Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.
CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
View in MITRE ATT&CK®| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| CM-06 | Configuration Settings | mitigates | T1218.003 | CMSTP | |
| CM-11 | User-installed Software | mitigates | T1218.003 | CMSTP | |
| SI-16 | Memory Protection | mitigates | T1218.003 | CMSTP | |
| RA-05 | Vulnerability Monitoring and Scanning | mitigates | T1218.003 | CMSTP | |
| CM-08 | System Component Inventory | mitigates | T1218.003 | CMSTP | |
| SI-10 | Information Input Validation | mitigates | T1218.003 | CMSTP | |
| SI-03 | Malicious Code Protection | mitigates | T1218.003 | CMSTP | |
| SI-07 | Software, Firmware, and Information Integrity | mitigates | T1218.003 | CMSTP | |
| CM-02 | Baseline Configuration | mitigates | T1218.003 | CMSTP | |
| CM-07 | Least Functionality | mitigates | T1218.003 | CMSTP | |
| SI-04 | System Monitoring | mitigates | T1218.003 | CMSTP |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| action.hacking.variety.Abuse of functionality | Abuse of functionality. | related-to | T1218.003 | CMSTP |
| Capability ID | Capability Description | Mapping Type | ATT&CK ID | ATT&CK Name | Notes |
|---|---|---|---|---|---|
| google_secops | Google Security Operations | technique_scores | T1218.003 | CMSTP |
Comments
Google Security Ops is able to trigger an alert when adversaries attempt to abuse Microsoft's Connection Manager Profile Installer to proxy the execution of malicious code.
This technique was scored as minimal based on low or uncertain detection coverage factor.
https://github.com/chronicle/detection-rules/blob/783e0e5947774785db1c55041b70176deeca6f46/soc_prime_rules/threat_hunting/sysmon/cmstp_exe_execution_detector__sysmon_behavior.yaral
References
|