System Binary Proxy Execution: CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. [1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. [2] Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs [3] and/or COM scriptlets (SCT) from remote servers. [4] [5] [6] This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. [3] [5] [6]

ID: T1218.003
Sub-technique of: T1218
Tactic: Defense Evasion
Platforms: Windows
Contributors: Nik Seetharaman, Palantir; Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank
Version: 2.2
Created: 23 January 2020
Last Modified: 24 October 2025

Procedure Examples

ID Name Description
S1149 CHIMNEYSWEEP

CHIMNEYSWEEP can use CMSTP.exe to install a malicious Microsoft Connection Manager Profile.[7]

G0080 Cobalt Group

Cobalt Group has used the command cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt to bypass AppLocker and launch a malicious script.[8][9][10]

S1202 LockBit 3.0

LockBit 3.0 can attempt a CMSTP UAC bypass if it does not have administrative privileges.[11]

G0069 MuddyWater

MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.[12]

Mitigations

ID Mitigation Description
M1042 Disable or Remove Feature or Program

CMSTP.exe may not be necessary within a given environment (unless using it for VPN connection installation).

M1038 Execution Prevention

Consider using application control configured to block execution of CMSTP.exe if it is not required for a given system or network to prevent potential misuse by adversaries.

Detection Strategy

ID: DET0328
Name: Detection of Malicious Profile Installation via CMSTP.exe
Analytic ID: AN0932
Analytic Description: Execution of CMSTP.exe with arguments pointing to suspicious or remote INF/SCT/DLL payloads, optionally followed by outbound network connections to untrusted IPs, process injection via COM interfaces (CMSTPLUA, CMLUAUTIL), registry modifications registering malicious profiles, or creation of suspicious INF/DLL/SCT files prior to execution.
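The following is an added illustration of the process-creation part of this analytic, not code from ATT&CK or from any referenced tool. It scores constructed Sysmon Event ID 1 style records (the first reuses the Cobalt Group command line quoted above; the others are made up) on three heuristics the analytic describes: the profile argument points to a user-writable or remote location, or is not an .inf file; cmstp.exe is launched from a shell or script host; or cmstp.exe itself spawns a child process, which is assumed here to be how INF-embedded commands surface in telemetry.

```python
import re

# Constructed sample process-creation records (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ns C:\Users\ADMINI~W\AppData\Local\Temp\XKNqbpzl.txt",
     "parent": r"C:\Windows\System32\cmd.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r'cmstp.exe /s /ns "C:\Program Files\CorpVPN\corpvpn.inf"',
     "parent": r"C:\Program Files\CorpVPN\setup.exe"},
    {"image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /s /ns \\fileshare.example.invalid\drop\profile.inf",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd.exe /c whoami",
     "parent": r"C:\Windows\System32\cmstp.exe"},
]

CMSTP = re.compile(r"\\cmstp\.exe$", re.I)                     # image or parent is cmstp.exe
USER_WRITABLE = re.compile(r"\\(Users|ProgramData|Temp)\\|\\AppData\\", re.I)
REMOTE = re.compile(r"^(https?://|\\\\)", re.I)                 # URL or UNC path
SCRIPT_HOSTS = re.compile(r"\\(cmd|powershell|wscript|cscript|mshta)\.exe$", re.I)

def profile_argument(cmdline):
    """Return the last non-switch argument, i.e. the profile file handed to cmstp.exe."""
    tokens = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    args = [t for t in tokens[1:] if not t.startswith("/")]
    return args[-1] if args else ""

def assess(event):
    """Return the reasons this event matches the CMSTP abuse analytic (empty list = benign)."""
    reasons = []
    if CMSTP.search(event["image"]):
        arg = profile_argument(event["cmdline"])
        if REMOTE.match(arg):
            reasons.append("profile loaded from remote location")
        elif USER_WRITABLE.search(arg):
            reasons.append("profile in user-writable directory")
        if arg and not arg.lower().endswith(".inf"):
            reasons.append("profile argument is not an .inf file")
        if SCRIPT_HOSTS.search(event["parent"]):
            reasons.append("launched from a shell or script host")
    elif CMSTP.search(event["parent"]):
        reasons.append("child process spawned by cmstp.exe")  # assumed heuristic
    return reasons

def scan(events):
    """Map event index to its reasons, keeping only events that matched at least one heuristic."""
    return {i: r for i, e in enumerate(events) if (r := assess(e))}
```

Running `scan(SAMPLE_EVENTS)` flags events 0, 2 and 3 and leaves the vendor-installed VPN profile (event 1) alone; the legitimate case is what a tuning pass against your own install telemetry must allow-list before the rule goes live.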
