T1218.003 Splunk · SPL

Detect CMSTP in Splunk

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.

MITRE ATT&CK

Tactic
Defense Evasion
Technique
T1218 System Binary Proxy Execution
Sub-technique
T1218.003 CMSTP
Canonical reference
https://attack.mitre.org/techniques/T1218/003/

SPL Detection Query

Splunk (SPL)
spl 
index=wineventlog sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1
Image="*\\cmstp.exe"
| eval AutoClose=if(match(CommandLine, "(/s|/au)"), 1, 0)
| eval NoUI=if(match(CommandLine, "(/ns|/ni)"), 1, 0)
| eval HasINF=if(match(CommandLine, "\.inf"), 1, 0)
| eval SuspiciousPath=if(match(CommandLine, "(Temp|AppData|Downloads|Public|ProgramData|\\\\Users\\\\)"), 1, 0)
| eval RemoteLoad=if(match(CommandLine, "http[s]?://"), 1, 0)
| eval SuspiciousParent=if(match(ParentImage, "(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval RiskScore=AutoClose + NoUI + SuspiciousPath + RemoteLoad + SuspiciousParent
| where RiskScore > 0
| table _time, host, User, CommandLine, ParentImage, ParentCommandLine, AutoClose, NoUI, HasINF, SuspiciousPath, RemoteLoad, SuspiciousParent, RiskScore
| sort - _time
high severity high confidence

Detects malicious CMSTP.exe execution using Sysmon Event ID 1. Scores across multiple risk indicators: silent/automated flags, suspicious INF paths, remote content loading, and suspicious parent processes. Any CMSTP execution with a risk score above 0 warrants investigation.

Data Sources

Process: Process CreationCommand: Command ExecutionSysmon Event ID 1

Required Sourcetypes

XmlWinEventLog:Microsoft-Windows-Sysmon/Operational

False Positives & Tuning

  • Legitimate VPN client installations using CMSTP.exe to install Connection Manager profiles from Program Files
  • Enterprise network configuration deployment using CMSTP with signed INF files from controlled paths
  • IT administrators manually installing connection profiles via CMSTP for remote access setup
  • Legacy Windows Remote Access Service configurations deployed via CMSTP
Download portable Sigma rule (.yml)

Other platforms for T1218.003

Microsoft Sentinel (KQL) Elastic Security (Elastic) IBM QRadar (QRadar) Sumo Logic CSE (Sumo) Google Chronicle (YARA-L) CrowdStrike LogScale (LogScale) All platforms (combined) →

Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1CMSTP Execution with Malicious INF File

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.

  2. Test 2CMSTP Silent Execution from Temp Directory

    Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.

  3. Test 3CMSTP Launched from PowerShell

    Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.

Last updated: 2026-04-13 Research depth: deep
References (7)

Unlock Pro Content

Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance
Sign Up for Pro View Pricing

Related Detections

Parent Technique

T1218System Binary Proxy Execution

Related Sub-techniques

T1218.001Compiled HTML FileT1218.002Control PanelT1218.004InstallUtilT1218.005MshtaT1218.007MsiexecT1218.008OdbcconfT1218.009Regsvcs/RegasmT1218.010Regsvr32T1218.011Rundll32T1218.012VerclsidT1218.013MavinjectT1218.014MMCT1218.015Electron Applications

Related Techniques

T1218System Binary Proxy ExecutionT1548.002Bypass User Account ControlT1059.005Visual BasicT1059.007JavaScriptT1218.010Regsvr32T1218.001Compiled HTML FileT1566.001Spearphishing AttachmentT1105Ingress Tool Transfer

Same Tactic: Defense Evasion

Popular Detections