Detect CMSTP in Elastic Security
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.003 CMSTP
- Canonical reference
- https://attack.mitre.org/techniques/T1218/003/
Elastic Detection Query
process where event.type == "start"
and process.name : "cmstp.exe"
and (
process.args : ("/s", "/au", "/ns", "/ni")
or process.command_line : "*.inf*"
or process.command_line : ("*http://*", "*https://*")
or process.command_line : ("*Temp*", "*AppData*", "*Downloads*", "*Public*", "*ProgramData*", "*\\Users\\*")
or process.parent.name : ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
)Detects CMSTP.exe execution with suspicious indicators: silent install flags (/s, /au), no-UI flags (/ns, /ni), INF files loaded from user-writable paths (Temp, AppData, Downloads), remote URL loading via HTTP/HTTPS, or execution spawned by scripting engines and Office applications. These patterns indicate potential proxy execution of malicious DLLs, COM scriptlets, or UAC bypass attempts via CMSTP's auto-elevated COM interface.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate VPN client installations using CMSTP to deploy Connection Manager profiles from corporate software deployment systems
- IT administrators manually installing remote access profiles using CMSTP with silent flags (/s) from managed software repositories
- Automated enterprise onboarding scripts invoking CMSTP from scripted parent processes such as cmd.exe or PowerShell with legitimate INF files from known paths
Other platforms for T1218.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CMSTP Execution with Malicious INF File
Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.
- Test 2CMSTP Silent Execution from Temp Directory
Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.
- Test 3CMSTP Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.
References (7)
- https://attack.mitre.org/techniques/T1218/003/
- https://msitpros.com/?p=3960
- https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-iranian-influence-operation.html
- https://www.mandiant.com/resources/blog/roadsweep-august-2022
Unlock Pro Content
Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.