Detect CMSTP in Sumo Logic CSE
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique.
MITRE ATT&CK
- Tactic
- Defense Evasion
- Technique
- T1218 System Binary Proxy Execution
- Sub-technique
- T1218.003 CMSTP
- Canonical reference
- https://attack.mitre.org/techniques/T1218/003/
Sumo Detection Query
(_sourceCategory=*windows* OR _sourceCategory=*sysmon* OR _sourceCategory=*winlogbeat*)
| where _raw matches /(?i)cmstp\.exe/
| parse regex field=_raw "(?i)Image[:\s]+(?:[^\r\n]*\\\\)?(?P<process_image>[^\r\n\\]+)" nodrop
| parse regex field=_raw "(?i)CommandLine[:\s]+(?P<command_line>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)ParentImage[:\s]+(?:[^\r\n]*\\\\)?(?P<parent_image>[^\r\n\\]+)" nodrop
| parse regex field=_raw "(?i)ParentCommandLine[:\s]+(?P<parent_cmdline>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)User[:\s]+(?P<username>[^\r\n]+)" nodrop
| parse regex field=_raw "(?i)(?:Hostname|Computer|ComputerName)[:\s]+(?P<hostname>[^\r\n]+)" nodrop
| where process_image matches /(?i)cmstp\.exe/
| eval auto_close = if(matches(command_line, "(?i)/s|/au"), 1, 0)
| eval no_ui = if(matches(command_line, "(?i)/ns|/ni"), 1, 0)
| eval has_inf = if(matches(command_line, "(?i)\.inf"), 1, 0)
| eval suspicious_path = if(matches(command_line, "(?i)(Temp|AppData|Downloads|Public|ProgramData|\\\\Users\\\\)"), 1, 0)
| eval remote_load = if(matches(command_line, "(?i)https?://"), 1, 0)
| eval suspicious_parent = if(matches(parent_image, "(?i)(cmd|powershell|wscript|cscript|mshta|winword|excel|outlook)\.exe"), 1, 0)
| eval risk_score = auto_close + no_ui + has_inf + suspicious_path + remote_load + suspicious_parent
| where risk_score > 0
| fields _time, hostname, username, command_line, parent_image, parent_cmdline, auto_close, no_ui, has_inf, suspicious_path, remote_load, suspicious_parent, risk_score
| sort by _time descDetects CMSTP.exe process creation events with a composite risk score evaluating silent install flags (/s, /au), no-UI flags (/ns, /ni), INF file references in suspicious writable paths (Temp, AppData, Downloads, Public, ProgramData), remote URL loading via HTTP/HTTPS, and suspicious parent process lineage including scripting engines (cmd, PowerShell, wscript, cscript, mshta) and Office applications. Uses regex-based field extraction from raw Sysmon or Windows Security log events. Records with risk_score > 0 are surfaced, prioritizing those with remote_load or suspicious_parent indicators.
Data Sources
Required Tables
False Positives & Tuning
- Legitimate enterprise VPN profile deployments using CMSTP invoked silently by IT management platforms such as SCCM or Intune from PowerShell parent processes
- Security team red team exercises or penetration testers testing AppLocker bypass techniques in authorized lab environments
- Corporate remote access onboarding scripts that invoke CMSTP with /s and INF files stored in temporary staging directories before installation completes
Other platforms for T1218.003
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1CMSTP Execution with Malicious INF File
Expected signal: Sysmon Event ID 1: cmstp.exe with /s /ns flags and Temp path in command line. Sysmon Event ID 1: calc.exe with ParentImage=cmstp.exe (child process spawned by CMSTP). Security Event ID 4688 for both processes.
- Test 2CMSTP Silent Execution from Temp Directory
Expected signal: Sysmon Event ID 1: cmstp.exe with /s flag and Temp path. The INF file creation will appear as Sysmon Event ID 11. Security Event ID 4688 for cmstp.exe process.
- Test 3CMSTP Launched from PowerShell
Expected signal: Sysmon Event ID 1: powershell.exe creating the INF file and launching cmstp.exe. Sysmon Event ID 11: INF file creation. Sysmon Event ID 1: cmstp.exe with ParentImage=powershell.exe, SuspiciousParent indicator fires.
References (7)
- https://attack.mitre.org/techniques/T1218/003/
- https://msitpros.com/?p=3960
- https://web.archive.org/web/20190316220149/http://www.endurant.io/cmstp/detecting-cmstp-enabled-code-execution-and-uac-bypass-with-sysmon/
- https://github.com/api0cradle/UltimateAppLockerByPassList
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1218.003/T1218.003.md
- https://www.fireeye.com/blog/threat-research/2018/03/suspected-iranian-influence-operation.html
- https://www.mandiant.com/resources/blog/roadsweep-august-2022
Unlock Pro Content
Get the full detection package for T1218.003 including response playbook, investigation guide, and atomic red team tests.