Detect CMSTP in CrowdStrike LogScale
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.003 CMSTP
- Canonical reference
- https://attack.mitre.org/techniques/T1218/003/
LogScale Detection Query
#event_simpleName=ProcessRollup2
| ImageFileName = /(?i)\\cmstp\.exe$/
| AutoClose := if(CommandLine = ~/(?i)\/s|\/au/, "1", "0")
| NoUI := if(CommandLine = ~/(?i)\/ns|\/ni/, "1", "0")
| HasINF := if(CommandLine = ~/(?i)\.inf/, "1", "0")
| SuspiciousPath := if(CommandLine = ~/(?i)(Temp|AppData|Downloads|Public|ProgramData|\\Users\\)/, "1", "0")
| RemoteLoad := if(CommandLine = ~/(?i)https?:\/\//, "1", "0")
| SuspiciousParent := if(ParentBaseFileName = ~/(?i)(cmd\.exe|powershell\.exe|wscript\.exe|cscript\.exe|mshta\.exe|winword\.exe|excel\.exe|outlook\.exe)$/, "1", "0")
| RiskScore := AutoClose + NoUI + HasINF + SuspiciousPath + RemoteLoad + SuspiciousParent
| RiskScore > 0
| select([#timestamp, ComputerName, UserName, CommandLine, ParentBaseFileName, ParentCommandLine, AutoClose, NoUI, HasINF, SuspiciousPath, RemoteLoad, SuspiciousParent, RiskScore])
| sort(field=#timestamp, order=desc)Detects CrowdStrike Falcon ProcessRollup2 events where cmstp.exe is executed with suspicious indicators scored via a composite risk model: silent/auto-elevation flags (/s, /au), no-UI flags (/ns, /ni), INF file references in user-writable paths (Temp, AppData, Downloads, Public, ProgramData), remote HTTP/HTTPS URL loading for COM scriptlet or DLL staging, and suspicious parent process lineage from scripting engines or Office applications. RiskScore > 0 filters benign baseline CMSTP invocations. Uses CrowdStrike Falcon's ProcessRollup2 telemetry with ParentBaseFileName for parent process identification without relying on full path regex.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate VPN profile deployments by endpoint management solutions (SCCM, Intune, Tanium) invoking CMSTP from PowerShell or cmd.exe parent processes with silent flags and INF files in ProgramData staging directories
- Authorized IT scripting tasks that install Connection Manager service profiles enterprise-wide using CMSTP with /s, /ns, or /au flags as part of remote access infrastructure rollouts
- Security operations or red team tooling running CMSTP-based AppLocker bypass proof-of-concept tests in sandboxed lab environments with controlled INF payloads
Other platforms for T1218.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CMSTP Execution with Malicious INF File
Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.
- Test 2CMSTP Silent Execution from Temp Directory
Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.
- Test 3CMSTP Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.
References (7)
- https://attack.mitre.org/techniques/T1218/003/
- https://msitpros.com/?p=3960
- https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-iranian-influence-operation.html
- https://www.mandiant.com/resources/blog/roadsweep-august-2022
Unlock Pro Content
Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.