title: CMSTP (T1218.003)
id: df00tech-t1218-003
status: experimental
description: "Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands to load and execute DLLs or COM scriptlets (SCT) from remote servers. This technique bypasses AppLocker since CMSTP.exe is a signed Microsoft binary. CMSTP.exe can also be abused to bypass UAC through an auto-elevated COM interface. Groups including MuddyWater, Cobalt Group, and malware like CHIMNEYSWEEP and LockBit 3.0 have used this technique."
references:
  - https://attack.mitre.org/techniques/T1218/003/
  - https://df00tech.com/detections/T1218.003
author: df00tech
date: 2026/04/13
tags:
  - attack.t1218.003
# NOTE: logsource is auto-derived and may need adjustment for your environment
logsource:
  category: process_creation
  product: windows
detection:
  # This detection logic could not be auto-translated; see the KQL/SPL query on df00tech.
  selection:
    EventID: '*'
  condition: selection
falsepositives:
  - Legitimate VPN client installations using CMSTP.exe to install Connection Manager profiles from Program Files
  - Enterprise network configuration deployment using CMSTP with signed INF files from controlled paths
  - IT administrators manually installing connection profiles via CMSTP for remote access setup
  - Legacy Windows Remote Access Service configurations deployed via CMSTP
level: high