EXPLORE
Sign In
← Back to Explore
T1218.003

CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twit...

Windows
21
Detections
3
Sources
2
Threat Actors

BY SOURCE

10elastic7sigma4splunk_escu

PROCEDURES (14)

Child Process3 detections

Auto-extracted: 3 detections for child process

Network Connection Monitoring3 detections

Auto-extracted: 3 detections for network connection monitoring

Ransomware2 detections

Auto-extracted: 2 detections for ransomware

Suspicious2 detections

Auto-extracted: 2 detections for suspicious

Process Creation Monitoring2 detections

Auto-extracted: 2 detections for process creation monitoring

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Bypass1 detections

Auto-extracted: 1 detections for bypass

Persist1 detections

Auto-extracted: 1 detections for persist

Registry Monitoring1 detections

Auto-extracted: 1 detections for registry monitoring

Module Load Monitoring1 detections

Auto-extracted: 1 detections for module load monitoring

Process Access Monitoring1 detections

Auto-extracted: 1 detections for process access monitoring

Bypass1 detections

Auto-extracted: 1 detections for bypass

Suspicious1 detections

Auto-extracted: 1 detections for suspicious

Script Execution Monitoring1 detections

Auto-extracted: 1 detections for script execution monitoring

THREAT ACTORS (2)

Cobalt GroupMuddyWater

DETECTIONS (21)

Bypass UAC via CMSTP
sigmahigh
CMLUA Or CMSTPLUA UAC Bypass
splunk_escu
CMSTP Execution Process Access
sigmahigh
CMSTP Execution Process Creation
sigmahigh
CMSTP Execution Registry Event
sigmahigh
CMSTP UAC Bypass via COM Object Access
sigmahigh
Delayed Execution via Ping
elasticlow
DLL Loaded From Suspicious Location Via Cmspt.EXE
sigmahigh
Execution from Unusual Directory - Command Line
elasticmedium
Outbound Network Connection Initiated By Cmstp.EXE
sigmahigh
Suspicious .NET Code Compilation
elasticmedium
Suspicious JetBrains TeamCity Child Process
elasticmedium
Suspicious Managed Code Hosting Process
elastichigh
Suspicious MS Office Child Process
elasticmedium
Suspicious MS Outlook Child Process
elasticlow
Suspicious PDF Reader Child Process
elasticlow
UAC Bypass With Colorui COM Object
splunk_escu
Unusual Network Activity from a Windows System Binary
elasticmedium
Unusual Process Network Connection
elasticlow
Wbemprox COM Object Execution
splunk_escu
Windows Unusual Process Load Mozilla NSS-Mozglue Module
splunk_escu