discord

CMSTP

CMSTP [T1218.003]

Information

  • Name: CMSTP

  • ID: T1218.003

  • Tactics: TA0005

  • Technique: T1218

Introduction

CMSTP (Connection Manager Profile Installer) abuse, identified as sub-technique T1218.003 within the MITRE ATT&CK framework, involves adversaries leveraging the legitimate Windows utility CMSTP.exe to execute arbitrary commands and bypass application whitelisting or security controls. CMSTP is a built-in Windows command-line tool used to install Connection Manager service profiles, typically utilized to manage remote network connections. Attackers exploit this legitimate functionality to execute malicious payloads without raising immediate suspicion, as CMSTP is a trusted Microsoft-signed binary.

Deep Dive Into Technique

CMSTP.exe is native to Windows and resides typically within the %SystemRoot%\System32 directory. Its legitimate purpose is installing Connection Manager service profiles (.inf files) that contain settings for remote network connections. Adversaries exploit CMSTP by crafting malicious INF files containing embedded commands or scripts, which CMSTP executes upon installation.

Technical details and mechanisms of CMSTP abuse include:

  • Malicious INF File Creation:

    • Attackers create specially crafted INF files containing malicious commands or payloads within the [RunPreSetupCommandsSection] or [RunPostSetupCommandsSection].

    • Example INF file snippet:

      [version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall_SingleUser]
RunPreSetupCommands=RunCommandsSection

[RunCommandsSection]
cmd.exe /c malicious_payload.exe

  • Execution Method:

    • The attacker invokes CMSTP.exe via command line:

      cmstp.exe /s malicious.inf

    • The /s parameter specifies silent installation, preventing user interaction and reducing visibility.

  • Bypassing Security Controls:

    • CMSTP is signed by Microsoft, allowing it to bypass application whitelisting solutions, such as AppLocker, Device Guard, and Windows Defender Application Control (WDAC).

    • Execution via CMSTP often evades detection by endpoint security products due to its legitimate use and trusted signature.

  • Persistence and Privilege Escalation:

    • CMSTP can execute payloads with user-level privileges. If executed with administrative privileges or combined with privilege escalation techniques, attackers can achieve elevated access or persistence.

When this Technique is Usually Used

Attackers commonly leverage CMSTP abuse in various attack scenarios and stages, including:

  • Initial Access and Execution:

    • Delivering initial payloads through phishing emails or malicious documents containing embedded INF files and scripts.

    • Executing payloads directly from compromised hosts by downloading and executing malicious INF files.

  • Defense Evasion:

    • Evading application whitelisting tools such as AppLocker, WDAC, and other security measures by leveraging trusted Microsoft binaries.

    • Avoiding detection by endpoint protection solutions due to the legitimate nature of CMSTP.exe.

  • Persistence:

    • Establishing persistent backdoors or scheduled tasks by leveraging CMSTP to execute scripts or commands at system startup or user login.

  • Privilege Escalation:

    • Combining CMSTP execution with other privilege escalation vulnerabilities or misconfigurations to achieve administrative privileges.

How this Technique is Usually Detected

Detection of CMSTP abuse typically involves monitoring and analyzing system events, process executions, and file activities. Effective detection methods include:

  • Process Monitoring and Logging:

    • Monitor execution of CMSTP.exe processes, especially with suspicious command-line arguments (/s, /au, or custom INF file paths).

    • Tools: Sysmon, Windows Event Logs, Endpoint Detection and Response (EDR) solutions.

  • Command-Line Analysis:

    • Identify unusual or suspicious command-line parameters used with CMSTP.exe.

    • Example suspicious command-line:

      cmstp.exe /s C:\Users\Public\malicious.inf

  • File Creation and Access Monitoring:

    • Monitor creation, modification, or execution of INF files in unusual locations (e.g., temporary folders, user profile directories).

    • Tools: Sysmon file creation events, file integrity monitoring tools.

  • Behavioral Anomaly Detection:

    • Identify anomalous patterns of CMSTP usage, such as execution from scripts, macros, or unexpected parent processes (e.g., Office applications, browsers, scripting engines).

  • Indicators of Compromise (IoCs):

    • Suspicious INF file content containing [RunPreSetupCommandsSection] or [RunPostSetupCommandsSection] sections.

    • Unexpected execution of cmd.exe, powershell.exe, or other scripting binaries spawned from CMSTP.exe.

    • Unusual network connections or payload downloads following CMSTP execution.

Why it is Important to Detect This Technique

Early and accurate detection of CMSTP abuse is critical due to several significant risks and potential impacts on systems and networks, such as:

  • Defense Evasion:

    • CMSTP abuse allows attackers to bypass application whitelisting, endpoint security solutions, and standard antivirus detection, making it challenging to detect and respond quickly.

  • Persistence and Lateral Movement:

    • Attackers may establish persistent footholds, enabling continued unauthorized access, lateral movement, and prolonged compromise within the environment.

  • Privilege Escalation and System Compromise:

    • Attackers leveraging CMSTP in conjunction with privilege escalation vulnerabilities can gain administrative rights, leading to deeper system compromise, data exfiltration, and potential ransomware deployment.

  • Increased Difficulty in Incident Response:

    • The legitimate nature of CMSTP.exe complicates forensic investigations and incident response efforts, increasing attacker dwell time and potential damage.

Detecting CMSTP abuse early helps mitigate risks, limit attacker impact, and reduce remediation costs and complexity.

Examples

Real-world examples and documented attack scenarios involving CMSTP abuse include:

  • APT32 (OceanLotus):

    • Known to leverage CMSTP.exe to execute malicious INF files containing payloads, bypassing application whitelisting and evading detection.

    • Attackers delivered malicious INF files via spear-phishing emails, executing payloads silently to establish persistence and command-and-control (C2) channels.

  • FIN7 Threat Group:

    • Utilized CMSTP.exe abuse in targeted attacks against financial and retail sectors, embedding malicious scripts within INF files to execute payloads and bypass security solutions.

    • CMSTP allowed FIN7 to evade endpoint detection and response (EDR) products and maintain persistent access to compromised environments.

  • Red Team and Penetration Testing Tools:

    • Open-source offensive security frameworks (e.g., Atomic Red Team, Metasploit modules, PowerSploit) include CMSTP abuse techniques for testing detection and response capabilities in enterprise environments.

    • Example Atomic Red Team test:

      cmstp.exe /s atomic_red_team.inf

    • Such tests demonstrate the ease of exploitation and importance of robust detection mechanisms.

These examples highlight the practical use, effectiveness, and potential impact of CMSTP abuse in real-world attacks, emphasizing the necessity of proactive detection and mitigation strategies.

Last updated

Was this helpful?