cmstp.exe - Connection Manager LOLBin Security Analysis
cmstp.exe (Microsoft Connection Manager Profile Installer) is a Windows utility for installing connection profiles. It is a **dangerous LOLBin** that can **execute arbitrary commands** and **DLLs** via malicious INF files, bypassing **application whitelisting** including AppLocker and Device Guard.
Risk Summary
CRITICAL priority for SOC triage. cmstp.exe is a potent LOLBin that bypasses application whitelisting. Any execution of cmstp.exe with an INF file is **highly suspicious** and warrants immediate investigation.
Overview
What is cmstp.exe?
cmstp.exe installs Connection Manager service profiles.
Legitimate Functions
Connection Profiles:
- Install VPN profiles
- Configure dial-up connections
- Deploy network settings
Security Significance
- LOLBin Status: Executes arbitrary code via INF
- UAC Bypass: Can bypass UAC via COM interface
- Whitelisting Bypass: Bypasses AppLocker
- Signed Binary: Microsoft signed
Normal Behavior
Expected Process State
| Property | Expected Value |
|---|---|
| Path | C:\Windows\System32\cmstp.exe |
| Parent | Manual execution (rare) |
| User | Administrator |
| Frequency | Very rare |
Modern Reality
⚠️ cmstp.exe execution is SUSPICIOUS BY DEFAULT
Legitimate use is extremely rare
Common Locations
- C:\Windows\System32\cmstp.exe
- C:\Windows\SysWOW64\cmstp.exe
Suspicious Indicators
Legitimate vs Suspicious
LEGITIMATE (Very Rare)
Context: Enterprise VPN profile deployment
Frequency: Extremely rare
INF File: Signed, from IT department
SUSPICIOUS (Default)
Command: cmstp.exe /s /ns malicious.inf
cmstp.exe /au /ni payload.inf
Context: Any unexpected execution
INF from user-writable location
Abuse Techniques
Technique #1: Code Execution via INF (T1218.003)
Malicious INF File:
```ini
[Version]
Signature=$chicago$
AdvancedINF=2.5

[DefaultInstall]
CustomDestination=CustInstDestSectionAllUsers
RunPreSetupCommands=RunPreSetupCommandsSection

[RunPreSetupCommandsSection]
powershell.exe -ep bypass -w hidden -c "IEX(...)"
```
Execution:
cmstp.exe /s /ns C:\temp\malicious.inf
Technique #2: UAC Bypass (T1548.002)
CMSTP has auto-elevate capabilities via COM.
Technique #3: AppLocker Bypass (T1218.003)
CMSTP is typically whitelisted, allowing code execution.
Detection Guidance
Priority #1: Any CMSTP Execution
Process = "cmstp.exe"
→ ALERT: HIGH - Investigate immediately
Sigma Rule:
```yaml
title: CMSTP Execution
logsource:
    product: windows
    category: process_creation
detection:
    selection:
        Image|endswith: '\cmstp.exe'
    condition: selection
level: high
```
Priority #2: INF File Execution
Process = "cmstp.exe" AND
CommandLine CONTAINS ".inf"
→ ALERT: CRITICAL
Priority #3: Silent Execution
Process = "cmstp.exe" AND
CommandLine CONTAINS ["/s", "/au", "/ni"]
→ ALERT: CRITICAL - Silent code execution
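The three priorities above and the "analyze INF content" step of the checklist, as an added example that is not part of the original page: `triage_event` grades a process-creation record the way Priority #1 to #3 do, and `inf_run_commands` follows the `RunPreSetupCommands` / `RunPostSetupCommands` keys of an INF to the command lines cmstp.exe would run. Field names (`Image`, `CommandLine`) and the sample INF are constructed for this example.

```python
"""Triage helpers for the cmstp.exe detection priorities above (added example)."""
from __future__ import annotations
import re
from typing import Optional

SILENT_FLAGS = {"/s", "/au", "/ni"}  # switches the page flags as silent execution
RUN_KEYS = {"runpresetupcommands", "runpostsetupcommands"}  # INF keys cmstp runs

def triage_event(image: str, command_line: str) -> Optional[str]:
    """Return the alert level per Priority #1-#3, or None for non-cmstp images."""
    if not image.lower().endswith("\\cmstp.exe"):
        return None
    cmd = command_line.lower()
    if any(tok in SILENT_FLAGS for tok in cmd.split()):
        return "CRITICAL"  # Priority #3: silent/unattended install
    if ".inf" in cmd:
        return "CRITICAL"  # Priority #2: INF file on the command line
    return "HIGH"          # Priority #1: any cmstp.exe execution

def inf_run_commands(inf_text: str) -> dict[str, list[str]]:
    """Map RunPre/PostSetupCommands keys in [DefaultInstall] to the commands
    listed in the sections they name; these are what cmstp.exe would run."""
    sections: dict[str, list[str]] = {}
    current = None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = header.group(1).lower()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(line)
    found: dict[str, list[str]] = {}
    for entry in sections.get("defaultinstall", []):
        key, _, target = entry.partition("=")
        if key.strip().lower() in RUN_KEYS:
            found[key.strip()] = sections.get(target.strip().lower(), [])
    return found

# Constructed sample INF (not the page's): one pre-setup command, no payload.
SAMPLE_INF = """[Version]
Signature=$chicago$
[DefaultInstall]
RunPreSetupCommands=PreCmds
[PreCmds]
cmd.exe /c echo triage-sample
"""
```

Run `inf_run_commands` over the INF recovered during triage and review every returned command line; a missing target section simply yields an empty list.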
Remediation Steps
Defense: Block CMSTP
Block cmstp.exe execution via AppLocker custom rule.
Defense: Monitor INF Files
Alert on INF file creation in user-writable locations.
If Compromise Suspected
- Locate the INF file used
- Analyze INF content
- Identify executed payloads
- Hunt for persistence
- Contain and remediate
Investigation Checklist
- Verify cmstp.exe execution occurred
- Identify the INF file used
- Analyze INF file content
- Check for encoded commands
- Identify child processes
- Review network connections
- Hunt for persistence