T1218.003 CMSTP
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. [1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile used for remote access connections.
Adversaries may supply CMSTP.exe with INF files that contain malicious commands. [2] Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs [3] and/or COM scriptlets (SCT) from remote servers. [4][5][6] This execution may also bypass AppLocker and other application control defenses, since CMSTP.exe is a legitimate, Microsoft-signed binary shipped with Windows and is therefore typically permitted by default allow-lists.
CMSTP.exe can also be abused to bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. [3][5][6]
Item | Value
---|---
ID | T1218.003
Sub-technique of | T1218
Other sub-techniques of T1218 | T1218.001, T1218.002, T1218.004, T1218.005, T1218.007, T1218.008, T1218.009, T1218.010, T1218.011, T1218.012, T1218.013, T1218.014
Tactics | TA0005 (Defense Evasion)
Platforms | Windows
Permissions required | User
Version | 2.0
Created | 23 January 2020
Last Modified | 11 March 2022
Procedure Examples
ID | Name | Description
---|---|---
G0080 | Cobalt Group | Cobalt Group has used the command `cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt` to bypass AppLocker and launch a malicious script. [8][9][10]
G0069 | MuddyWater | MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload. [7]
Mitigations
ID | Mitigation | Description
---|---|---
M1042 | Disable or Remove Feature or Program | CMSTP.exe may not be necessary within a given environment (unless it is used for VPN connection installation).
M1038 | Execution Prevention | Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network, to prevent potential misuse by adversaries.
Detection
ID | Data Source | Data Component
---|---|---
DS0017 | Command | Command Execution
DS0029 | Network Traffic | Network Connection Creation
DS0009 | Process | Process Creation
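The three data components above map directly onto the abuse patterns described at the top of the page: the command line (a non-INF or user-writable "profile" argument, as in the Cobalt Group procedure), the process tree (CMSTP.exe launched by a document or script host, or spawning a shell that runs the INF's embedded command or UAC-bypass payload), and network activity (CMSTP.exe fetching a remote SCT or DLL). The following is an added example of that triage logic, not code from the ATT&CK page or from any of the referenced research. The records mimic Sysmon Event ID 1 (process creation) and Event ID 3 (network connection) fields; every sample event, path, parent process and IP address is constructed for illustration, and the parent-process list and path patterns are an analyst's starting baseline to tune per environment, not published detection rules.

```python
"""Triage Sysmon-style events for CMSTP.exe proxy-execution patterns.

Added example, not from the ATT&CK page. Event dicts mimic Sysmon Event ID 1
(process creation) and Event ID 3 (network connection) fields; all sample
records below are constructed, and the heuristics are an analyst's baseline.
"""
import re

# Parents that rarely have a reason to install a Connection Manager profile.
# Assumption: Office and script hosts are the usual phishing delivery path.
SUSPICIOUS_PARENTS = {
    "winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
    "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe",
}
# Locations an unprivileged user can write to; a deployed VPN profile is
# normally installed from a package, not from Temp or AppData.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|Downloads)\\", re.IGNORECASE)


def basename(path):
    """Lower-cased file name from a Windows (or forward-slash) path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def tokenize(cmdline):
    """Split a command line on whitespace while keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def check_process_create(ev):
    """Findings for one Event ID 1 record (an empty list means nothing odd)."""
    findings = []
    image = basename(ev.get("Image", ""))
    parent = basename(ev.get("ParentImage", ""))
    if image == "cmstp.exe":
        tokens = tokenize(ev.get("CommandLine", ""))
        switches = {t.lower() for t in tokens[1:] if t.startswith("/")}
        for arg in (t for t in tokens[1:] if not t.startswith("/")):
            # The profile argument should be a .inf; Cobalt Group passed a .txt.
            if not arg.lower().endswith(".inf"):
                findings.append(f"profile argument is not an .inf file: {arg}")
            if USER_WRITABLE.search(arg):
                findings.append(f"profile loaded from user-writable path: {arg}")
        if "/s" in switches and findings:
            findings.append("silent install (/s) combined with a suspicious profile")
        if parent in SUSPICIOUS_PARENTS:
            findings.append(f"cmstp.exe launched by {parent}")
    elif parent == "cmstp.exe":
        # CMSTP runs commands named in the INF; a shell or script host as its
        # child is how an embedded command (or the UAC-bypass payload) appears.
        findings.append(f"cmstp.exe spawned {image}")
    return findings


def check_network(ev):
    """Findings for one Event ID 3 record. CMSTP has no reason to reach out
    while installing a local profile, so any non-loopback connection is noted;
    remote SCT/DLL retrieval would surface here."""
    dst = ev.get("DestinationIp", "")
    if basename(ev.get("Image", "")) == "cmstp.exe" and not (dst.startswith("127.") or dst == "::1"):
        return [f"cmstp.exe connected to {dst}:{ev.get('DestinationPort', '?')}"]
    return []


def detect(events):
    """Return one hit per event that produced findings, keyed by its position."""
    hits = []
    for index, ev in enumerate(events):
        if ev.get("EventID") == 1:
            findings = check_process_create(ev)
        elif ev.get("EventID") == 3:
            findings = check_network(ev)
        else:
            findings = []
        if findings:
            hits.append({"index": index, "image": basename(ev.get("Image", "")), "findings": findings})
    return hits


# Constructed sample telemetry: a benign profile install from an installer,
# then a Cobalt Group-style invocation, its child shell, and an outbound socket.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\CorpVPN\corpvpn.inf"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmstp.exe",
     "CommandLine": r"cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c powershell.exe -nop -w hidden",
     "ParentImage": r"C:\Windows\System32\cmstp.exe"},
    {"EventID": 3, "Image": r"C:\Windows\System32\cmstp.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(f"event {hit['index']} ({hit['image']}):")
        for finding in hit["findings"]:
            print(f"  - {finding}")
```

The benign first event produces no findings, so a legitimate VPN rollout stays quiet; the Cobalt Group-style command is flagged on three independent grounds (non-INF argument, Temp directory, Office parent) plus the silent switch, which is the redundancy you want so that a single evasion (say, renaming the payload to `.inf`) does not silence the rule. Loopback is excluded in `check_network` only as a low-noise default; if telemetry shows CMSTP.exe never opens sockets in your environment, alert on every connection.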
References
1. Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.
2. Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved April 11, 2018.
3. Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.
4. Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.
5. Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
6. Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. Retrieved August 6, 2018.
7. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.
8. Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018.
9. Gorelik, M. (2018, October 8). Cobalt Group 2.0. Retrieved November 5, 2018.
10. Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial Actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018.