Description
Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.
CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
Platforms
Mitigations (2)
Execution PreventionM1038
Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.
Disable or Remove Feature or ProgramM1042
CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).
Threat Groups (2)
| ID | Group | Context |
|---|---|---|
| G0069 | MuddyWater | [MuddyWater](https://attack.mitre.org/groups/G0069) has used CMSTP.exe and a malicious INF to execute its [POWERSTATS](https://attack.mitre.org/softwa... |
| G0080 | Cobalt Group | [Cobalt Group](https://attack.mitre.org/groups/G0080) has used the command <code>cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt</c... |
Associated Software (2)
| ID | Name | Type | Context |
|---|---|---|---|
| S1149 | CHIMNEYSWEEP | Malware | [CHIMNEYSWEEP](https://attack.mitre.org/software/S1149) can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.(Citation: Mandi... |
| S1202 | LockBit 3.0 | Malware | [LockBit 3.0](https://attack.mitre.org/software/S1202) can attempt a CMSTP UAC bypass if it does not have administrative privileges.(Citation: Sentine... |
References
- Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved September 12, 2024.
- Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.
- Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.
- Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
- Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon.. Retrieved November 17, 2024.
- Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved September 12, 2024.
Frequently Asked Questions
What is T1218.003 (CMSTP)?
T1218.003 is a MITRE ATT&CK technique named 'CMSTP'. It belongs to the Stealth tactic(s). Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service pr...
How can T1218.003 be detected?
Detection of T1218.003 (CMSTP) typically involves monitoring system logs, network traffic, and endpoint telemetry. Use SIEM rules, EDR solutions, and behavioral analytics to identify suspicious activity associated with this technique.
What mitigations exist for T1218.003?
There are 2 documented mitigations for T1218.003. Key mitigations include: Execution Prevention, Disable or Remove Feature or Program.
Which threat groups use T1218.003?
Known threat groups using T1218.003 include: MuddyWater, Cobalt Group.