System Binary Proxy Execution: CMSTP (T1218.003)
Tactic: Stealth · Platforms: Windows
The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.
Sub-technique of System Binary Proxy Execution (T1218).
Overview
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.
CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.