CAR-2020-11-010: CMSTP
CMSTP.exe is the Microsoft Connection Manager Profile Installer, which can be leveraged to set up listeners that receive and install malware from remote sources in a trusted fashion.
When CMSTP.exe is seen in combination with an external connection, it is a good indication of this TTP.
ATT&CK Detections
Technique | Subtechnique(s) | Tactic(s) | Level of Coverage |
---|---|---|---|
System Binary Proxy Execution | CMSTP | Defense Evasion | High |
D3FEND Techniques
ID | Name |
---|---|
D3-PSA | Process Spawn Analysis |
Data Model References
Object | Action | Field |
---|---|---|
process | create | exe |
process | create | src_ip |
Implementations
Pseudocode - CMSTP (Pseudocode, CAR native)
This is a pseudocode representation of the Splunk search below.
processes = search Process:Create
target_processes = filter processes where (
  exe="C:\Windows\System32\CMSTP.exe" AND
  src_ip NOT IN [10.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12] )
output target_processes
Splunk Search - CMSTP (Splunk, Sysmon native)
Looks for instances of CMSTP.exe that are combined with external communication.
(index=__your_sysmon_index__ EventCode=3) Image="C:\\Windows\\System32\\CMSTP.exe" | where ((!cidrmatch("10.0.0.0/8", SourceIp) AND !cidrmatch("192.168.0.0/16", SourceIp) AND !cidrmatch("172.16.0.0/12", SourceIp)))
LogPoint Search - CMSTP (Logpoint, LogPoint native)
Looks for instances of CMSTP.exe that are combined with external communication.
norm_id=WindowsSysmon event_id=3 image="C:\Windows\System32\CMSTP.exe" -source_address IN HOMENET
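The same analytic as the pseudocode, Splunk and LogPoint searches above, applied to Sysmon-style network connection events, as an added Python example that is not part of the CAR page. The event dictionaries, field names (EventCode, Image, SourceIp) and sample addresses are constructed for illustration.

```python
import ipaddress
from typing import Iterable

# Private ranges excluded by the analytic (the HOMENET of the LogPoint
# search and the cidrmatch() list of the Splunk search).
HOMENET = [ipaddress.ip_network(c) for c in
           ("10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12")]

CMSTP_PATH = r"C:\Windows\System32\CMSTP.exe"


def is_external(ip: str) -> bool:
    """True when ip parses and lies outside every HOMENET range.

    Unparseable values (hostnames, empty fields) are treated as not
    external so a malformed field cannot by itself raise an alert."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return not any(addr in net for net in HOMENET)


def detect_cmstp_external(events: Iterable[dict]) -> list:
    """Return Sysmon EventCode=3 events where CMSTP.exe is paired with an
    address outside HOMENET (field names assumed to follow Sysmon). The image
    comparison is case-insensitive because Windows paths are."""
    hits = []
    for ev in events:
        if str(ev.get("EventCode")) != "3":
            continue
        if ev.get("Image", "").lower() != CMSTP_PATH.lower():
            continue
        if is_external(ev.get("SourceIp", "")):
            hits.append(ev)
    return hits


# Constructed sample events (not real telemetry).
SAMPLE_EVENTS = [
    {"EventCode": "3", "Image": r"C:\Windows\System32\CMSTP.exe", "SourceIp": "10.1.2.3"},
    {"EventCode": "3", "Image": r"C:\Windows\System32\cmstp.exe", "SourceIp": "203.0.113.7"},
    {"EventCode": "3", "Image": r"C:\Windows\System32\svchost.exe", "SourceIp": "203.0.113.8"},
    {"EventCode": "1", "Image": r"C:\Windows\System32\CMSTP.exe", "SourceIp": "203.0.113.9"},
    {"EventCode": "3", "Image": r"C:\Windows\System32\CMSTP.exe", "SourceIp": "172.31.255.1"},
    {"EventCode": "3", "Image": r"C:\Windows\System32\CMSTP.exe", "SourceIp": "172.32.0.1"},
]

if __name__ == "__main__":
    for hit in detect_cmstp_external(SAMPLE_EVENTS):
        print("ALERT", hit)
```

Only the second and last sample events match: 172.31.255.1 falls inside 172.16.0.0/12 while 172.32.0.1 does not, which is the boundary the cidrmatch() list gets right and a naive "172.*" string match would not.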