T1218.003 CMSTP Mappings

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to Regsvr32 / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate, signed Microsoft application.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)

View in MITRE ATT&CK®

Mappings

Capability ID Capability Description Mapping Type ATT&CK ID ATT&CK Name
CM-2 Baseline Configuration Protects T1218.003 CMSTP
CM-6 Configuration Settings Protects T1218.003 CMSTP
CM-7 Least Functionality Protects T1218.003 CMSTP
CM-8 System Component Inventory Protects T1218.003 CMSTP
RA-5 Vulnerability Monitoring and Scanning Protects T1218.003 CMSTP
SI-10 Information Input Validation Protects T1218.003 CMSTP
SI-4 System Monitoring Protects T1218.003 CMSTP
SI-7 Software, Firmware, and Information Integrity Protects T1218.003 CMSTP
action.hacking.variety.Abuse of functionality Abuse of functionality related-to T1218.003 Signed Binary Proxy Execution: CMSTP