T1218.003 IBM QRadar · QRadar

Detect CMSTP in IBM QRadar

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.003 CMSTP
Canonical reference
https://attack.mitre.org/techniques/T1218/003/

QRadar Detection Query

IBM QRadar (QRadar)
sql 
SELECT
  DATEFORMAT(starttime, 'yyyy-MM-dd HH:mm:ss') AS "Event Time",
  sourceip AS "Source IP",
  username AS "Username",
  "Process Name" AS "Process",
  "Command" AS "Command Line",
  "Parent Process" AS "Parent Process",
  CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END AS "AutoClose",
  CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END AS "NoUI",
  CASE WHEN "Command" ILIKE '%.inf%' THEN 1 ELSE 0 END AS "HasINF",
  CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' OR "Command" ILIKE '%public%' OR "Command" ILIKE '%programdata%' THEN 1 ELSE 0 END AS "SuspiciousPath",
  CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END AS "RemoteLoad",
  CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' OR "Parent Process" ILIKE '%cscript.exe%' OR "Parent Process" ILIKE '%mshta.exe%' OR "Parent Process" ILIKE '%winword.exe%' OR "Parent Process" ILIKE '%excel.exe%' OR "Parent Process" ILIKE '%outlook.exe%' THEN 1 ELSE 0 END AS "SuspiciousParent",
  (
    CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' OR "Command" ILIKE '%public%' OR "Command" ILIKE '%programdata%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END +
    CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' OR "Parent Process" ILIKE '%cscript.exe%' OR "Parent Process" ILIKE '%mshta.exe%' OR "Parent Process" ILIKE '%winword.exe%' OR "Parent Process" ILIKE '%excel.exe%' OR "Parent Process" ILIKE '%outlook.exe%' THEN 1 ELSE 0 END
  ) AS "RiskScore"
FROM events
WHERE
  LOGSOURCETYPEID IN (12, 387)
  AND ("Process Name" ILIKE '%cmstp.exe%' OR "Command" ILIKE '%cmstp.exe%')
  AND starttime > NOW() - 86400000
  AND (
    CASE WHEN "Command" ILIKE '%/s%' OR "Command" ILIKE '%/au%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%/ns%' OR "Command" ILIKE '%/ni%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%temp%' OR "Command" ILIKE '%appdata%' OR "Command" ILIKE '%downloads%' THEN 1 ELSE 0 END +
    CASE WHEN "Command" ILIKE '%http://%' OR "Command" ILIKE '%https://%' THEN 1 ELSE 0 END +
    CASE WHEN "Parent Process" ILIKE '%cmd.exe%' OR "Parent Process" ILIKE '%powershell.exe%' OR "Parent Process" ILIKE '%wscript.exe%' THEN 1 ELSE 0 END
  ) > 0
ORDER BY starttime DESC
high severity medium confidence

Detects CMSTP.exe process execution events with a composite risk score based on: silent/auto-elevation flags (/s, /au, /ns, /ni), INF files loaded from writable user paths (Temp, AppData, Downloads, Public, ProgramData), remote HTTP/HTTPS URL loading indicative of SCT/DLL staging, and suspicious parent processes including scripting engines and Office applications. LOGSOURCETYPEID 12 targets Microsoft Windows Security Event Log and 387 targets Sysmon. Risk score > 0 required to suppress benign baseline CMSTP invocations.

Data Sources

IBM QRadar SIEMWindows Security Event LogMicrosoft Sysmon via QRadar DSM

Required Tables

events

False Positives & Tuning

  • Legitimate VPN software deployment tools invoking CMSTP with /s and /au flags to silently install Connection Manager profiles across a fleet during onboarding
  • Enterprise MDM or SCCM deployment tasks running CMSTP from cmd.exe or PowerShell parent contexts with trusted INF files in ProgramData
  • Corporate IT automation scripts installing remote access profiles with HTTP-hosted INF files from internal software distribution servers
Download portable Sigma rule (.yml)

Other platforms for T1218.003

Microsoft Sentinel (KQL) Splunk (SPL) Elastic Security (Elastic) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CMSTP Execution with Malicious INF File

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.

  2. Test 2CMSTP Silent Execution from Temp Directory

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.

  3. Test 3CMSTP Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1548.002Bypass User Account ControlT1059.005Visual BasicT1059.007JavaScriptT1218.010Regsvr32T1218.001Compiled HTML FileT1566.001Spearphishing AttachmentT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections