Technique on mitre.org

T1218.003: CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs and/or COM scriptlets (SCT) from remote servers. This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface.

Positive Technologies products that cover the technique

MaxPatrol SIEM knowledge base

mitre_attck_defense_evasion: PT-CR-201: Cmstp_AWL_Bypass: An attempt to bypass User Account Control (UAC) or application-start restrictions by using cmstp.exe (a built-in Microsoft Windows utility that installs or removes Connection Manager service profiles)

Detection

IDDS0029Data source and componentNetwork Traffic: Network Connection CreationDescription

Monitor for newly constructed network connections that are sent or received by untrusted hosts, such as Sysmon Event 3 (Network connection) where Image contains CMSTP.exe and DestinationIP is external.

Note: Event IDs are for Sysmon (Event ID 1 - process create) and Windows Security Log (Event ID 4688 - a new process has been created). The Analytic looks for the creation of a new CMSTP.exe process which initiates a network connection to a non-local IP address. This is a specific implementation where CMSTP.exe can be leveraged to setup listeners that will receive and install malware from remote sources in a trusted fashion.

Analytic 1 - CMSTP

(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="3") Image="C:\Windows\System32\CMSTP.exe" | WHERE ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp))

IDDS0017Data source and componentCommand: Command ExecutionDescription

Monitor executed commands and arguments that may gather information about the victim's hosts that can be used during targeting.

Note: Event ID 4104 (from the Microsoft-Windows-Powershell/Operational log) captures Powershell script blocks, which can be analyzed and used to detect on abuse of CMSTP.

IDDS0009Data source and componentProcess: Process CreationDescription

Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity. Sysmon events can also be used to identify potential abuses of CMSTP.exe. Detection strategy may depend on the specific adversary procedure, but potential rules include:

  • To detect loading and execution of local/remote payloads - Event 1 (Process creation) where ParentImage contains CMSTP.exe
  • Also monitor for events, such as the creation of processes (Sysmon Event 1), that involve auto-elevated CMSTP COM interfaces such as CMSTPLUA (3E5FC7F9-9A51-4367-9063-A120244FBEC7) and CMLUAUTIL (3E000D72-A845-4CD9-BD83-80C07C3B881F).

Mitigation

IDM1038NameExecution PreventionDescription

Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

IDM1042NameDisable or Remove Feature or ProgramDescription

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).