The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List)
Detection: Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.
Platforms: Windows
Data Sources: Process Monitoring, Process command-line parameters
Defense Bypassed: Application whitelisting, Anti-virus
Permissions Required: User
Remote Support: No
Contributors: Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
Supported Platforms: Windows
| Name | Description | Type | Default Value |
|---|---|---|---|
| inf_file_path | Path to the INF file | path | T1191.inf |
cmstp.exe /s #{inf_file_path}