System Binary Proxy Execution: CMSTP (T1218.003)

Tactic: Stealth · Platforms: Windows

The interactive view maps 1 detection strategy, 2 mitigations, 2 threat groups, 2 software entries to this technique, alongside D3FEND countermeasures and data-component coverage.

Sub-technique of System Binary Proxy Execution (T1218).

Overview

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

Explore