MITRE ATT&CK® Technique

T1218.003: CMSTP

Adversaries may abuse CMSTP to proxy execution of malicious code. The Microsoft Connection Manager Profile Installer (CMSTP.exe) is a command-line program used to install Connection Manager service profiles. [1] CMSTP.exe accepts an installation information file (INF) as a parameter and installs a service profile leveraged for remote access connections.

Adversaries may supply CMSTP.exe with INF files infected with malicious commands. [2] Similar to Regsvr32 / "Squiblydoo", CMSTP.exe may be abused to load and execute DLLs [3] and/or COM scriptlets (SCT) from remote servers. [4] [5] [6] This execution may also bypass AppLocker and other application control defenses since CMSTP.exe is a legitimate binary that may be signed by Microsoft.

CMSTP.exe can also be abused to Bypass User Account Control and execute arbitrary commands from a malicious INF through an auto-elevated COM interface. [3] [5] [6]

Domain: Enterprise | ID: T1218.003 | Type: Sub-technique | Object version: 3.0
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

CMSTP is a Windows living-off-the-land technique where a legitimate Microsoft profile installer can be abused to run malicious commands, DLLs, or COM scriptlets through crafted INF files. Its business significance is that controls based only on trusted signatures or known-malware filenames may miss it, allowing adversaries to hide execution inside an approved system binary.

Executive priority

Prioritize this as a Windows defense-evasion control validation issue: can the organization distinguish legitimate Connection Manager profile installation from abuse of CMSTP.exe? Leaders should ask whether application control, endpoint telemetry, and SOC detections account for trusted-binary proxy execution rather than simply allowing Microsoft-signed binaries by default.

Technical view

For SOC and IR teams, validate coverage for CMSTP.exe execution with INF parameters, unusual parent or child process relationships, remote content access, DLL or COM scriptlet activity, and elevation patterns associated with UAC bypass behavior. ATT&CK provides no official detection text for this object, but the relationship to DET0328 indicates a detection strategy for malicious profile installation via CMSTP.exe should be reviewed or implemented where applicable.

Likely telemetry

  • Windows process creation events for cmstp.exe, including command line and parent process
  • File activity involving INF files used with CMSTP.exe
  • Network connections or remote content retrieval associated with cmstp.exe
  • DLL load and COM-related activity where available
  • Child process creation and elevation-related events following CMSTP.exe execution

Detection direction

  • Baseline legitimate CMSTP.exe usage; many environments may have little or no expected use.
  • Alert on CMSTP.exe launched from unusual parents, with suspicious INF paths, or followed by unexpected child processes.
  • Correlate CMSTP.exe activity with remote DLL or SCT retrieval where network and process telemetry are available.
  • Tune for false positives from legitimate Connection Manager profile installation, but do not rely on Microsoft signature trust alone.
  • Check for blind spots where command-line logging, process ancestry, network telemetry, or module/COM visibility is absent.
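The telemetry and detection points above can be exercised against process-creation records before they are turned into production rules. The following Python script is an added example written for this page; it is not Glexia or MITRE code. It scores constructed, Sysmon-style events (process creation with parent and integrity level, plus outbound network connections) for the patterns listed: an INF supplied from a user-writable path, an unexpected parent, remote content retrieval by cmstp.exe, and child processes, including a child running at a higher integrity level than cmstp.exe itself. The expected-parent baseline, the weights and the alert threshold are assumptions to tune per environment, and the sample events and the 203.0.113.10 destination are constructed.

```python
"""Score Windows process-creation telemetry for CMSTP.exe proxy-execution patterns.

Constructed sample events only (Sysmon Event ID 1 / Security 4688 style fields).
The expected-parent baseline, weights and threshold are assumptions to tune locally.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str            # full path of the started process
    command_line: str
    parent_image: str
    integrity_level: str  # Low / Medium / High / System


@dataclass
class NetEvent:
    pid: int
    destination: str      # "ip:port" of an outbound connection (Sysmon Event ID 3 style)


@dataclass
class Finding:
    pid: int
    score: int = 0
    reasons: List[str] = field(default_factory=list)


# Assumed baseline: parents that legitimately launch profile installs in this environment.
EXPECTED_PARENTS = {"explorer.exe", "msiexec.exe"}
# Locations an unprivileged user can write to; an INF here is not a managed deployment.
USER_WRITABLE = re.compile(r"\\(Users|Temp|AppData|ProgramData|Downloads|Public)\\", re.IGNORECASE)
INTEGRITY_RANK = {"Low": 0, "Medium": 1, "High": 2, "System": 3}
ALERT_THRESHOLD = 5  # assumed; tune after baselining


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_inf_path(command_line: str) -> Optional[str]:
    """Return the INF argument (quoted or bare) from a cmstp.exe command line, if any."""
    m = re.search(r'"([^"]+\.inf)"|(\S+\.inf)\b', command_line, re.IGNORECASE)
    return (m.group(1) or m.group(2)) if m else None


def score_events(events: List[ProcEvent], net_events: List[NetEvent] = ()) -> List[Finding]:
    """One Finding per cmstp.exe process; reasons explain each score contribution."""
    children: Dict[int, List[ProcEvent]] = {}
    for e in events:
        children.setdefault(e.ppid, []).append(e)
    connections: Dict[int, List[str]] = {}
    for n in net_events:
        connections.setdefault(n.pid, []).append(n.destination)

    findings = []
    for e in events:
        if basename(e.image) != "cmstp.exe":
            continue
        f = Finding(e.pid)
        inf = find_inf_path(e.command_line)
        if inf and USER_WRITABLE.search(inf):
            f.score += 3
            f.reasons.append(f"INF supplied from a user-writable path: {inf}")
        parent = basename(e.parent_image)
        if parent not in EXPECTED_PARENTS:
            f.score += 3
            f.reasons.append(f"launched by unexpected parent: {parent}")
        for dest in connections.get(e.pid, []):
            f.score += 3
            f.reasons.append(f"outbound connection to {dest} (possible remote INF/DLL/SCT retrieval)")
        for c in children.get(e.pid, []):
            f.score += 2
            f.reasons.append(f"spawned child process: {basename(c.image)} [{c.command_line}]")
            if INTEGRITY_RANK.get(c.integrity_level, 0) > INTEGRITY_RANK.get(e.integrity_level, 0):
                f.score += 4
                f.reasons.append(f"child runs at higher integrity ({c.integrity_level} vs {e.integrity_level})")
        findings.append(f)
    return findings


def alerts(events: List[ProcEvent], net_events: List[NetEvent] = ()) -> List[Finding]:
    return [f for f in score_events(events, net_events) if f.score >= ALERT_THRESHOLD]


# Constructed sample telemetry: one managed profile install, one abuse-shaped chain.
SAMPLE_EVENTS = [
    ProcEvent(1000, 400, r"C:\Windows\explorer.exe", "explorer.exe", r"C:\Windows\System32\userinit.exe", "Medium"),
    ProcEvent(2010, 1000, r"C:\Windows\System32\cmstp.exe",
              r'cmstp.exe "C:\Program Files\Corp VPN\corpvpn.inf"', r"C:\Windows\explorer.exe", "Medium"),
    ProcEvent(3000, 1000, r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              "WINWORD.EXE /n", r"C:\Windows\explorer.exe", "Medium"),
    ProcEvent(3010, 3000, r"C:\Windows\System32\cmstp.exe",
              r"cmstp.exe C:\Users\alice\AppData\Local\Temp\update.inf",
              r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "Medium"),
    ProcEvent(3020, 3010, r"C:\Windows\System32\cmd.exe", "cmd.exe /c whoami",
              r"C:\Windows\System32\cmstp.exe", "High"),
]
SAMPLE_NET_EVENTS = [NetEvent(3010, "203.0.113.10:80")]  # constructed (TEST-NET-3 address)

if __name__ == "__main__":
    for finding in alerts(SAMPLE_EVENTS, SAMPLE_NET_EVENTS):
        print(f"ALERT pid={finding.pid} score={finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
```

The managed install (explorer.exe parent, INF under Program Files, no children, no network activity) scores zero, which is the baseline the first bullet asks for; the chain from an Office process with an INF in the user's temp folder, an outbound connection and a higher-integrity child collects every signal. Each reason is kept on the finding so an analyst can see which of the telemetry sources above contributed, and a missing contribution (no network reason, no child reason) is itself a hint of the blind spots the last bullet describes.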

Mitigation priorities

  • Determine whether CMSTP.exe or Connection Manager profile installation is required; disable or remove unnecessary features where feasible under M1042.
  • Harden execution prevention under M1038 with application control and script blocking policies that account for trusted-binary abuse, not just unsigned malware.
  • Review AppLocker or WDAC-style rules for cases where CMSTP.exe is implicitly allowed because it is Microsoft-signed.
  • Restrict unauthorized script, DLL, and remote-content execution paths through endpoint policy and monitoring.
  • Use this technique as a test case for incident response readiness around living-off-the-land execution and UAC bypass investigation.
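The third bullet, reviewing whether AppLocker rules implicitly allow CMSTP.exe because it is Microsoft-signed, can be checked mechanically against an exported policy. The following Python script is an added example written for this page; it is not Glexia or MITRE code, and it does not use any AppLocker API. It parses two constructed policies in AppLocker's XML export format (the shape produced by Get-AppLockerPolicy -Xml) and reports which executable rules would allow or deny cmstp.exe. The signer attributes assumed for cmstp.exe (publisher, product and binary name) are the typical values for Windows-inbox binaries and should be confirmed locally; hash conditions and version ranges are not evaluated, and the rule Ids are placeholders rather than real GUIDs.

```python
"""Audit an AppLocker executable policy for implicit allowance of cmstp.exe.

Constructed sample policies in AppLocker's XML export format. The file attributes
assumed for cmstp.exe are typical for Windows-inbox binaries; verify locally.
Hash conditions are treated as non-matching and version ranges are assumed to be "*".
"""
import fnmatch
import xml.etree.ElementTree as ET
from typing import Dict

CMSTP = {  # assumed attributes of cmstp.exe as AppLocker evaluates them
    "path": r"C:\Windows\System32\cmstp.exe",
    "publisher": "O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US",
    "product": "MICROSOFT® WINDOWS® OPERATING SYSTEM",
    "binary": "CMSTP.EXE",
}
PATH_VARS = {"%WINDIR%": r"C:\Windows", "%SYSTEM32%": r"C:\Windows\System32"}  # assumed expansions

# Weak policy: everything Microsoft-signed and everything under %WINDIR% is allowed.
WEAK_POLICY = r"""<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePublisherRule Id="placeholder-guid-1" Name="Allow all Microsoft-signed executables" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="O=MICROSOFT CORPORATION, L=REDMOND, S=WASHINGTON, C=US" ProductName="*" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*"/>
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="placeholder-guid-2" Name="Allow files in the Windows folder" UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>"""

# Hardened variant: carve cmstp.exe out of the folder rule and add an explicit Deny.
HARDENED_POLICY = WEAK_POLICY.replace(
    r'<Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>',
    r'<Conditions><FilePathCondition Path="%WINDIR%\*"/></Conditions>'
    r'<Exceptions><FilePathCondition Path="%SYSTEM32%\cmstp.exe"/></Exceptions>',
).replace(
    "</RuleCollection>",
    r'<FilePathRule Id="placeholder-guid-3" Name="Deny cmstp.exe" UserOrGroupSid="S-1-1-0" Action="Deny">'
    r'<Conditions><FilePathCondition Path="%SYSTEM32%\cmstp.exe"/></Conditions></FilePathRule>'
    "</RuleCollection>",
)


def _expand(path_pattern: str) -> str:
    for var, value in PATH_VARS.items():
        path_pattern = path_pattern.replace(var, value)
    return path_pattern.lower()


def _condition_matches(cond: ET.Element, target: Dict[str, str]) -> bool:
    if cond.tag == "FilePathCondition":
        return fnmatch.fnmatchcase(target["path"].lower(), _expand(cond.get("Path", "")))
    if cond.tag == "FilePublisherCondition":
        def attr_ok(attr: str, value: str) -> bool:  # "*" is AppLocker's wildcard
            want = cond.get(attr, "*")
            return want == "*" or want.upper() == value.upper()
        return (attr_ok("PublisherName", target["publisher"])
                and attr_ok("ProductName", target["product"])
                and attr_ok("BinaryName", target["binary"]))
    return False  # FileHashCondition: not evaluated in this example


def audit_cmstp(policy_xml: str, target: Dict[str, str] = CMSTP) -> dict:
    """Classify every Exe rule that applies to the target file."""
    root = ET.fromstring(policy_xml)
    result = {"allowed_by": [], "denied_by": [], "excepted_in": []}
    for collection in root.findall("RuleCollection"):
        if collection.get("Type") != "Exe":
            continue
        for rule in collection:
            conditions = rule.find("Conditions")
            if conditions is None or not any(_condition_matches(c, target) for c in conditions):
                continue
            exceptions = rule.find("Exceptions")
            if exceptions is not None and any(_condition_matches(c, target) for c in exceptions):
                result["excepted_in"].append(rule.get("Name"))
                continue
            key = "allowed_by" if rule.get("Action") == "Allow" else "denied_by"
            result[key].append(rule.get("Name"))
    # AppLocker gives an explicit Deny precedence over any matching Allow.
    result["implicitly_allowed"] = bool(result["allowed_by"]) and not result["denied_by"]
    return result


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit_cmstp(policy))
```

In the weak policy both the publisher rule and the folder rule cover cmstp.exe and nothing denies it, which is exactly the "implicitly allowed because it is Microsoft-signed" case the bullet warns about. In the hardened variant the publisher rule still matches, so a review that only looks for path rules would miss it; the explicit Deny is what changes the outcome. Whether that Deny is appropriate depends on the M1042 question in the first bullet, namely whether Connection Manager profile installation is needed at all.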

Analyst notes and limits

This object is a sub-technique of System Binary Proxy Execution and is limited to Windows in the supplied ATT&CK fields. Relationship context shows use by MuddyWater, Cobalt Group, CHIMNEYSWEEP, and LockBit 3.0, but that should be treated as ATT&CK context rather than evidence of activity in any specific environment.

The official ATT&CK detection field is not provided, so detection guidance is derived from the official behavior description, external references, and the supplied DET0328 relationship. Local validation is required to confirm whether CMSTP.exe is present, used legitimately, logged, or controlled.

Official MITRE ATT&CK definition

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Related techniques

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

Domain      ID      Name                            Relationship / procedure
Enterprise  T1191   CMSTP                           Revoked: T1191 was replaced by this object (T1218.003).
Enterprise  T1218   System Binary Proxy Execution   This object is a sub-technique of System Binary Proxy Execution.

Associated objects

Groups, software, and campaigns

Group Enterprise

G0069: MuddyWater

MuddyWater is a cyber espionage group assessed to be a subordinate element within Iran's Ministry of Intelligence and Security (MOIS).[1] Since at least 2017, MuddyWater has targeted a range of government and private organizations across sectors, including telecommunications, local government, finance, defense, and oil and natural gas organizations, in the Middle East (specifically the UAE and Saudi Arabia), Asia, Africa, Europe, and North America. MuddyWater has reused domains dating back to October 2025, and has a preference for NameCheap and Hosterdaddy Private Limited (AS136557). In late 2025 and early 2026, MuddyWater used commercial satellite internet (i.e., Starlink) for command and control (C2) communication. [2][3][4][5][6][7][8][9][10][11][12][13]

Group Enterprise

G0080: Cobalt Group

Cobalt Group is a financially motivated threat group that has primarily targeted financial institutions since at least 2016. The group has conducted intrusions to steal money via targeting ATM systems, card processing, payment systems and SWIFT systems. Cobalt Group has mainly targeted banks in Eastern Europe, Central Asia, and Southeast Asia. One of the alleged leaders was arrested in Spain in early 2018, but the group still appears to be active. The group has been known to target organizations in order to use their access to then compromise additional victims.[1][2][3][4][5][6][7] Reporting indicates there may be links between Cobalt Group and both the malware Carbanak and the group Carbanak.[8]

Malware Enterprise

S1202: LockBit 3.0

LockBit 3.0 is an evolution of the LockBit Ransomware-as-a-Service (RaaS) offering with similarities to BlackMatter and BlackCat ransomware. LockBit 3.0 has been in use since at least June 2022 and features enhanced defense evasion and exfiltration tactics, robust encryption methods for Windows and VMware ESXi systems, and a more refined RaaS structure over its predecessors such as LockBit 2.0.[1][2][3][4]

Platforms: Windows

Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources: Updates.

ATT&CK release: 19.1
Object version: 3.0
Created:
Modified:
Raw hash: 84a1b52ac3c85fdc...

Imported snapshots across ATT&CK releases (1)
Release: 19.1 | Object version: 3.0 | Status: Current bundle | Raw hash: 84a1b52ac3c8…

Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. [1] Microsoft Connection Manager Oct 2009
     Microsoft. (2009, October 8). How Connection Manager Works. Retrieved April 11, 2018.
  2. [2] Twitter CMSTP Usage Jan 2018
     Carr, N. (2018, January 31). Here is some early bad cmstp.exe... Retrieved September 12, 2024.
  3. [3] MSitPros CMSTP Aug 2017
     Moe, O. (2017, August 15). Research on CMSTP.exe. Retrieved April 11, 2018.
  4. [4] Twitter CMSTP Jan 2018
     Tyrer, N. (2018, January 30). CMSTP.exe - remote .sct execution applocker bypass. Retrieved September 12, 2024.
  5. [5] GitHub Ultimate AppLocker Bypass List
     Moe, O. (2018, March 1). Ultimate AppLocker Bypass List. Retrieved April 10, 2018.
  6. [6] Endurant CMSTP July 2018
     Seetharaman, N. (2018, July 7). Detecting CMSTP-Enabled Code Execution and UAC Bypass With Sysmon. Retrieved November 17, 2024.
  7. [7] mitre-attack T1218.003

Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.