T1218.003 Microsoft Sentinel · KQL

Detect CMSTP in Microsoft Sentinel

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.003 CMSTP
Canonical reference
https://attack.mitre.org/techniques/T1218/003/

KQL Detection Query

Microsoft Sentinel (KQL)
kusto 
DeviceProcessEvents
| where Timestamp > ago(24h)
| where FileName =~ "cmstp.exe"
| extend AutoClose = ProcessCommandLine has_any ("/s", "/au")
| extend NoUserInteraction = ProcessCommandLine has_any ("/ns", "/ni")
| extend HasINF = ProcessCommandLine has ".inf"
| extend SuspiciousINFPath = ProcessCommandLine has_any ("Temp", "AppData", "Downloads", "Public", "ProgramData", "\\Users\\")
| extend RemoteLoad = ProcessCommandLine has_any ("http://", "https://")
| extend SuspiciousParent = InitiatingProcessFileName has_any ("cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "winword.exe", "excel.exe", "outlook.exe")
| project Timestamp, DeviceName, AccountName, ProcessCommandLine, InitiatingProcessFileName,
         InitiatingProcessCommandLine, AutoClose, NoUserInteraction, HasINF,
         SuspiciousINFPath, RemoteLoad, SuspiciousParent
| sort by Timestamp desc
high severity high confidence

Detects CMSTP.exe abuse by identifying non-interactive execution flags (/s, /ns, /ni, /au) used in adversarial contexts, INF files loaded from user-writable paths, remote INF/SCT loading via HTTP, and suspicious parent processes. Legitimate CMSTP usage by VPN clients uses fixed paths and is typically user-initiated.

Data Sources

Process: Process CreationCommand: Command ExecutionMicrosoft Defender for Endpoint

Required Tables

DeviceProcessEvents

False Positives & Tuning

  • Legitimate VPN client installations using CMSTP.exe to install Connection Manager profiles from Program Files
  • Enterprise network configuration deployment using CMSTP with signed INF files from controlled paths
  • IT administrators manually installing connection profiles via CMSTP for remote access setup
  • Legacy Windows Remote Access Service configurations deployed via CMSTP
Download portable Sigma rule (.yml)

Other platforms for T1218.003

Splunk (SPL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CMSTP Execution with Malicious INF File

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.

  2. Test 2CMSTP Silent Execution from Temp Directory

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.

  3. Test 3CMSTP Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1548.002Bypass User Account ControlT1059.005Visual BasicT1059.007JavaScriptT1218.010Regsvr32T1218.001Compiled HTML FileT1566.001Spearphishing AttachmentT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections