| Field | Value |
|---|---|
| Tactic | Defense Evasion, Execution |
| Data Sources | Process Monitoring, Process command-line parameters |
| Defense Bypassed | Application whitelisting, Anti-virus |
| Contributors | Ye Yint Min Thu Htut, Offensive Security Team, DBS Bank |
The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles.[1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.
Adversaries may supply CMSTP.exe with INF files infected with malicious commands.[2] Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs[3] and/or COM scriptlets (SCT) from remote servers.[4][5] This execution may also bypass AppLocker and other whitelisting defenses since CMSTP.exe is a legitimate, signed Microsoft application.
CMSTP.exe may not be necessary within a given environment (unless it is used to install VPN connection profiles). Consider configuring application whitelisting to block execution of CMSTP.exe on systems or networks where it is not required, to prevent potential misuse by adversaries.[3]
Use process monitoring to detect and analyze the execution and arguments of CMSTP.exe. Compare recent invocations of CMSTP.exe with prior history of known good arguments and loaded files to determine anomalous and potentially adversarial activity.
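As an added illustration of the detection approach described above (example code written for this page, not part of ATT&CK or any vendor tooling), the following Python script scores constructed process-creation events for CMSTP.exe against a hypothetical baseline of known-good parent processes and INF directories, and additionally flags INF files supplied from remote or user-writable locations. The Sysmon-style field names, the baseline and the sample events are all assumptions.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample process-creation events (simplified Sysmon Event ID 1 shape).
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Program Files\Corp VPN\setup.exe",
     "CommandLine": r'cmstp.exe /s "C:\Program Files\Corp VPN\corpvpn.inf"'},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp.exe /s C:\Users\alice\AppData\Local\Temp\profile.inf"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe"},
    {"Image": r"C:\Windows\System32\cmstp.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmstp.exe /s \\10.0.0.5\share\vpn.inf"},
]

# Hypothetical baseline built from prior history of known-good invocations:
# (parent process name, directory holding the INF), both lower-cased.
KNOWN_GOOD = {("setup.exe", r"c:\program files\corp vpn")}

# User-writable directories where a vetted VPN profile would not normally live.
USER_WRITABLE = {"appdata": r"\\appdata\\", "temp": r"\\temp\\",
                 "downloads": r"\\downloads\\", "public": r"\\users\\public\\"}

# The INF argument, quoted or bare, anywhere on the command line.
INF_ARG = re.compile(r'"([^"]+?\.inf)"|(\S+?\.inf)(?=\s|$)', re.IGNORECASE)

def extract_inf_path(command_line):
    m = INF_ARG.search(command_line)
    return (m.group(1) or m.group(2)) if m else None

def analyze_event(event, baseline=KNOWN_GOOD):
    """Return the reasons a cmstp.exe event looks anomalous ([] if benign or not cmstp)."""
    if PureWindowsPath(event["Image"]).name.lower() != "cmstp.exe":
        return []
    inf = extract_inf_path(event["CommandLine"])
    if inf is None:
        return ["cmstp.exe launched without an INF argument"]
    reasons = []
    inf = inf.lower()
    parent = PureWindowsPath(event["ParentImage"]).name.lower()
    inf_dir = str(PureWindowsPath(inf).parent)
    if (parent, inf_dir) not in baseline:
        reasons.append(f"no baseline match for parent={parent}, inf_dir={inf_dir}")
    if inf.startswith("\\\\") or re.match(r"[a-z]+://", inf):
        reasons.append("INF loaded from a remote location")
    for name, pattern in USER_WRITABLE.items():
        if re.search(pattern, inf):
            reasons.append(f"INF stored in a user-writable location ({name})")
            break
    return reasons

def triage(events, baseline=KNOWN_GOOD):
    """Map each anomalous event's command line to its list of reasons."""
    return {e["CommandLine"]: r for e in events if (r := analyze_event(e, baseline))}
```

In a real deployment the baseline would be generated from historical process-creation telemetry rather than hard-coded, and each flagged event should be reviewed together with the INF file it references.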
1. Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved April 11, 2018.
2. Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
3. Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018.