Temp Directory
Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.
- Test 3CMSTP Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.
References (7)
- https://attack.mitre.org/techniques/T1218/003/
- https://msitpros.com/?p=3960
- https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-iranian-influence-operation.html
- https://www.mandiant.com/resources/blog/roadsweep-august-2022
Unlock Pro Content
Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.